[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6496) nssov patch to better emulate pam_ldap behaviour

Full_Name: Kean Johnston
Version: HEAD
OS: Linux (CentOS 5.3)
URL: ftp://ftp.openldap.org/incoming/kean-johnston-100321.patch
Submission from: (NULL) (

The nssov manual page states that some of it's options "duplicates the original
pam_ldap authorization behavior". However, they don't quite. pam_ldap has the
ability for you to use "wildcards" in a user's host: attribute. I say
"wildcards" in quotes because the pam_ldap implementation does not actually use
regex matching, but rather check for two special strings, "*" and "!".

The ability to use actual wildcards, especially ones you can negate, on a per
user basis is extremely useful to an administrator of large networks. For
example you may want all developers to have access to the machines in
developers.mydomain.com but you want to disallow access to some of those
machines to contractors or interns.

This patch allows such behaviour, so it serves the dual purpose of actually
implementing existing pam_ldap behaviour in case people already depend on that,
as well as extends it to be a more generally usable feature by using actual
regular expressions. The code is simple, and the man page change describes it
well enough. Please consider adding this code to nssov. Thank you.