
RE: Limiting user access to a subset of machines with OpenLDAP....



Here's how we limited access to a specific machine:

The LDAP entry for the user needs to have an entry for the machine(s)
they are allowed to access.  This entry is arbitrary; for the
moment, we're using the "host" attribute of the posixAccount.
(Which I don't believe is an actual field in that object,
but it demonstrates the idea.)

In the user's LDIF put:

objectClass: posixAccount
host: machine.yourhost.net

Add your authentication scheme to /etc/ldap.conf on the client
machine(s):

# Filter that pam_ldap ANDs with uid=%s (no outer parentheses, and no
# whitespace between the filter components)
pam_filter &(objectclass=posixAccount)(host=machine.yourhost.net)

And that's it.  Pretty sweet: it only needs a specific entry
on the client machine to identify itself.

I hope that is helpful,
Kelli
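To see what that filter actually does, here is an added example (my own, not Kelli's configuration and not pam_ldap's code) that models pam_ldap's check offline in Python: it takes a small constructed LDIF, ANDs a pam_filter with uid=<login> the way pam_ldap does, and reports whether the login would be allowed. It also models the other way of doing this, comparing the client's own hostname against the user's host attribute, which is what pam_ldap's pam_check_host_attr option does. The entries, the hostnames (m1/m2/m3.example.net), the helper names and the exact matching semantics are assumptions for the example; it goes a little beyond the post by escaping the login name (RFC 4515 style) before substituting it into the filter.

```python
"""Added example (not from the post): replicate the host-restriction check
offline.  pam_ldap searches for (&(uid=<login>)(<pam_filter>)) under the
configured base and lets the login proceed only if exactly one entry
comes back.  LDIF, hostnames and filters below are constructed."""
import re

# Constructed directory contents: testuser may use m1 and m2 but not m3;
# "other" has no host attribute at all.
LDIF = """\
dn: uid=testuser,ou=People,dc=example,dc=net
objectClass: account
objectClass: posixAccount
uid: testuser
host: m1.example.net
host: m2.example.net

dn: uid=other,ou=People,dc=example,dc=net
objectClass: posixAccount
uid: other
"""


def parse_ldif(text):
    """Parse a simple LDIF (no continuation lines, no base64) into dicts
    mapping lower-cased attribute names to lists of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot inject filter syntax."""
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def _unescape(value):
    """Turn \\XX escapes back into characters for comparison."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(s, i=0):
    """Recursive-descent parser for equality, &, | and ! filters.
    Returns (tree, index just past the closing parenthesis)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter: %r" % s)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry.  Values are compared
    case-insensitively, as the caseIgnore rules for host/objectClass do."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        want = _unescape(value).lower()
        return any(v.lower() == want for v in entry.get(attr, []))
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    return not matches(node[1][0], entry)  # "!"


def pam_ldap_allows(entries, login, pam_filter):
    """Model pam_ldap's lookup: pam_filter (written without outer parentheses,
    as in /etc/ldap.conf) is ANDed with uid=<login>; exactly one hit means
    the login is allowed to continue to the bind."""
    full = "(&(uid=%s)(%s))" % (escape_filter_value(login), pam_filter)
    tree, end = parse_filter(full)
    if end != len(full):
        raise ValueError("trailing junk in filter: %r" % full[end:])
    return sum(matches(tree, e) for e in entries) == 1


def host_attr_allows(entries, login, hostname):
    """Model pam_check_host_attr: the client's own hostname must appear in the
    user's host attribute ("*" matches any host), so the client config does
    not have to name the machine."""
    hits = [e for e in entries if login in e.get("uid", [])]
    if len(hits) != 1:
        return False
    hosts = [h.lower() for h in hits[0].get("host", [])]
    return "*" in hosts or hostname.lower() in hosts


if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    for host in ("m1", "m2", "m3"):
        flt = "&(objectclass=posixAccount)(host=%s.example.net)" % host
        print(host, pam_ldap_allows(entries, "testuser", flt))
```

Two things the model makes visible. First, the restriction lives in each client's /etc/ldap.conf, so it is only as strong as the client's configuration: a client whose ldap.conf omits the filter (or whose administrator edits it) is not restricted by anything in the directory, and the filter only affects PAM authentication, not the nss_ldap passwd lookups that still return the user on every machine. Second, the login name is substituted into the filter string, which is why the example escapes it; a name containing parentheses or "*" should never be able to change the shape of the search.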

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Kevin Riggins
Sent: Monday, September 25, 2000 9:21 AM
To: OpenLDAP
Subject: Limiting user access to a subset of machines with OpenLDAP....


I have user authentication using LDAP working in a test network, but need
some help with one final issue.  How can I restrict a user's access to only
certain machines?  For instance, I have a user named testuser and machines
named m1, m2, and m3.  I would like testuser to be able to login to m1 and
m2 but not m3 and would like to control this through LDAP.  Any help
appreciated.

Thanks,
Kevin Riggins
Dice.com
email: kriggins@dice.com