Re: Users from /etc/passwd, passwords from LDAP?
Would be nice to use pam_filter, but a `grep -i pam_filter *' in the
latest nss_ldap_140 does not reveal that it is used.
Using pam_filter would ensure that a user cannot log on to the machine,
but nss_ldap would still consider the user to be local if a getpwent()
is made. That means that, for example, sendmail would consider the user
to be local. I'd prefer if the user doesn't show up at all, if she isn't
destined for this machine...
On 30 Jan 2001, Turbo Fredriksson wrote:
> Quoting "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>:
> > This is likely a FAQ on the firstname.lastname@example.org mailing list.
> > (likely nss_ldap takes as a parameter a search filter).
> The theory (I haven't bothered to try yet) is to utilise the 'pam_filter'
> in '/etc/pam_ldap.conf'...
> In theory you can have an object 'loginhost' or the like. That is, you want
> user 'xyz' to be able to login to host 'athena' and 'barrabas':
> dn: uid=xyz,...
> loginHost: athena
> loginHost: barrabas
> And on host 'athena' you would enter in /etc/pam_ldap.conf:
> pam_filter loginHost=athena
> And on 'barrabas':
> pam_filter loginHost=barrabas
> As said, this is theory (which I picked up here a couple of months ago). You
> will have to make your own objectClass to use this 'loginhost' though...
> > At 03:40 PM 1/29/01 -0800, Jeffrey W. Baker wrote:
> > >I wonder if it is possible to have the setup that I desire. I have some
> > >Linux and Solaris machines, nss_ldap from padl.com, and OpenLDAP 2.0. I
> > >wish to have all of my user information in the LDAP directory, which I
> > >have already done. I also want my users to be authenticated against the
> > >userPassword in LDAP, which I have also already done.
> > >
> > >The part that I find tricky is that I don't want every user in LDAP to be
> > >able to log in to every machine. Let's say I have 500 users, and only 10
> > >of them should be logging in to a particular box. But I still want the
> > >usernames, passwords, and groups coming from LDAP.
> > >
> > >I would love to hear about an example of someone having already done this.
> > >
> > >Regards,
> > >Jeffrey Baker
> Turbo Fredriksson, Debian Certified Linux Developer, Stockholm/Sweden
> email@example.com
> Debian GNU Unix _IS_ user friendly - it's just selective about who its friends are
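The gap the reply describes, as an added example that is not part of the thread: a small Python model of how a pam_ldap `pam_filter` and an nss_ldap passwd lookup treat the same directory entries. The entries, host names (`athena`, `barrabas`) and the minimal filter syntax handled here are constructed for the demo; the two lookup functions are stand-ins for what pam_ldap and nss_ldap do, not their real code.

```python
import re

# Constructed directory: 'xyz' may log in to athena and barrabas,
# 'abc' only to barrabas, 'svc' nowhere.
DIRECTORY = [
    {"uid": ["xyz"], "uidNumber": ["1001"], "loginHost": ["athena", "barrabas"]},
    {"uid": ["abc"], "uidNumber": ["1002"], "loginHost": ["barrabas"]},
    {"uid": ["svc"], "uidNumber": ["1003"], "loginHost": []},
]


def matches(entry, flt):
    """Evaluate a minimal LDAP filter against one entry.

    Supports (attr=value) and one level of (&...) / (|...) over such terms,
    which is all the per-host scheme in the thread needs.
    """
    flt = flt.strip()
    if not flt.startswith("("):          # pam_filter is written without parentheses
        flt = "(" + flt + ")"
    if flt[1] in "&|":
        terms = re.findall(r"\([^()]*\)", flt[2:-1])
        combine = all if flt[1] == "&" else any
        return combine(matches(entry, t) for t in terms)
    attr, _, value = flt[1:-1].partition("=")
    return value in entry.get(attr.strip(), [])


def pam_authorize(uid, pam_filter):
    """pam_ldap side: the user's entry must also match pam_filter, or login fails."""
    return any(e["uid"] == [uid] and matches(e, pam_filter) for e in DIRECTORY)


def nss_getpwent(nss_filter=None):
    """nss_ldap side: enumerate passwd entries. pam_filter plays no part here,
    so without a filter on the NSS search every LDAP user looks local."""
    return [e["uid"][0] for e in DIRECTORY
            if nss_filter is None or matches(e, nss_filter)]


if __name__ == "__main__":
    # On host athena: PAM refuses 'abc', but getpwent() still lists the account.
    print("abc may log in:", pam_authorize("abc", "loginHost=athena"))
    print("passwd view, no NSS filter:", nss_getpwent())
    # Restricting the NSS search itself is what makes the user disappear.
    print("passwd view, NSS filter:", nss_getpwent("(loginHost=athena)"))
```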