
Re: Deny auth based on client

Add an attribute "host" to the user entry, where the value is the
fully-qualified name of the host he's allowed to log into.  Add as many
of these "host" attributes as you need, each the name of a machine he's
allowed on.

The standard behavior is to allow access to all hosts if the "host"
attributes are missing, and to allow only the specified hosts if one or
more host attributes exist.

Andrew C Altepeter wrote:
> Hello all,
> I am working on setting up openldap as a centralized authentication system
> for my company that has over 5000 accounts.  My question is regarding
> pam_ldap, so please forgive me if this is the wrong place to post this.
> Here is the setup:  We have one rh7.1 box running slapd, and there are two
> main divisions in my company, each having their own sun enterprise 450
> server.
> What I would like to do is add some sort of attribute to each user object
> inside the ldap database that would either allow or deny access to the
> server.
> Say I have a user named jo.  He should have access to sun1, but not sun2.
> Is there a way where I can put a field in his entry in ldap that says
> sun1, and when he goes to sun1 to login, he is allowed, but can't login to
> sun2 because an entry matching sun2 isn't present in his ldap entry?
> Can this be done strictly within ldap (in which case this question is
> relevant to this newsgroup), and/or is there a way to do this via
> pam_ldap?
> I really appreciate any help you have to offer.
> Thank you,
> Andy

Alan Sparks, Sr. UNIX Administrator	asparks@quris.com
Quris, Inc.				(720) 836-2058
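A worked model of the host-attribute scheme in the reply above, added here as an example; it is not code from the thread, from pam_ldap or from OpenLDAP. It parses a constructed LDIF fragment (the base DN, uids and hostnames are assumptions for the example), applies the rule exactly as the reply states it (no "host" values means every host is allowed, one or more values means only those hosts), and renders the ldapmodify LDIF that adds host values to an existing entry. The "host" attribute used here comes from the cosine schema's "account" object class, which is why the sample entries carry objectClass: account alongside posixAccount; matching is case-insensitive because that schema defines "host" with the caseIgnoreIA5Match equality rule.

```python
"""Model of the per-user "host" attribute access rule.

Constructed example, not code from the thread, pam_ldap or OpenLDAP.
Rule as stated in the reply: no "host" values -> all hosts allowed;
one or more values -> only the listed hosts allowed.
"""
from collections import defaultdict

# Constructed sample directory content.  The base DN, uids and hostnames
# are assumptions for this example, not values from the original post.
SAMPLE_LDIF = """\
dn: uid=jo,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: jo
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/jo
host: sun1.example.com

dn: uid=pat,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: pat
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/pat
host: sun1.example.com
host: SUN2.example.com

dn: uid=admin1,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: admin1
uidNumber: 1003
gidNumber: 100
homeDirectory: /home/admin1
"""


def parse_ldif(text):
    """Parse a minimal LDIF fragment into {dn: {attr: [values]}}.

    Handles the subset used here: blank-line separated entries, one
    "attr: value" per line, comment lines, and folded continuation lines
    (leading space).  Base64 (::) and URL (:<) values are not supported.
    Attribute names are lower-cased because LDAP attribute types are
    case-insensitive.
    """
    entries = {}
    current = None
    last_attr = None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw == "":
            if current is not None:
                entries[current["dn"][0]] = current
            current, last_attr = None, None
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr].append(value)
        last_attr = attr
    return entries


def host_allowed(entry, hostname):
    """Apply the rule: absent "host" allows every host, else it must match.

    Comparison is case-insensitive (caseIgnoreIA5Match, and DNS names are
    case-insensitive anyway).
    """
    hosts = entry.get("host", [])
    if not hosts:
        return True
    return hostname.lower() in {h.lower() for h in hosts}


def login_decision(ldif_text, uid, hostname):
    """Look a user up by uid in the parsed LDIF and decide for one host."""
    for entry in parse_ldif(ldif_text).values():
        if uid in entry.get("uid", []):
            return host_allowed(entry, hostname)
    return False  # unknown user: deny


def add_hosts_ldif(dn, hosts):
    """Render a changetype: modify LDIF that adds "host" values to an entry."""
    lines = [f"dn: {dn}", "changetype: modify", "add: host"]
    lines += [f"host: {h}" for h in hosts]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for uid, host in [("jo", "sun1.example.com"), ("jo", "sun2.example.com"),
                      ("pat", "sun2.example.com"), ("admin1", "sun9.example.com")]:
        verdict = "allow" if login_decision(SAMPLE_LDIF, uid, host) else "deny"
        print(f"{uid:7s} on {host}: {verdict}")
    print(add_hosts_ldif("uid=jo,ou=People,dc=example,dc=com", ["sun1.example.com"]))
```

Two things to check before relying on this in production. First, pam_ldap only consults the attribute when /etc/ldap.conf contains `pam_check_host_attr yes` and pam_ldap is in the account stack of the services you care about; nss_ldap ignores the attribute, so `getent passwd jo` still resolves on sun2 and only the PAM account step refuses the login. Second, the example follows the rule as the reply states it for entries with no "host" values; verify that case against the pam_ldap version you deploy before assuming an entry without the attribute is allowed everywhere, and store the value in the form the server reports as its own hostname, since that is what the module compares against.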