Re: Deny auth based on client
Andrew C Altepeter wrote:
> Hello all,
> I am working on setting up openldap as a centralized authentication system
> for my company that has over 5000 accounts. My question is regarding
> pam_ldap, so please forgive me if this is the wrong place to post this.
> Here is the setup: We have one rh7.1 box running slapd, and there are two
> main divisions on my company, each having their own sun enterprise 450
> What I would like to do is add some sort of attribute to each user object
> inside the ldap database that would either allow or deny access to the
> Say I have a user named jo. He should have access to sun1, but not sun2.
> Is there a way where I can put a field in his entry in ldap that says
> sun1, and when he goes to sun1 to login, he is allowed, but can't login to
> sun2 because an entry matching sun2 isn't present in his ldap entry?
> Can this be done strictly within ldap (in which case this question is
> relevant to this newsgroup), and/or is there a way to do this via
Hmm, the logical way to do this in ldap would be to rearrange your users
to reflect your company structure.
jo belongs to division1 and should have access to sun1, but not to sun2.
eric belongs to division2 and has access to sun2, but not sun1.
Simply move jo to:
and eric to:
then configure your pam_ldap search base of sun1 to use:
and the one of sun2 to:
and you are done.
Second way, using attributes:
Add an attribute for every user that describes his/her rights to access a
and then put
into pam_ldap.conf for sun1 and
into pam_ldap.conf for sun2
Note: you will have to write your own schema if you
want to add a custom attribute to ldap.
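The two approaches in the reply above, worked through offline as an added example (this is not code from the thread or from pam_ldap itself). It models what pam_ldap does with the `base` and `pam_filter` settings: approach 1 restricts each host's search base to the division's OU, so a user whose DN is not under that base is never found; approach 2 keeps a flat base and lets pam_ldap search for `(&(uid=<login>)(<pam_filter>))`, so a user whose entry lacks the matching value is denied. The DIT layout, the entries for jo, eric and pat, the `ou=division1`/`ou=division2` containers and the use of the `host` attribute are all assumptions made for the illustration. The filter evaluator handles only the subset of filter syntax needed here.

```python
"""Offline model of pam_ldap host restriction via search base vs. pam_filter.

Constructed sample directory; no LDAP server is contacted.
"""

# Constructed entries: DN -> attributes (attribute names in lower case).
# pat has no host attribute at all, to show the default-deny behaviour of the filter.
DIRECTORY = {
    "uid=jo,ou=division1,ou=people,dc=example,dc=com":   {"uid": ["jo"],   "host": ["sun1"]},
    "uid=eric,ou=division2,ou=people,dc=example,dc=com": {"uid": ["eric"], "host": ["sun2"]},
    "uid=pat,ou=people,dc=example,dc=com":               {"uid": ["pat"]},
}

# Approach 1: each host's pam_ldap.conf carries a different `base` (assumed DNs).
BASE_PER_HOST = {
    "sun1": "ou=division1,ou=people,dc=example,dc=com",
    "sun2": "ou=division2,ou=people,dc=example,dc=com",
}

# Approach 2: one flat `base`, and a per-host `pam_filter` line (assumed attribute `host`).
FLAT_BASE = "ou=people,dc=example,dc=com"
PAM_FILTER_PER_HOST = {"sun1": "host=sun1", "sun2": "host=sun2"}


def dn_components(dn):
    """Split a DN into normalised RDNs. Escaped commas are not handled (none used here)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_subtree(dn, base):
    """True when `dn` lies at or below `base` (a subtree-scope search from `base` can find it)."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[-len(b):] == b


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a filter, so a login name like
    '*)(uid=*' cannot rewrite the filter pam_ldap sends to the server."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def parse_filter(text):
    """Parse the subset of LDAP filter syntax used here: (attr=value), (&...), (|...), (!...)."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body[:1] in ("&", "|", "!"):
        children, depth, start = [], 0, None
        for i, ch in enumerate(body):
            if i == 0:
                continue
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    children.append(parse_filter(body[start:i + 1]))
        return (body[0], children)
    attr, _, value = body.partition("=")
    return ("=", attr.strip().lower(), value.strip())


def eval_filter(node, attrs):
    """Evaluate a parsed filter against one entry's attributes (case-insensitive equality)."""
    op = node[0]
    if op == "=":
        values = attrs.get(node[1], [])
        if node[2] == "*":
            return bool(values)
        return any(v.lower() == node[2].lower() for v in values)
    if op == "&":
        return all(eval_filter(c, attrs) for c in node[1])
    if op == "|":
        return any(eval_filter(c, attrs) for c in node[1])
    return not eval_filter(node[1][0], attrs)  # "!"


def search(base, filter_text):
    """Subtree search of the constructed directory: entries under `base` matching the filter."""
    node = parse_filter(filter_text)
    return [dn for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, base) and eval_filter(node, attrs)]


def allowed_by_base(login, host):
    """Approach 1: the user must be found under the host's restricted base."""
    return bool(search(BASE_PER_HOST[host], "(uid=%s)" % escape_filter_value(login)))


def allowed_by_filter(login, host):
    """Approach 2: pam_ldap combines the login name with pam_filter; no match means deny."""
    filt = "(&(uid=%s)(%s))" % (escape_filter_value(login), PAM_FILTER_PER_HOST[host])
    return bool(search(FLAT_BASE, filt))


if __name__ == "__main__":
    for login in ("jo", "eric", "pat"):
        for host in ("sun1", "sun2"):
            print("%-5s on %s: base=%-5s filter=%s" % (
                login, host, allowed_by_base(login, host), allowed_by_filter(login, host)))
```

Two caveats a practitioner should keep in mind with the attribute approach. First, the check lives in pam_ldap, not in slapd: any service that binds against the directory without going through pam_ldap's filter ignores it, so the restriction is only as complete as the set of clients configured with it. Second, the attribute must not be writable by the user it governs; an slapd `access to attrs=host by self read by * none`-style rule (or tighter) prevents jo from adding `host: sun2` to his own entry and granting himself access. The `host` attribute used here is the one defined on the `account` object class in the nis.schema shipped with OpenLDAP, and pam_ldap can check it directly with `pam_check_host_attr yes` in pam_ldap.conf; a custom schema is only needed if you want an attribute of your own.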