[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Deny auth based on client

Andrew C Altepeter wrote:

> Hello all,
> I am working on setting up openldap as a centralized authenticaiton system
> for my company that has over 5000 accounts.  My question is regarding
> pam_ldap, so please forgive me if this is the wrong place to post this.
> Here is the setup:  We have one rh7.1 box running slapd, and there are two
> main divisions on my company, each having their own sun enterprise 450
> server.
> What I would like to do is add some sort of attribute to each user object
> inside the ldap database that would either allow or deny access to the
> server.
> Say I have a user names jo.  He should have access to sun1, but not sun2.
> Is there a way where I can put a field in his entry in ldap that says
> sun1, and when he goes to sun1 to login, he is allowed, but can't login to
> sun2 because an entry matching sun2 isn't present in his ldap entry?
> Can this be done strictly within ldap (in which case this question is
> relevant to this newsgroup), and/or is there a way to do this via
> pam_ldap?

Hmm, the logical way to do this in ldap would be to rearrange your users
to reflect your company structure.
for ex.:
  jo belongs to division1 and should have access to sun1, but not to sun2.
  eric belongs to division2 and has access to sun2, but not sun1.

Simply move jo to:
and eric to:

then configure your pam_ldap search base of sun1 to use:
and the one of sun2 to:
and you are done.

Second way, using attributes:
Add a attribute for every user that describes his/her rights to access a

and then put

pam_filter machineaccess=sun1
into pam_ldap.conf for sun1 and

pam_filter machineaccess=sun2
into pam_ldap.conf for sun2

Note: you will have to write your own schema if you
         want to add a custoum attribute to ldap.
WfG, chris