
Re: authentication/groups/permissions

Hello,

> Hello, I have authentication working great with ldap/nsswitch/pam.
> I was wondering how to handle group permissions, or basically how to
> emulate /etc/group.

I'm not sure if this is what you're looking for, but you can use for example

# Group to enforce membership of
#pam_groupdn cn=bundy,ou=Groups,o=test,c=PL

in the ldap.conf of the nss_ldap package. It will only allow people in this
group. Another solution is to use filters. For example:

# Filter to AND with uid=%s
pam_filter &(testServices=Shell)(testStatus=Active)

Where the testServices and testStatus are attributes in a newly defined schema.
When you use filters though, make sure that nss_ldap can't read the
userPassword attributes or they won't work. To solve the problem use correct
access lists, for example:

access to attrs=userPassword
       by self write
       by dn=uid=root,c=PL write
       by * compare

This gave me a lot of headache. This has something to do with pam_unix.o &
company. Hope this helps.

Jacek Bochenek
-- 
"Smile, tomorrow will be worse!"
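Added example, not part of the post above: a small evaluator for LDAP search filters that shows how the pam_filter value from the post is ANDed with uid=%s and which entries of a constructed directory then pass. The (&(uid=USER)(FILTER)) wrapping, the escape helper and the sample entries are assumptions for the demo, not taken from the post or from pam_ldap's code.

```python
# Added example, not from the post: a tiny evaluator for LDAP search filters
# (RFC 4515, equality and AND only) that composes a pam_filter value with
# uid=%s as pam_ldap is assumed to, (&(uid=USER)(FILTER)), and tests entries.
Entry = dict[str, list[str]]

def escape(value: str) -> str:
    """RFC 4515 escaping, so a user name cannot change the filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def parse(s: str, i: int = 0) -> tuple:
    """Parse one parenthesised component at s[i]; return (node, next index)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] == "&":                   # (&(...)(...)) with nested components
        subs, i = [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            subs.append(node)
        assert s[i] == ")", "unterminated AND"
        return ("&", subs), i + 1
    end = s.index(")", i)             # plain attr=value assertion
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip(), value), end + 1

def matches(node: tuple, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry (case-insensitive, no escape decoding)."""
    if node[0] == "&":
        return all(matches(n, entry) for n in node[1])
    _, attr, value = node
    for key, vals in entry.items():
        if key.lower() == attr.lower():
            return value.lower() in (v.lower() for v in vals)
    return False

def effective_filter(pam_filter: str, uid: str) -> str:
    """Filter pam_ldap would send: uid=%s ANDed with pam_filter (assumed shape)."""
    return f"(&(uid={escape(uid)})({pam_filter}))"

def allowed(pam_filter: str, uid: str, directory: list[Entry]) -> bool:
    """True if at least one entry satisfies the composed filter."""
    node, _ = parse(effective_filter(pam_filter, uid))
    return any(matches(node, e) for e in directory)

# Constructed sample entries (not from the post) with the attributes the filter tests.
DIRECTORY: list[Entry] = [
    {"uid": ["alice"], "testServices": ["Shell", "Mail"], "testStatus": ["Active"]},
    {"uid": ["bob"], "testServices": ["Mail"], "testStatus": ["Active"]},
    {"uid": ["carol"], "testServices": ["Shell"], "testStatus": ["Disabled"]},
]
PAM_FILTER = "&(testServices=Shell)(testStatus=Active)"
```

Only alice passes: bob lacks testServices=Shell and carol is not Active, so the filter alone keeps them out of the PAM login path even though both are valid directory users.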