
Re: Authentication via Groups ?



> We have one group "employees" containing every user (as a 
> posixAccount), and another group which splits into different 
> organisationalUnits (marketing,development etc.).
> Now we try to authenticate based on the groups:
>         [slapd.conf]
>         base ou=marketing,ou=groups,dc=mydomain,dc=de
>         pam_filter objectclass=posixGroup
>         pam_login_attribute memberUid
> Those groups are posixGroups and have a memberUid which is a valid uid
> from the "employees" group. 
> Is that going to work? Would 'uniquemember' better suit our needs than 
> 'memberUid'? Grateful for every comment,

If you want to restrict access to a service on a PAM enabled OS, I think 
it is better to let pam_ldap auth the password and restrict groups, etc. 
using the PAM module intended for that purpose, pam_listfile:

auth       required     /lib/security/pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/login_limit_list.conf
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth

where /etc/security/login_limit_list.conf looks something like - 

cis
root
sys
adm
informix

Just a list of groups.
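As an added illustration, not code from the thread or from the pam_listfile module itself, the Python below emulates how a pam_listfile line with item=group decides PAM_SUCCESS or failure: the user's groups are compared against the one-group-per-line file, sense=allow grants only on a match (sense=deny the reverse), and onerr decides what happens when the file cannot be read. The file name, the group list and the user memberships are constructed samples modelled on the reply above; the ownership and world-writable check mirrors what the module does before trusting the file (my reading of its behaviour, stated here as an assumption).

```python
"""Emulate the decision logic of pam_listfile.so item=group (added example)."""
import os
import tempfile


def listfile_is_trustworthy(path):
    """pam_listfile refuses a list file that is not a regular file owned by
    root, or that is world-writable (assumption: mirrors the module's checks).
    Root ownership is skipped here when running unprivileged so the demo
    file written by a normal user is still accepted."""
    st = os.stat(path)
    if not os.path.isfile(path):
        return False
    if st.st_mode & 0o002:          # world-writable: anyone could add a group
        return False
    if os.geteuid() == 0 and st.st_uid != 0:
        return False
    return True


def pam_listfile_group(user_groups, listfile_path, sense="allow", onerr="fail"):
    """Return True where the module would return PAM_SUCCESS, False where it
    would fail. user_groups is the set of groups the user belongs to
    (primary and supplementary), as pam_listfile resolves for item=group."""
    try:
        if not listfile_is_trustworthy(listfile_path):
            raise OSError("list file rejected by permission check")
        with open(listfile_path) as fh:
            listed = {line.strip() for line in fh if line.strip()}
    except OSError:
        # onerr=fail (the reply's setting) denies on any read/permission
        # error; onerr=succeed would let everyone through on the same error.
        return onerr == "succeed"
    matched = any(g in listed for g in user_groups)
    return matched if sense == "allow" else not matched


def make_demo_listfile(directory=None):
    """Write a constructed login_limit_list.conf like the one in the reply
    and return its path (sample data, not a real system file)."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "login_limit_list.conf")
    with open(path, "w") as fh:
        fh.write("cis\nroot\nsys\nadm\ninformix\n")
    os.chmod(path, 0o644)
    return path


if __name__ == "__main__":
    path = make_demo_listfile()
    # constructed users: one in marketing only, one also in informix
    for user, groups in (("alice", ["employees", "marketing"]),
                         ("bob", ["employees", "informix"])):
        print(user, "allowed" if pam_listfile_group(groups, path) else "denied")
    missing = os.path.join(os.path.dirname(path), "no_such_file.conf")
    print("missing file, onerr=fail ->", pam_listfile_group(["adm"], missing))
```

The point of the emulation is the two knobs in the reply's line: sense=allow means the list is a whitelist of groups, and onerr=fail means a missing or unreadable list closes the door rather than opening it, which is the safe default for an access-control file.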