[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authentication via Groups ?

> We have one group "employees" containing every user (as a 
> posixAccount), and another group which splits into different 
> organisationalUnits (marketing,development etc.).
> Now we try to authenticate based on the groups:
>         [slapd.conf]
>         base ou=marketing,ou=groups,dc=mydomain,dc=de
>         pam_filter objectclass=posixGroup
>         pam_login_attribute memberUid
> Those groups are posixGroups and have a memberUid which is a valid uid
> from the "employees" group. 
> Is that going to work? Would 'uniquemember' better suit our needs than 
> 'memberUid'? Grateful for every comment,

If you want to restrict access to a service on a PAM enabled OS, I think 
it is better to let pam_ldap auth the password and restrict groups, etc... 
using the PAM module intended for that purpose, pam_listfile

auth       required     /lib/security/pam_listfile.so onerr=fail 
item=group sense=allow file=/etc/security/login_limit_list.conf
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth

where /etc/security/login_limit_list.conf looks something like - 


Just a list of groups.