
Re: Linux authentication/authorization against OpenLDAP

pam_ldap can use the `host' attribute to contain the FQDN of machines onto
which you can log on. Would that help? Alternatively, you could use the
search bases of nss_ldap (/etc/ldap.conf) to limit access to a group containing
a specific attribute (i.e. if the attribute doesn't have a certain value,
NSS won't "see" the user).

On Sat, 20 Jul 2002, David LaPorte wrote:

> I've configured several Linux systems to authenticate against OpenLDAP,
> but I was wondering if a finer degree of authorization is possible.  For
> instance, I'd like to assign our administrators to several groups
> ("security", "admins", "network", etc) and grant access to some machines
> only to certain groups.  I understand this can be done at the
> application layer (the ssh.com SSH daemon we use includes some logic to
> limit access by group), but I'd like this to be transparent to the
> applications, since we use other remote access methods that also tie
> into PAM.
> Does this functionality exist, or am I going about this the entirely
> wrong way?
> Thanks!
> Dave LaPorte
> --
> David LaPorte
> dave@laportestyle.org
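
The two approaches named in the reply, plus pam_ldap's group check, written out as an /etc/ldap.conf fragment. This is an added example, not part of either message; the suffix dc=example,dc=com, the host fw1.example.com and the group DN are placeholders.

```conf
# /etc/ldap.conf, read by both pam_ldap and nss_ldap (constructed example)

# --- Approach 1: pam_ldap checks the `host' attribute ----------------------
# Each user entry lists the machines it may log on to, for example:
#   dn: uid=alice,ou=People,dc=example,dc=com
#   objectClass: account      # a class that permits `host' (cosine schema)
#   host: fw1.example.com
# The check runs in the PAM account phase, so every service that should
# enforce it needs pam_ldap in its account stack:
#   account required pam_ldap.so
# With this set, a user whose entry has no matching `host' value is refused.
pam_check_host_attr yes

# --- Related pam_ldap option: one required group per machine ---------------
# Not mentioned in the reply, but it maps onto the "security"/"admins"/
# "network" groups in the question. Only members of this group pass the
# account phase on this machine.
pam_groupdn cn=security,ou=Group,dc=example,dc=com
pam_member_attribute uniquemember

# --- Approach 2: nss_ldap search base with a filter -------------------------
# Syntax is base?scope?filter. Entries that do not match the filter are not
# returned, so NSS on this machine never "sees" those users.
nss_base_passwd ou=People,dc=example,dc=com?one?host=fw1.example.com
nss_base_shadow ou=People,dc=example,dc=com?one?host=fw1.example.com
```

The NSS filter decides which accounts the machine can resolve, while the account-phase checks are what PAM evaluates at login; applications that call PAM get both without any change on their side.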