I just began to play with the Directory Administrator application, and found
that it can limit the access that different users have to different hosts.
I noticed that what it really does is add the attribute type 'host'
several times for each host to a user's entry.
Besides, the user's entry has to be objectClass 'account'. Since this is a
structural objectClass, I changed it to auxiliary, to avoid having two
structural objectClasses for each user entry (the other one is
Now, I'd like to use this functionality somehow, but I don't know how.
I have nss_ldap configured on one host (host_a.domain.com), and this
host is NOT listed in the user's LDAP entry as host: host_A.domain.com, but
the user can still log into it, so I think it's not the way to do this.
I hope everything is clear.
The goal is to let/deny different users log in to different servers.
I only did something like this with routers. Users are authenticated in
RADIUS, and RADIUS, depending on the router's IP address, lets the user log
in or not. But it's RADIUS that chooses which IP is OK for each
user. LDAP is used only to check the password.