[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: host attribute

Hi Kuba!

You'll need pam_ldap to authenticate your users. In your ldap.conf - that one which is used by pam_ldap (e.g. /etc/ldap.conf or /etc/openldap/ldap.conf) you need to enable the checking. Insert the line

pam_check_host_attr yes

Now this should work. For further information on this have a look at PADL's website or their mailing list...

BTW: Your hack with objectClass account isn't very good. You should better create another auxiliary class which provides this attribute. You can get your own OID for this purpose at www.iana.org ("Application Forms" -> "Private Enterprise Numbers (SNMP)") for free.


Kuba Leszewski schrieb:

I just begin to play with Directory administrator application, and found
that it can limit access that different users have to different hosts.
I noticed that what it really does is adding attribute type 'host'
several times for each host to a user's entry.
Besides user's entry have to be objectClass 'account'. Since this is a
structural objectClass, I changed it to auxiliary, to avoid having two
structural objectClasses for each user entry (the other one is

Now, I'd like to use this functionality somehow, but I don't know how.
I have nss_ldap configured on one host (host_a.domain.com) , and this is
host is NOT listed in user's ldap entry  as host: host_A.domain.com, but
the user can still log into it, so I think it's not the way to do this.

I hope everything is clear.
The goal is to let/deny different users to log to different servers.

I only did something like this with routers. Users are authenticated in
radius, and radius, depending on the router's ip address lets user log
in or not. But it's the radius that chooses which ip is OK for each
user. LDAP is used only to check the password.