Re: Limiting finger lookup access on Linux
Rex Roof wrote:
> Yes, or a configuration for PAM that limits which users it provides
PAM doesn't return user information at all. This is strictly for nss-ldap. You
could also add a filter to nss-ldap's config file. Unfortunately the most
straightforward filter (memberOf=<the group DN>) won't work with OpenLDAP's
memberof overlay. If your group was actually a dynamic group, then you could
use the same filter criteria that the dynamic group uses.
> On Sep 12, 2009, at 9:17 PM, Howard Chu wrote:
>> Brett @Google wrote:
>>> On Sat, Sep 12, 2009 at 1:08 AM, Rex Roof<email@example.com
>>>> I have some Linux machines that I have configured for student
>>>> access. We are authenticating against our OpenLDAP tree and
>>>> limiting which users have access via an LDAP groupOfNames. This
>>>> is all working perfectly.
>>>> This is the problem I am having. Any user with access to the
>>>> system can run the /usr/bin/finger command and do a name search
>>>> against our entire LDAP tree. I would like to limit the info
>>>> available via finger to just the users that have access to any
>>>> particular machine. How can this be controlled?
>>> This sounds more like a firewall / iptables issue to your finger
>>> than anything else?
>> No, doesn't sound like that to me.
>> Essentially he wants an ACL that grants access to nss-ldap searches
>> the target entries belonging to a group associated with a particular
>> But at the moment, I can't think of any mechanism to do this in the
>> -- Howard Chu
>> CTO, Symas Corp. http://www.symas.com
>> Director, Highland Sun http://highlandsun.com/hyc/
>> Chief Architect, OpenLDAP http://www.openldap.org/project/
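As an added illustration of the nss-ldap filter approach Howard describes above (this is example configuration written for this page, not configuration from the thread, from Rex's hosts, or from the OpenLDAP project), the fragment below pairs the unfiltered nss-ldap search base with a filtered one, and shows the dynamic-group variant so that the host's group and the NSS filter share one criterion. The base DNs (ou=People and ou=Groups under dc=example,dc=com), the group name cn=lab-users, and the selection attribute departmentNumber=cs101 are all assumptions; substitute whatever actually distinguishes the accounts allowed on a given host.

```conf
## /etc/ldap.conf (nss-ldap client side). Example only; DNs and the
## departmentNumber=cs101 criterion are assumed, not taken from the thread.

# Before: every entry under ou=People is a candidate for getpwent()/getpwnam(),
# so "finger <name>" on the host effectively searches the whole People subtree.
#nss_base_passwd   ou=People,dc=example,dc=com?one
#nss_base_shadow   ou=People,dc=example,dc=com?one

# After: the optional third component of nss_base_<map> is an LDAP filter that
# nss-ldap ANDs with its default objectClass filter for that map. Only entries
# matching it are returned to finger, getent and every other NSS consumer.
# (A memberOf=<group DN> filter here would not work with the memberof overlay,
# as noted in the thread, hence a plain attribute match.)
nss_base_passwd    ou=People,dc=example,dc=com?one?(departmentNumber=cs101)
nss_base_shadow    ou=People,dc=example,dc=com?one?(departmentNumber=cs101)
nss_base_group     ou=Groups,dc=example,dc=com?one

## slapd.conf (server side). Optional: make the host's access group a dynamic
## group built from the same filter, so membership and the NSS filter cannot
## drift apart. If dynlist was built as a module, "moduleload dynlist.la"
## must precede the overlay line.
overlay            dynlist
dynlist-attrset    groupOfURLs memberURL member

## Group entry (LDIF) whose member list is computed from the same criterion
## the nss_base_passwd filter uses.
dn: cn=lab-users,ou=Groups,dc=example,dc=com
objectClass: groupOfURLs
cn: lab-users
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(departmentNumber=cs101)
```

To check the effect on the host, run `getent passwd` after restarting nscd (if it is in use): only accounts matching the filter should be listed, and `getent passwd <some non-matching user>` should return nothing, which is what finger will now see as well. Two caveats: the filter applies to every passwd lookup on that host, not just finger, so every account that must log in, own files, or appear in `ls -l` output has to match it; and because the restriction lives in the client's nss-ldap configuration, it bounds what the NSS layer returns, not what a user can fetch with a direct ldapsearch, which is governed only by slapd's own ACLs, the part Howard says has no ready-made mechanism.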