Re: Limiting finger lookup access on Linux
On Sep 15, 2009, at 9:15 AM, Jonathan Clarke wrote:
On 15/09/2009 14:31, Roof,Rex wrote:
On Sep 14, 2009, at 5:21 PM, Buchan Milne wrote:
On Friday, 11 September 2009 16:08:17 Rex Roof wrote:
I have some Linux machines that I have configured for student
We are authenticating against our OpenLDAP tree and limiting which
users have access via an LDAP groupOfNames.
At the PAM level.
This is all working
This is the problem I am having. Any user with access to the
can run the /usr/bin/finger command and do a name search against
entire LDAP tree. I would like to limit the info available via
finger to just the users that have access to any particular
What about the standard user information available via 'getent
How can this be controlled?
If you are referring to the same information as in 'getent passwd',
problem is whether you need the OS to be able to resolve UIDs to
the users who should not have access. After that, worry about (the
information via) finger ...
Yes! 'getent passwd' returns all of the 100,000 entries in my LDAP
tree, I'd rather it returned the 30 or so users that have access to
the particular machine plus whatever is in /etc/passwd.
Is it possible to do this? Perhaps via a PAM configuration?
If I understand correctly, you're enforcing access to this machine by
telling PAM to allow only a given group, presumably via an option in
pam_ldap.conf like "pam_groupdn cn=yourgroupe,dc=etc".
But, NSS (and therefore finger), is still seeing all users in the
directory, and not only the ones from that group?
One solution would be to configure your libnss-ldap to use a binddn to
connect to the LDAP server, and set up ACLs so that that binddn only
access to users from that group.
Could I craft an ACL for my proxy user, "cn=UNIX Auth,ou=Utility", so
that it only has access to objects that are in any group matching the
pattern "cn=machine [^,]+,ou=Group"? (I've made groups for each Unix
machine in the form of "cn=machine hostname,ou=group")
Currently the "cn=UNIX Auth,ou=Utility" proxy user is in the group
"cn=authdaemon,ou=group", which I've given read access to most of the