[Date Prev][Date Next]
Re: Limiting finger lookup access on Linux
Thanks to everyone on this list that helped with this problem.
The answer (as with most answers) was in the documentation:
[from `man nss_ldap`]
Specify the search base, scope and filter to be used
I created a nss_base_passwd line looking like this:
it's dirty, but works until I upgrade to OpenLDAP 2.4 and can use the
memberOf= search filter.
This successfully limits the output of getent passwd to just the
users I want. It also limits the info that finger gives to just
Hope this helps someone else.
On Sep 16, 2009, at 1:49 AM, Gavin Henry wrote:
See the dynlist overlay: http://www.openldap.org/doc/admin24/overlays.html
On 15/09/2009, Rex Roof <firstname.lastname@example.org> wrote:
On Sep 15, 2009, at 10:41 AM, Howard Chu wrote:
Rex Roof wrote:
Yes, or a configuration for PAM that limits which users it provides
PAM doesn't return user information at all. This is strictly for
could also add a filter to nss-ldap's config file. Unfortunately the
straightforward filter (memberOf=<the group DN>) won't work with
memberof overlay. If your group was actually a dynamic group, then
use the same filter criteria that the dynamic group uses.
From what I can tell, nss_ldap and pam_ldap use the same config file
in centos, /etc/ldap.conf. So they both use the same proxy user?
What do you mean by dynamic group? I'm open to changing to some
Sent from my mobile device