Re: Newbie question about host base authentication

[anax <anax@ayni.com>]

if you are using pam-ldap, then its even easier than you think, i.e. its 
included in pam-ldap:

in the ldap directory create entries like or similar:

uid=ldap-host,ou=People,ou=pam-ldap,dc=mydomain,dc=com
cn: ldap-host
gidNumber: 102
homeDirectory: /home/ldap-host
host: vidigal.mydomain.com
loginShell: /bin/bash
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 11146
shadowMax: 99999
shadowWarning: 7
uid: ldap-host
uidNumber: 1038
userPassword: youonlyknowit

where the important attribute is host.

Then, in the ldap.conf file, where you tell pam-ldap, which ldap 
parameters to use, add the following line:

pam_check_host_attr yes

Then, in the corresponding pam-ldap file, add the following two entries:

account required pam_ldap.so debug
account required pam_unix_acct.so

(check to see, if you have the respecitve module installed in your 
pam-ldap module direcotory).

And then, by magic, users will be allowed only on the specified host, in 
this case on vidigal.mydomain.com

suomi





On 2012-10-29 13:23, Simone Scremin wrote:
> Hi all,
> I'm in the process of learning the OpenLDAP authentication mechanics.
> I'd need to know what is the best way to configure an host based authentication system that allow to configure a per-user rule to include a group of host to which the user is allowed to login.
>
> In example:
>
> user Bob needs to authenticate on systems:
>
> sys01pra
> sys02pre
> sys03pra
> sys03pre
>
> some configuration on the LDAP server enable this hostnames for Bob with a regular expression like:
>
> sys0*pr*
>
> Is it feasable?
>
> Thanks
>
> Simone