Re: Using OpenLDAP with multiple servers to authenticate



m g wrote:
> 
> Hey all,
> 
> I am currently using OpenLDAP for authenticating users
> on multiple servers.  Some users are allowed access on
> all the servers and some are allowed access to only
> a few.  My question is what is the best way to set up
> the authentication process to check which server they
> are trying to log in to and if they are allowed to
> log on to that server.

There is a "host" attribute in the objectclass account, defined
in cosine.schema.
You can put as many host attributes as you want in an account
entry, to allow users access to as many hosts as you want.
You need to configure pam_ldap to require a host attribute on
authentication.

For example:
------------
A server called "fileserver" allows only logins
for users who have a host=fileserver attribute.

To achieve this, put this line in /etc/pam_ldap.conf:

pam_filter host=fileserver

Unless you are using a new enough version of pam_ldap
which supports the pam_filter directive you should be done.
-- 
WfG, Chris
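
The setup described in the reply, written out as an added illustration that is not part of the original message. The base DN dc=example,dc=com, the users alice and bob, the second host "mailserver" and all numeric IDs are constructed sample values.

```ldif
# Constructed sample data: two accounts that use the "host" attribute of
# objectClass "account" (cosine.schema) to list the servers they may use.

# alice may log in to both servers: one host value per permitted server.
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: alice
cn: Alice Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
host: fileserver
host: mailserver

# bob may log in to mailserver only.
dn: uid=bob,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: bob
cn: Bob Example
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/bob
host: mailserver

# Per-server setting in /etc/pam_ldap.conf (not LDIF, shown as comments):
#
#   on fileserver:   pam_filter host=fileserver
#   on mailserver:   pam_filter host=mailserver
#
# pam_ldap ANDs this filter with the login name when it looks the user up,
# so on fileserver the lookup is effectively (&(host=fileserver)(uid=bob)).
# bob's entry has no host=fileserver value, nothing matches, and the login
# is refused before any password check. alice matches on both servers.
#
# To review who would be admitted to a given server, run the same filter
# by hand (anonymous simple bind assumed to be allowed for reads):
#
#   ldapsearch -x -LLL -b "ou=People,dc=example,dc=com" \
#       "(&(objectClass=posixAccount)(host=fileserver))" uid
#
# An entry with no host attribute at all matches no server's filter, so
# new accounts are locked out of filtered servers until a host is added.
```

The filter only restricts services that authenticate through pam_ldap on that machine; write access to the host attribute should be limited to administrators in the directory ACLs, since anyone who can edit it can grant themselves access to a server.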