
Re: host attribute



Hi Kuba!

You'll need pam_ldap to authenticate your users. In your ldap.conf, the one that is used by pam_ldap (e.g. /etc/ldap.conf or /etc/openldap/ldap.conf), you need to enable the checking. Insert the line

pam_check_host_attr yes

Now this should work. For further information on this have a look at PADL's website or their mailing list...

BTW: Your hack with objectClass account isn't very good. You would be better off creating another auxiliary class that provides this attribute. You can get your own OID for this purpose at www.iana.org ("Application Forms" -> "Private Enterprise Numbers (SNMP)") for free.


Chris

Kuba Leszewski wrote:
Hi,

I have just begun to play with the Directory Administrator application, and found
that it can limit the access that different users have to different hosts.
I noticed that what it really does is add the attribute type 'host'
several times, one for each host, to a user's entry.
Besides, the user's entry has to be of objectClass 'account'. Since this is a
structural objectClass, I changed it to auxiliary, to avoid having two
structural objectClasses for each user entry (the other one is
inetOrgPerson).

Now, I'd like to use this functionality somehow, but I don't know how.
I have nss_ldap configured on one host (host_a.domain.com), and this
host is NOT listed in the user's ldap entry as host: host_A.domain.com, but
the user can still log into it, so I think this is not the way to do it.

I hope everything is clear.
The goal is to let/deny different users to log to different servers.

I only did something like this with routers. Users are authenticated in
radius, and radius, depending on the router's IP address, lets the user log
in or not. But it's the radius that chooses which IP is OK for each
user. LDAP is used only to check the password.

Regards
Kuba
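As an added illustration of Chris's advice above (this is example code written for this page, not code from the original thread, from PADL or from Directory Administrator), here is a small Python model of the decision pam_ldap makes once `pam_check_host_attr yes` is in its ldap.conf: the user's entry must carry a `host` value equal to the local hostname or the wildcard `*`, and an entry with no `host` attribute at all is denied. The ldap.conf text, the LDIF entries, the hostnames and the auxiliary objectClass name `myHostAccess` are all constructed for this example; the exact, case-sensitive comparison is this example's assumption and should be verified against your pam_ldap version. Two caveats a practitioner should keep in mind: pam_ldap performs this check in its account-management step, so the PAM stack needs an `account` line for pam_ldap.so or the setting has no effect, and the check is enforced by each client host, so a host that is not running pam_ldap with this setting does not restrict anyone (the LDAP bind with the user's password still succeeds there).

```python
"""Model of pam_ldap's pam_check_host_attr decision, on constructed input."""

# Constructed sample: a minimal pam_ldap ldap.conf with the line Chris suggests.
LDAP_CONF = """\
base dc=example,dc=com
uri ldap://ldap.example.com/
pam_check_host_attr yes
"""

# Constructed sample LDIF. 'myHostAccess' is a hypothetical auxiliary
# objectClass standing in for the site-specific class Chris recommends;
# 'host' is the RFC 2307 attribute that Directory Administrator writes,
# once per permitted host.
USER_LDIF = """\
dn: uid=kuba,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: myHostAccess
uid: kuba
cn: Kuba Leszewski
host: host_A.domain.com
host: host_b.domain.com
"""

# Constructed sample entry that carries no host attribute at all.
NOHOST_LDIF = """\
dn: uid=nohost,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: nohost
"""


def parse_ldap_conf(text):
    """Parse the 'keyword value' lines of a pam_ldap/nss_ldap ldap.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf


def host_values(ldif_text):
    """Collect every 'host:' value of one LDIF entry (the attribute is multi-valued)."""
    values = []
    for line in ldif_text.splitlines():
        if line.lower().startswith("host:"):
            values.append(line.split(":", 1)[1].strip())
    return values


def host_allowed(hosts, local_hostname):
    """Allow only if some host value is the wildcard '*' or equals the local
    hostname. Exact, case-sensitive comparison is an assumption of this model."""
    return any(h == "*" or h == local_hostname for h in hosts)


def decide(conf_text, ldif_text, local_hostname):
    """Return (allowed, reason) for a login by the LDIF user on local_hostname."""
    conf = parse_ldap_conf(conf_text)
    if conf.get("pam_check_host_attr", "no").lower() != "yes":
        # Without the setting the host attribute is never consulted.
        return True, "pam_check_host_attr not enabled: host attribute ignored"
    hosts = host_values(ldif_text)
    if not hosts:
        # A user without any host value is denied everywhere once the check is on.
        return False, "no host attribute on entry"
    if host_allowed(hosts, local_hostname):
        return True, "host matched"
    return False, "none of %s matches %s" % (hosts, local_hostname)


if __name__ == "__main__":
    # host_a vs host_A reproduces the case mismatch from Kuba's mail.
    for name in ("host_A.domain.com", "host_a.domain.com", "other.domain.com"):
        print(name, decide(LDAP_CONF, USER_LDIF, name))
    print("nohost", decide(LDAP_CONF, NOHOST_LDIF, "host_A.domain.com"))
```

Note that with the setting absent the model allows everything, which is the situation Kuba describes: nss_ldap resolving the user and a successful password bind are not the same thing as the host check, and only pam_ldap with `pam_check_host_attr yes` and an `account` entry in the PAM stack performs it.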