Vince Rafale wrote:
> Howard Chu wrote:
>> Buchan Milne wrote:
>>> On Sunday 26 April 2009 14:34:00 Vince Rafale wrote:
>>>> Hi list, I would like to know whether anybody has succeeded in using the memberof overlay for other attributes. I would like a user entry (specifically the host attribute) to be populated when a user is added to a posixGroup. Let's say this posixGroup contains a "hostOfGroup" attribute. Is it feasible? Or do I need to code my own overlay for that purpose? If writing an overlay is not needed, is there an easier way to do that?
>>> Sounds like there may be other solutions to your real problem ... e.g. pam_listfile with item=group sense=allow
>> Or use the PAM support in the nssov overlay. Setting a user's host attribute to control logins is ridiculous...
> Ok for that overlay. Have you got any tutorial on the use of that overlay? If not, could you please provide some more details on the configuration for that overlay that could suit my need?

http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/nssov/slapo-nssov.5

The relevant point is to create ipHost entries for each host that you want to control logins on, and set the authorizedService attribute to the set of PAM services you want to allow (e.g., login, sshd, gdm, whatever). Then set ACLs on the authorizedService attribute - this will then control what users the nssov overlay allows to login to the given service on a given host. This gives you the full power of the slapd ACL engine, instead of just the 2-3 limited options that the old pam_ldap module provides.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
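
A configuration sketch of the approach described in the reply above, added here as an illustration and not taken from the original message or from the OpenLDAP project. It assumes the `hostservice` PAM option and the compare-privilege check as documented in the slapo-nssov(5) page linked above, and that the schema defining `authorizedServiceObject` is loaded. The DNs, host name, group names and IP address are constructed sample values.

```conf
# --- Host entry (LDIF, shown as comments; constructed sample values) ---
# dn: cn=web01,ou=hosts,dc=example,dc=com
# objectClass: device
# objectClass: ipHost
# objectClass: authorizedServiceObject
# cn: web01
# ipHostNumber: 192.0.2.10
# authorizedService: sshd
# authorizedService: login

# --- slapd.conf fragment for the database that holds ou=hosts ---
overlay nssov
# Tell the overlay where the host map lives.
nssov-ssd hosts ldap:///ou=hosts,dc=example,dc=com??one
# Authorize PAM logins against the host entry's authorizedService values.
nssov-pam hostservice

# Assumption: group.exact uses the default groupOfNames/member lookup,
# so cn=ssh-users and cn=admins are groupOfNames entries, not posixGroups.

# Only members of cn=ssh-users may match "sshd" on web01.
access to dn.exact="cn=web01,ou=hosts,dc=example,dc=com"
        attrs=authorizedService val.exact="sshd"
    by group.exact="cn=ssh-users,ou=groups,dc=example,dc=com" compare
    by * none

# Console "login" on web01 is limited to the admins group.
access to dn.exact="cn=web01,ou=hosts,dc=example,dc=com"
        attrs=authorizedService val.exact="login"
    by group.exact="cn=admins,ou=groups,dc=example,dc=com" compare
    by * none

# Every other authorizedService value, on any host: deny by default.
access to dn.subtree="ou=hosts,dc=example,dc=com"
        attrs=authorizedService
    by * none
```

These rules are a fragment: place them ahead of any broader `access to *` rule, since slapd stops at the first matching `access to` clause.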