[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Limiting finger lookup access on Linux

To: openldap-technical@openldap.org
Subject: Re: Limiting finger lookup access on Linux
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Mon, 14 Sep 2009 22:21:07 +0100
Cc: Rex Roof <rex@wccnet.edu>
Content-disposition: inline
In-reply-to: <E73FB1AD-AF59-4C15-8D23-02757FA832D1@wccnet.edu>
References: <E73FB1AD-AF59-4C15-8D23-02757FA832D1@wccnet.edu>
User-agent: KMail/1.11.4 (Linux/2.6.27.23-xen-3.4.0-1mdv; KDE/4.2.4; x86_64; ; )

On Friday, 11 September 2009 16:08:17 Rex Roof wrote:
> I have some linux machines that I have configured for student access.
> We are authenticating against our OpenLDAP tree and limiting which
> users have access via an LDAP groupOfNames.

At the PAM level.

> This is all working
> perfectly.
>
> This is the problem I am having.   Any user with access to the system
> can run the /usr/bin/finger command and do a name search against our
> entire LDAP tree.   I would like to limit the info available via
> finger to just the users that have access to any particular machine.

What about the standard user information available via 'getent passwd' ?

> How can this be controlled?

If you are referring to the same information as in 'getent passwd', your first 
problem is whether you need the OS to be able to resolve UIDs to usernames for 
the users who should not have access. After that, worry about (the same 
information via) finger ...

Regards,
Buchan

Follow-Ups:
- Re: Limiting finger lookup access on Linux
  - From: "Roof,Rex" <Rex@wccnet.edu>

References:
- Limiting finger lookup access on Linux
  - From: Rex Roof <rex@wccnet.edu>

Prev by Date: Re: ldapsearch hangs
Next by Date: Re: connections falling short
Index(es):
- Chronological
- Thread