
Re: Limiting finger lookup access on Linux

Rex Roof wrote:
Yes, or a configuration for PAM that limits which users it provides
information for.

PAM doesn't return user information at all. This is strictly for nss-ldap. You could also add a filter to nss-ldap's config file. Unfortunately the most straightforward filter (memberOf=<the group DN>) won't work with OpenLDAP's memberof overlay. If your group was actually a dynamic group, then you could use the same filter criteria that the dynamic group uses.


On Sep 12, 2009, at 9:17 PM, Howard Chu wrote:

Brett @Google wrote:
On Sat, Sep 12, 2009 at 1:08 AM, Rex Roof <rex@wccnet.edu> wrote:

    I have some linux machines that I have configured for student
    access. We are authenticating against our OpenLDAP tree and
    limiting which users have access via an LDAP groupOfNames. This
    is all working perfectly.

    This is the problem I am having. Any user with access to the
    system can run the /usr/bin/finger command and do a name search
    against our entire LDAP tree. I would like to limit the info
    available via finger to just the users that have access to any
    particular machine. How can this be controlled?

This sounds more like a firewall / iptables issue to your finger
than anything else?

No, doesn't sound like that to me.

Essentially he wants an ACL that grants access to nss-ldap searches based on
the target entries belonging to a group associated with a particular
But at the moment, I can't think of any mechanism to do this in the ACL engine.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
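As an added illustration of the nss-ldap filter approach suggested above (this is editor-supplied example configuration, not part of the thread and not from the OpenLDAP or PADL projects), the fragment below restricts the passwd map that finger, getent and friends read to the entries matched by a dynamic group's own memberURL filter. The base DN dc=example,dc=edu, the hostname lab1.example.edu, the use of the `host` attribute as the dynamic group's criterion, and the file path /etc/ldap.conf are all assumptions; the `nss_base_<map> base?scope?filter` form is PADL nss_ldap's documented syntax.

```conf
# /etc/ldap.conf for PADL nss_ldap (added example; base DN, hostname,
# attribute and path are assumptions, not values from the thread)

base    dc=example,dc=edu
uri     ldap://ldap.example.edu/

# Assumed: the dynamic group that already gates logins on this machine
# is generated from a memberURL of the form
#   memberURL: ldap:///ou=People,dc=example,dc=edu??sub?(host=lab1.example.edu)
# Re-using that URL's search filter here makes the client's passwd map
# return only the same entries, so finger/getent see only those users.

# nss_base_<map> is  base?scope?filter ; the filter is ANDed with
# nss_ldap's own objectClass filter for the map.
nss_base_passwd  ou=People,dc=example,dc=edu?sub?(host=lab1.example.edu)
nss_base_shadow  ou=People,dc=example,dc=edu?sub?(host=lab1.example.edu)
nss_base_group   ou=Groups,dc=example,dc=edu?one
```

Because this filter lives in the client's own configuration, it narrows what NSS lookups on that host return; it does not change what the directory itself will disclose to a client that binds and searches directly, which is the server-side ACL question the thread leaves open. Checking the effect is a matter of running `getent passwd` on the host and confirming that only entries matching the filter come back.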