
Re: Limiting finger lookup access on Linux

Thanks to everyone on this list that helped with this problem.
The answer (as with most answers) was in the documentation:

[from `man nss_ldap`]

    nss_base_<map> <basedn?scope?filter>
        Specify the search base, scope and filter to be used for specific maps.

I created a nss_base_passwd line looking like this:

nss_base_passwd ou=Accountssub?|(uid=user1)(uid=user2)(uid=...

It's dirty, but it works until I upgrade to OpenLDAP 2.4 and can use the memberOf= search filter.

This successfully limits the output of getent passwd to just the users I want. It also limits the info that finger gives to just those users.

Hope this helps someone else.
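The nss_base_passwd line above composes a basedn?scope?filter value by hand. As an added example (not code from this thread), here is a small Python helper that builds that value with a properly parenthesized, RFC 4515-escaped uid filter and parses one back into its three fields. The base DN and uids are constructed sample values, and defaulting a missing scope to sub is an assumption, not nss_ldap's documented behaviour.

```python
# Added example (not code from the thread): build and check the value of an
# nss_ldap "nss_base_<map> basedn?scope?filter" line, as described in
# `man nss_ldap`, so the per-user filter is a well-formed LDAP filter.
# The base DN and uid list used below are constructed sample values.
from typing import Sequence, Tuple

# Characters RFC 4515 requires to be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
VALID_SCOPES = ("base", "one", "sub")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(uids: Sequence[str]) -> str:
    """OR filter matching exactly the given uids; one uid needs no (|...)."""
    if not uids:
        raise ValueError("at least one uid is required")
    # Escaping keeps a uid containing '(' or '*' from widening the filter.
    clauses = ["(uid=%s)" % escape_filter_value(u) for u in uids]
    return clauses[0] if len(clauses) == 1 else "(|%s)" % "".join(clauses)


def build_nss_base_passwd(base_dn: str, uids: Sequence[str], scope: str = "sub") -> str:
    """Compose the full 'nss_base_passwd basedn?scope?filter' config line."""
    if scope not in VALID_SCOPES:
        raise ValueError("scope must be one of %s" % ", ".join(VALID_SCOPES))
    return "nss_base_passwd %s?%s?%s" % (base_dn, scope, build_uid_filter(uids))


def parse_nss_base(value: str) -> Tuple[str, str, str]:
    """Split basedn?scope?filter; only the first two '?' are separators.

    A missing scope defaults to 'sub' here (an assumption, not nss_ldap's
    documented default) and a missing filter is returned as ''.
    """
    parts = value.split("?", 2)
    base_dn = parts[0]
    scope = parts[1] if len(parts) > 1 and parts[1] else "sub"
    ldap_filter = parts[2] if len(parts) > 2 else ""
    if scope not in VALID_SCOPES:
        raise ValueError("unknown scope %r" % scope)
    return base_dn, scope, ldap_filter


if __name__ == "__main__":
    # Constructed sample: two allowed accounts under ou=Accounts.
    print(build_nss_base_passwd("ou=Accounts,dc=example,dc=com", ["user1", "user2"]))
```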

On Sep 16, 2009, at 1:49 AM, Gavin Henry wrote:

See the dynlist overlay: http://www.openldap.org/doc/admin24/overlays.html

On 15/09/2009, Rex Roof <rex@wccnet.edu> wrote:

On Sep 15, 2009, at 10:41 AM, Howard Chu wrote:

Rex Roof wrote:
Yes, or a configuration for PAM that limits which users it provides information for.

PAM doesn't return user information at all. This is strictly for nss-ldap. You could also add a filter to nss-ldap's config file. Unfortunately the straightforward filter (memberOf=<the group DN>) won't work with the memberof overlay. If your group was actually a dynamic group, then you could use the same filter criteria that the dynamic group uses.


From what I can tell, nss_ldap and pam_ldap use the same config file in CentOS, /etc/ldap.conf. So they both use the same proxy user?

What do you mean by dynamic group? I'm open to changing to some other
