2010/11/19 Phuong Marie VUONG <mangocph...@gmail.com>:
> Hello,
>
> First, I'm sorry about my English. I share here my experience which worked
> for limiting access to a host/group of hosts for a user...
>
> In the configuration of the ldap client /etc/ldap.conf, I have activated the
> host attribute and a filter in nss_base_passwd:
>
>   pam_check_host_attr yes
>   nss_base_passwd ou=People,dc=xxxxx,dc=xxxx?one?|(host=hostname.domain)(host=PatternofHostGroup)(host=*)
>
> In the user entry, add the host attribute.
> And in the host set, you can put the pattern value corresponding to the level
> that you want to authorize to connect, for example:
>
>   hostname.domain
>   or
>   PatternofHostGroup
>   or
>   *
>
> Hope that can help
>
>
> 2010/11/19 c0re <nr1c...@gmail.com>
>>
>> Can you give an example of usage of pam_check_host_attr?
>>
>> And how can I use a group of hosts and assign a user to this group to
>> permit the user access to this group, avoiding enumerating hosts in the
>> user's dn each time I add a new user?
>>
>> What should I set in "host:"? Hostname of server? How are host attrs
>> sent to pam_ldap?
>>
>> 2010/11/18 Aaron Richton <rich...@nbcs.rutgers.edu>:
>> > On Thu, 18 Nov 2010, c0re wrote:
>> >
>> >> I mean user user1 must login only on server1, server2 and server3.
>> >> And user2 can login only on server5 and server2.
>> >
>> > You could probably overload almost anything (dyngroups, OpenLDAP ACLs,
>> > search filters, who knows) to accomplish this, but the cleanest way to
>> > do this in pam_ldap would utilize pam_check_host_attr. I assume pam_ldap
>> > because you mentioned "pam_groupdn" which is not an OpenLDAP
>> > configuration directive.
>> >
>
>
>
> --
> Milan&Phuong
> 06.17.34.09.77
> 09.53.57.04.94
> http://www.phuong.fr/photos/
>
>

I went a bit different way.

I used pam_groupdn in ldap.conf and created a group for each server. Now if I add a user to ldap, I need to add to the groups "memberUid: `userdn`". And the user will be able to login to those servers for whose group the user is a member. But if I have 100-200 servers and want to give a new user access to all these servers, I should add the user to all groups. Of course it's a waste of time and it could be done via some external shell/perl script, but maybe there is another way in openldap? pam_check_host_attr does almost the same. If I add a user, I need to add all hosts to the user attr "host:". So it's the same work, I think.
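The two schemes discussed in this thread (Phuong's `host` attribute plus `nss_base_passwd` filter, and c0re's one-group-per-server `pam_groupdn` setup) can be modelled offline to check who would get onto which server before touching the directory. The following is an added example, not code from the thread or from pam_ldap. It assumes that pam_ldap compares each value of the user's `host` attribute against the local host name by exact, case-insensitive string match and treats `*` as matching every host, and that a server can carry group labels (such as `dbservers`) that are also accepted as `host` values, exactly as the filter in Phuong's post implies. The directory contents, host names and DNs are constructed sample data.

```python
"""Offline model of pam_ldap host-attribute and group-DN authorisation.

Added example; assumptions (not verified against pam_ldap source):
  * pam_check_host_attr: a user is allowed when any `host` value equals the
    server's FQDN (case-insensitive) or one of the server's group labels,
    or is the wildcard "*".
  * pam_groupdn: a user is allowed when their uid appears in memberUid of
    the group DN configured on that server.
"""
from dataclasses import dataclass, field

# Constructed sample data: users with their `host` attribute values.
USERS = {
    "user1": ["server1.example.org", "server2.example.org", "server3.example.org"],
    "user2": ["server5.example.org", "server2.example.org"],
    "admin": ["*"],                 # wildcard: every server accepts this user
    "dbteam": ["dbservers"],        # host-group label instead of a host name
}

# Constructed sample data: one posixGroup per server (c0re's approach).
GROUPS = {
    "cn=server1,ou=Groups,dc=example,dc=org": ["user1"],
    "cn=server2,ou=Groups,dc=example,dc=org": ["user1", "user2"],
    "cn=server5,ou=Groups,dc=example,dc=org": ["user2"],
}


@dataclass
class Server:
    """A host as seen by its own ldap.conf: name, group labels, group DN."""
    fqdn: str
    groups: set = field(default_factory=set)
    groupdn: str = ""


def build_nss_filter(server: Server, base: str = "ou=People,dc=example,dc=org") -> str:
    """Render the nss_base_passwd line from the thread for this server.

    Only users whose `host` matches the FQDN, one of the server's group
    labels, or "*" become visible through NSS on this host.
    """
    terms = [f"(host={server.fqdn})"]
    terms += [f"(host={label})" for label in sorted(server.groups)]
    terms.append("(host=*)")
    return f"{base}?one?|{''.join(terms)}"


def host_attr_allows(uid: str, server: Server, users=USERS) -> bool:
    """pam_check_host_attr decision for `uid` on `server` (assumed semantics)."""
    values = [v.lower() for v in users.get(uid, [])]
    accepted = {server.fqdn.lower()} | {g.lower() for g in server.groups}
    return any(v == "*" or v in accepted for v in values)


def groupdn_allows(uid: str, server: Server, groups=GROUPS) -> bool:
    """pam_groupdn decision: uid must be a memberUid of the server's group."""
    return uid in groups.get(server.groupdn, [])


def ldif_user_host_entry(uid: str, hosts, base: str = "ou=People,dc=example,dc=org") -> str:
    """LDIF modify snippet adding `host` values to an existing user entry."""
    lines = [f"dn: uid={uid},{base}", "changetype: modify", "add: host"]
    lines += [f"host: {h}" for h in hosts]
    return "\n".join(lines) + "\n"


def groups_needed_for_all(servers, groups=GROUPS) -> int:
    """How many group edits the pam_groupdn scheme costs to grant a new user
    access everywhere; the host-attribute scheme needs a single "*" value."""
    return len({s.groupdn for s in servers if s.groupdn in groups})


if __name__ == "__main__":
    s2 = Server("server2.example.org", {"webservers"},
                "cn=server2,ou=Groups,dc=example,dc=org")
    db7 = Server("db7.example.org", {"dbservers"})
    print(build_nss_filter(s2))
    for uid in USERS:
        print(uid, "on", s2.fqdn, "host-attr:", host_attr_allows(uid, s2),
              "groupdn:", groupdn_allows(uid, s2))
    print("dbteam on db7:", host_attr_allows("dbteam", db7))
    print(ldif_user_host_entry("user2", USERS["user2"]), end="")
```

Running the script prints the filter line for `server2`, the per-user decisions under both schemes, and the LDIF needed to set a user's `host` values; comparing `groups_needed_for_all` against the single `*` value makes the cost difference c0re describes concrete, with the caveat that `*` also removes the per-host restriction entirely.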