On 9/8/17 13:24, Mark Cave-Ayland wrote:
> My weapon of choice for LDAP deployments on POSIX-based systems is
> Arthur De Jong's nss-pam-ldapd (https://arthurdejong.org/nss-pam-ldapd)
> which is far more flexible than pam_ldap and fixes a large number of
> bugs, including the tendency for pam_ldap to hang infinitely if it can't
> contact its LDAP server.
>
> Take a look at nss-pam-ldapd's man page for nslcd.conf and in particular
> pam_authz_search - this is exactly the type of filters I would end up
> deploying onto servers. This happens a lot in large organisations
> whereby getting group memberships updated in the main directory can take
> days/weeks whereas someone with root access to the server itself can
> hard-code an authentication list of users and/or groups in an LDAP
> filter in just a few minutes.
Thomas, would you consider using the placeholder syntax described at
<https://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5> under pam_authz_search?

--
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
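As an added example (not code from nss-pam-ldapd, PostgreSQL or either poster): a small placeholder expander in the style of an nslcd.conf pam_authz_search filter. It assumes `$username` and `$hostname` placeholder names and a constructed filter, and shows the property any such expansion needs: every substituted value is RFC 4515-escaped, so a login name containing `*`, `(` or `)` cannot change the structure of the filter it is inserted into.

```python
import re

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_SPECIAL = {'\\', '*', '(', ')', '\x00'}


def ldap_filter_escape(value: str) -> str:
    """Escape VALUE for use inside an LDAP search filter (RFC 4515).
    Special ASCII characters and every byte of a non-ASCII character are
    emitted as \\XX hex pairs, so the value can neither close nor extend
    the filter it is substituted into."""
    out = []
    for ch in value:
        if ch in _SPECIAL or ord(ch) > 0x7f:
            out.extend('\\%02x' % b for b in ch.encode('utf-8'))
        else:
            out.append(ch)
    return ''.join(out)


# Placeholder syntax assumed here: $name, as in nslcd.conf's $username.
_PLACEHOLDER = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')


def expand_filter(template: str, values: dict) -> str:
    """Replace $name placeholders in TEMPLATE with escaped values.
    An unknown placeholder is an error instead of being left in place,
    so a typo in the configured filter cannot silently widen the match."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError('unknown placeholder $' + name)
        return ldap_filter_escape(values[name])
    return _PLACEHOLDER.sub(substitute, template)


# Constructed filter: members of one directory group may log in anywhere,
# and individual accounts can be granted a specific host via a host attribute.
AUTHZ_TEMPLATE = ('(&(objectClass=posixAccount)(uid=$username)'
                  '(|(memberOf=cn=dbadmins,ou=groups,dc=example,dc=com)'
                  '(host=$hostname)))')


def authz_filter_for(username: str, hostname: str) -> str:
    """Build the authorization search filter for one login attempt."""
    return expand_filter(AUTHZ_TEMPLATE,
                         {'username': username, 'hostname': hostname})


if __name__ == '__main__':
    print(authz_filter_for('alice', 'db1.example.com'))
    # Filter metacharacters in the login name are escaped, not interpreted.
    print(authz_filter_for('*)(uid=*', 'db1.example.com'))
```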