Re: pam ldap limit authentication
From: Jamie Beverly (jbeverly1_at_tampabay.rr.com)
Date: 08/02/05
- Next message: Bernd Felsche: "Re: Suse Linux: first Impression, Too Much Work"
- Previous message: Jamie Beverly: "Re: pam ldap limit authentication"
- In reply to: Jamie Beverly: "Re: pam ldap limit authentication"
- Next in thread: trevor_obba_at_yahoo.co.uk: "Re: pam ldap limit authentication"
- Reply: trevor_obba_at_yahoo.co.uk: "Re: pam ldap limit authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 02 Aug 2005 00:57:40 GMT
grrr... in the third option, you would limit =rx access to userPassword
only; everything else would need to be readable in order for the users'
homeDirectory, uid, etc., etc.
Jamie Beverly wrote:
> there are several ways to accomplish this; since you asked about PAM last,
> I'll give that answer first.
>
> pam_listfile.so provides the ability to list account names, and in pam.d
> you may specify users, groups, etc and a "sense" which would be either
> allow or deny.
>
> something like this would permit only users in the list file /etc/valid_users:
> auth required pam_listfile.so item=user sense=allow file=/etc/valid_users onerr=fail
>
>
> Now, I believe another way you could accomplish this is with your
> ldap.conf: specify a filter on your nss_base_shadow only, but not on the
> nss_base_passwd line.
>
> And thirdly, on your ldap server itself, you should be able to define an
> ACL that would only allow =rx to people in your admin group by
> peername=server.you.wish.to.restrict.access.to
>
> hope one of those is to your liking. Good luck.
>
>
>
> trevor_obba@yahoo.co.uk wrote:
>
>> I have a suse linux machine which authenticates users to ldap; this is
>> working fine. But I would like to limit users that log on to the
>> machines to just the system admins.
>> The machines host different web sites which users access from their
>> home directory like http://foo.mdx.ac.uk/~username
>>
>> At the moment my /etc/ldap.conf has
>> nss_base_passwd o=mdx?sub?groupMembership=cn=linux_servers,ou=access-groups,ou=UNIX,ou=services,ou=staff,o=mdx
>>
>> nss_base_shadow o=mdx?sub?groupMembership=cn=linux_servers,ou=access-groups,ou=UNIX,ou=services,ou=staff,o=mdx
>>
>> nss_base_group ou=group,ou=sun.mdx.ac.uk,ou=nis,ou=services,ou=unix,ou=services,ou=staff,o=mdx?one
>>
>> I would like to limit authentication to cn=linux_admin, but if I change
>> the above /etc/ldap.conf to cn=linux_admin, users will not be able to
>> get to their web site.
>>
>> Using PAM, how do I limit authentication for all services to just
>> cn=linux_admin, while normal users are still able to access their web
>> site through http://foo.mdx.ac.uk/~username
>>
>> Thanks
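Tying the pam_listfile suggestion to the cn=linux_admin group the original poster wants: an added shell example, not code from anyone in this thread, that builds the /etc/valid_users allow-list from that group's members so the PAM rule and the LDAP group do not drift apart. It assumes linux_admin lives in the same access-groups OU as linux_servers, uses a placeholder server URL, and stands in a constructed LDIF result for the live ldapsearch so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread: generate /etc/valid_users, the
# allow-list read by
#   auth required pam_listfile.so item=user sense=allow file=/etc/valid_users onerr=fail
# from the members of the cn=linux_admin group, so the PAM route and the
# LDAP group stay in sync. The group DN below assumes linux_admin sits
# beside linux_servers; the server URL and the LDIF are constructed.
set -eu

ADMIN_GROUP='cn=linux_admin,ou=access-groups,ou=UNIX,ou=services,ou=staff,o=mdx'
LIST_FILE="${LIST_FILE:-/etc/valid_users}"

# Live query (placeholder server URL), returning only the uid attribute:
#   ldapsearch -x -LLL -H ldap://LDAP-SERVER-PLACEHOLDER -b o=mdx \
#       "(groupMembership=$ADMIN_GROUP)" uid
# For an offline run, sample_ldif stands in for that output (constructed).
sample_ldif() {
  cat <<'EOF'
dn: cn=alice,ou=people,o=mdx
uid: alice

dn: cn=bob,ou=people,o=mdx
uid: bob

dn: cn=alice,ou=people,o=mdx
uid: alice
EOF
}

# Reduce LDIF "uid: name" lines to one username per line, sorted and
# de-duplicated: the format pam_listfile expects for item=user.
ldif_to_userlist() {
  sed -n 's/^uid: //p' | sort -u
}

# Write the list atomically with non-world-writable permissions (pam_listfile
# refuses a world-writable file). Refuse an empty list: with sense=allow and
# onerr=fail an empty or missing file would lock every account out.
write_userlist() {
  list="$1"; out="$2"
  [ -n "$list" ] || { echo "refusing to write an empty allow-list" >&2; return 1; }
  tmp="$out.tmp.$$"
  printf '%s\n' "$list" > "$tmp"
  chmod 0644 "$tmp"
  mv "$tmp" "$out"
}

# Only touch LIST_FILE when explicitly asked: ./sync_valid_users.sh --write
[ "${1:-}" != "--write" ] || write_userlist "$(sample_ldif | ldif_to_userlist)" "$LIST_FILE"
```

Run it from cron on each host (or push the file from a central box) and the list tracks group changes without editing pam.d again.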