PAM/ldap_pam/NFSv4: How to let users of a specific group log into a specific box?

Chris Cowart ccowart at rescomp.berkeley.edu
Tue May 19 17:40:05 UTC 2009


[dropping -current from CC]

O. Hartmann wrote:
> A simple capability of selecting users into a specific group. Members of 
> such a group should then log into a set of specific hosts.
> Infrastructure is FreeBSD 8.0-CURRENT/amd64 and some 7.2-STABLE boxes 
> (acting as server) as well as OpenLDAP backend.
[...]
> Can anybody help or have hints?
> 
> Please remember I do not belong to the 'questions' list, so please put 
> me into your mail-cc.

I use the pam_require module from ports for this purpose.

| account     sufficient  /usr/local/lib/pam_require.so root @mygroup
| account     required    /usr/local/lib/pam_ldap.so

This allows the user root and members of mygroup to have accounts on the
box. Control falls through to pam_ldap, which is configured with
"pam_check_host_attr yes", which also grants accounts to any user with a
matching "Host: " attribute in their entry. 

If I have a machine mybox.example.com, and
uid=ccowart,ou=People,dc=example,dc=com has the attribute:
Host: mybox.example.com

Then the user ccowart can login to the box without being in mygroup.
Regardless of the host attributes, mygroup members can login.

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
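To make the control-flag logic of the two-line stack above concrete, here is an added illustration (not PAM itself, and not the pam_require or pam_ldap source): a small model that walks the posted "account" stack with the standard "sufficient"/"required" semantics against constructed group and LDAP data, so you can see who is allowed on which host and why. The group table, the LDAP host attributes, the user names other than root/ccowart, and the hostnames other than mybox.example.com are all made up for the example; on a real box pam_require consults the system group database (so mygroup may be local or resolved through nss_ldap) and pam_ldap queries the directory. The last block also shows why the order of the two lines matters: with pam_ldap "required" listed first, a "sufficient" pam_require success no longer overrides a missing host attribute.

```python
"""Model of the posted PAM 'account' stack:

    account  sufficient  pam_require.so  root @mygroup
    account  required    pam_ldap.so     (pam_check_host_attr yes)

Added example only; the data tables are constructed sample input."""

from typing import Callable, Dict, List, Tuple

# Constructed sample data standing in for the group database (assumption).
GROUPS: Dict[str, set] = {"mygroup": {"alice", "bob"}}

# Constructed sample data standing in for each LDAP entry's host attribute.
# A missing key means the user has no entry in the directory at all.
LDAP_HOST_ATTR: Dict[str, List[str]] = {
    "ccowart": ["mybox.example.com"],    # host attribute present
    "alice":   [],                       # LDAP user with no host attribute
    "dave":    ["otherbox.example.com"],  # host attribute for a different box
    "root":    [],
}


def pam_require(user: str, args: List[str], hostname: str) -> bool:
    """Model of pam_require: succeed if the user is named directly or is a
    member of any group given as @group."""
    for tok in args:
        if tok.startswith("@") and user in GROUPS.get(tok[1:], set()):
            return True
        if tok == user:
            return True
    return False


def pam_ldap(user: str, args: List[str], hostname: str) -> bool:
    """Model of pam_ldap account management with pam_check_host_attr yes:
    the user's entry must exist and its host attribute must name this host."""
    hosts = LDAP_HOST_ATTR.get(user)
    if hosts is None:
        return False
    return hostname in hosts


MODULES: Dict[str, Callable[[str, List[str], str], bool]] = {
    "pam_require.so": pam_require,
    "pam_ldap.so": pam_ldap,
}

# The stack as posted: (control flag, module, module arguments).
STACK: List[Tuple[str, str, List[str]]] = [
    ("sufficient", "pam_require.so", ["root", "@mygroup"]),
    ("required",   "pam_ldap.so",    []),
]

# Same two lines in the opposite order, to show the order dependence.
SWAPPED_STACK: List[Tuple[str, str, List[str]]] = list(reversed(STACK))


def evaluate(user: str, hostname: str, stack=STACK) -> Tuple[bool, List[str]]:
    """Walk the stack the way libpam applies the two control flags:
    - sufficient: success ends the walk with 'allow' unless an earlier
      required module already failed; failure is ignored and the walk goes on.
    - required: failure is remembered and the final answer is 'deny', but the
      remaining modules still run.
    Returns (allowed, trace) where trace lists each module's verdict."""
    required_failed = False
    trace: List[str] = []
    for control, module, args in stack:
        ok = MODULES[module](user, args, hostname)
        trace.append(f"{control:10} {module:15} -> {'ok' if ok else 'fail'}")
        if control == "sufficient" and ok and not required_failed:
            trace.append("allow: sufficient module succeeded")
            return True, trace
        if control == "required" and not ok:
            required_failed = True
    if required_failed:
        trace.append("deny: a required module failed")
        return False, trace
    trace.append("allow: every required module succeeded")
    return True, trace


if __name__ == "__main__":
    cases = [
        ("root", "mybox.example.com"),      # named in pam_require
        ("alice", "anybox.example.com"),    # in mygroup, no host attribute
        ("ccowart", "mybox.example.com"),   # host attribute matches
        ("ccowart", "otherbox.example.com"),
        ("dave", "mybox.example.com"),
        ("mallory", "mybox.example.com"),   # not in LDAP at all
    ]
    for user, host in cases:
        allowed, trace = evaluate(user, host)
        print(f"{user}@{host}: {'ALLOW' if allowed else 'DENY'}")
        for line in trace:
            print("   ", line)
    # Order matters: with pam_ldap 'required' first, alice is now denied.
    print("swapped order, alice:", evaluate("alice", "anybox.example.com", SWAPPED_STACK)[0])
```

The model's point for a practitioner: "sufficient" only short-circuits when nothing marked "required" has failed yet, so the pam_require line must stay above pam_ldap for group members without a host attribute to get in, and any user who is neither listed in pam_require nor carries a matching host attribute is denied by the required pam_ldap line.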