PAM/ldap_pam/NFSv4: How let users of a speicific group log
into a specific box?
Chris Cowart
ccowart at rescomp.berkeley.edu
Tue May 19 17:40:05 UTC 2009
[dropping -current from CC]
O. Hartmann wrote:
> A simple capability of selecting users into a specific group. Members of
> such a group should then log into a set of specific hosts.
> Infrastructure is FreeBSD 8.0-CURRENT/amd64 and some 7.2-STABLE boxes
> (acting as server) as well as OpenLDAP backend.
[...]
> Can anybody help or do have hints?
>
> Please remember I do not belon g to the 'questions' list, so please put
> me into your mail-cc.
I use the pam_require module from ports for this purpose.
| account sufficient /usr/local/lib/pam_require.so root @mygroup
| account required /usr/local/lib/pam_ldap.so
This allows the user root and members of mygroup to have accounts on the
box. Control falls through to pam_ldap, which is configured with
"pam_check_host_attr yes", which also grants accounts to any user with a
matching "Host: " attribute in their entry.
If I have a machine mybox.example.com, and
uid=ccowart,ou=People,dc=example,dc=com has the attribute:
Host: mybox.example.com
Then the user ccowart can login to the box without being in mygroup.
Regardless of the host attributes, mygroup members can login.
--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 834 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20090519/c4d4a43d/attachment.pgp
More information about the freebsd-questions
mailing list