Host-based authentication with OpenLDAP and FreeBSD
ohartman at zedat.fu-berlin.de
Fri Nov 14 04:35:23 PST 2008
I have an OT question and maybe some of the FreeBSD server admins here
can help me out.
Our setup has several Linux and FreeBSD boxes; users are kept in
OpenLDAP without any further service like Kerberos V etc.
We have locally and personally administered workstations where the local
admin should decide whether a specific user can log in or not, while
these machines are still bound to LDAP.
Also, the centralized LDAP admin should be able to decide which users or
groups of users can log in to which group of hosts. This is the case with
our students' workstations, which should be accessible to every user
belonging to the scientific staff and to students, too, but students must
not log in to workstations of the scientific staff.
Having nss_ldap and pam_ldap installed on every single FreeBSD
server/box that can be accessed, I found in /etc/ldap.conf
the tags 'pam_filter' and 'pam_check_host_attr'. Setting the latter to
'yes' implies having the 'host' attribute in each user's object located
in OpenLDAP's DIT for the specific domain. But objectClass=account seems
to conflict with objectClass=organizationalPeople, which is a must in our
configuration, so I did not investigate the host attribute any further.
I tried to put users like 'students' in a special object of
objectClass=groupOfNames, put that object along with the ordinary
users in the ou=users object, and tried to use pam_filter
(&(objectClass=posixAccount)(objectClass=groupOfNames) ...) to find ANDed
matches of a user existing in the DIT AND existing in a special
groupOfNames object for a special set of hosts, and name this object like
Well, I never had success with pam_filter due to my lack of knowledge of
how to filter and how LDAP looks up attributes, but far more
important is: does this work in principle?
The big question at this moment is whether it is possible to 'group'
login authentications/permissions via LDAP without the host attribute
and simply perform the separation via the standard tools
nss_ldap/pam_ldap/OpenLDAP as given.
Are there other techniques usable with FreeBSD and OpenLDAP?
Well, I'm a little bit desperate at the moment; if someone has hints for
further reading on that subject, any hint or tip is welcome.
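Added illustration, not part of the original post and not pam_ldap's own code: a small Python model of what pam_ldap does with pam_filter. It ANDs the filter with the uid lookup and evaluates the result against the user's own entry, so a filter that mentions objectClass=groupOfNames can never match a posixAccount entry, whereas a per-host filter on a `host` attribute carried by the user entry does. The entries, hostnames and the per-host ldap.conf filter are constructed for the example; it also assumes the `host` attribute comes from the auxiliary `hostObject` class in nss_ldap's ldapns.schema, so it can sit beside organizationalPerson without needing the structural `account` class.

```python
"""Model of pam_ldap's pam_filter handling (constructed example).

pam_ldap searches (&(uid=<login>)<pam_filter>) under the user base and
accepts the login only if exactly one entry comes back. The filter is
therefore evaluated against the user's entry, not against group objects.
"""

# Constructed directory content for the example. 'host' is assumed to be
# provided by the auxiliary objectClass hostObject (nss_ldap ldapns.schema);
# a value of '*' is the conventional "any host" marker pam_check_host_attr uses.
ENTRIES = {
    "uid=alice,ou=users,dc=example,dc=org": {
        "objectClass": {"person", "organizationalPerson", "inetOrgPerson",
                        "posixAccount", "hostObject"},
        "uid": {"alice"}, "host": {"staff-ws01", "student-ws01"},
    },
    "uid=bob,ou=users,dc=example,dc=org": {
        "objectClass": {"person", "organizationalPerson", "inetOrgPerson",
                        "posixAccount", "hostObject"},
        "uid": {"bob"}, "host": {"student-ws01"},
    },
    "uid=carol,ou=users,dc=example,dc=org": {
        "objectClass": {"person", "organizationalPerson", "inetOrgPerson",
                        "posixAccount", "hostObject"},
        "uid": {"carol"}, "host": {"*"},
    },
    "cn=students,ou=users,dc=example,dc=org": {
        "objectClass": {"groupOfNames"}, "cn": {"students"},
        "member": {"uid=bob,ou=users,dc=example,dc=org"},
    },
}


def split_top(s):
    """Split '(a)(b)(c)' into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def parse(f):
    """Parse the RFC 4515 subset pam_filter needs: &, |, !, and attr=value."""
    f = f.strip()
    if not (f.startswith("(") and f.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % f)
    body = f[1:-1]
    if body[:1] in ("&", "|", "!"):
        return (body[0], [parse(p) for p in split_top(body[1:])])
    attr, _, value = body.partition("=")
    return ("=", attr, value)


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    lowered = {k.lower(): v for k, v in entry.items()}
    values = {v.lower() for v in lowered.get(attr.lower(), ())}
    if value == "*":
        return bool(values)                      # presence filter
    literal = value.replace("\\2a", "*").replace("\\*", "*")  # escaped '*'
    return literal.lower() in values


def pam_ldap_lookup(uid, pam_filter=None):
    """Return the DNs that (&(uid=<uid>)<pam_filter>) would match."""
    f = "(uid=%s)" % uid if not pam_filter else "(&(uid=%s)%s)" % (uid, pam_filter)
    tree = parse(f)
    return [dn for dn, e in ENTRIES.items() if matches(tree, e)]


def host_filter(hostname):
    """The pam_filter line a local admin would put in this host's ldap.conf:
    allow users whose host attribute names this machine or is '*'."""
    return "(|(host=%s)(host=\\*))" % hostname


def can_login(uid, hostname):
    """pam_ldap accepts the login only when exactly one entry matches."""
    return len(pam_ldap_lookup(uid, host_filter(hostname))) == 1


if __name__ == "__main__":
    for user, host in (("alice", "staff-ws01"), ("bob", "staff-ws01"),
                       ("bob", "student-ws01"), ("carol", "staff-ws01")):
        print(user, host, can_login(user, host))
    # The groupOfNames approach: the AND is evaluated on bob's entry, which
    # is not a groupOfNames, so nothing matches and the login fails.
    print(pam_ldap_lookup("bob", "(&(objectClass=posixAccount)(objectClass=groupOfNames))"))
```

The per-host `host_filter` string is exactly the knob a local workstation admin controls in that machine's ldap.conf, while the central LDAP admin controls which `host` values each user entry carries; the two decisions compose without any change to the user objects' structural class.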