Host-based authentication with OpenLDAP and FreeBSD

O. Hartmann ohartman at
Fri Nov 14 04:35:23 PST 2008

I have an OT question and maybe some of the FreeBSD server admins here 
can help me out.

Our setup has several Linux and FreeBSD boxes; users are kept in 
OpenLDAP without any further services such as Kerberos V etc.

The situation(s):

We have locally and personally administered workstations where the local 
admin should decide whether a specific user can log in or not while 
these machines are still bound to LDAP.

Also, the centralized LDAP admin should be able to decide which users or 
groups of users can log in to which group of hosts. This is the case with 
our students' workstations, which should be accessible to every user 
belonging to the scientific staff and to students, too, but students must 
not log in to workstations of the scientific staff.

Having nss_ldap and pam_ldap installed on every single FreeBSD 
server/box that can be accessed, I found in etc/ldap.conf 
the tags 'pam_filter' and 'pam_check_host_attr'. Setting the latter to 
'yes' implies having the 'host' attribute in each user's object located 
in OpenLDAP's DIT for the specific domain. But objectClass=account seems 
to conflict with objectClass=organizationalPeople, which is a must in our 
configuration, so the host attribute is not worth any further investigation.

I tried to put users like 'students' in a special object of 
objectClass=groupOfNames, put that object along with the ordinary 
users in the ou=users object, and tried to use pam_filter 
(&(objectClass=posixAccount)(objectClass=groupOfNames) ...) to find ANDed 
matches of a user existing in the DIT AND existing in a special 
groupOfNames object for a special set of hosts, naming this object like 

dn: cn=logonGrpCASSINI,ou=users,dc=foo
cn: logonGrpCASSINI
objectClass: groupOfNames
objectClass: top
member: uid=...
member: uid=...

Well, I never had success with pam_filter due to my lack of knowledge of 
how to filter and how LDAP looks up attributes, but far more 
important is: does this work in principle?

The big question at this moment is whether it is possible to 'group' 
login authentications/permissions via LDAP without the host attribute 
and simply perform the separation via the standard tools 
nss_ldap/pam_ldap/OpenLDAP as given.

Are there other techniques usable with FreeBSD and OpenLDAP?

Well, I'm a little bit desperate at the moment; if someone has hints on 
further reading on that subject, any hint or tip is welcome.
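The following is an added, offline model of the two checks the post is circling around; it is not code from the original post nor from pam_ldap, and all directory content in it is constructed. It shows why a pam_filter of the form (&(objectClass=posixAccount)(objectClass=groupOfNames)) cannot match: pam_ldap ANDs pam_filter into the search for the user's own entry, so such a filter only matches an entry that carries both object classes, which no ordinary user entry does. Grouping logins per host without the host attribute does work in principle, but as a second lookup: find the user's entry, then require the user's DN to appear in the member attribute of the logonGrp* object that a given workstation is bound to. In PADL pam_ldap's ldap.conf the corresponding settings are, to my understanding, pam_groupdn (the group DN to enforce membership of) and pam_member_attribute (member for groupOfNames, uniqueMember for groupOfUniqueNames); check the commented ldap.conf shipped with your pam_ldap version. The user DNs, the STAFF group and the host-to-group table below are assumptions for the example.

```python
"""Offline model of the per-host login checks discussed in the post.

Constructed sample directory content, not data from a real DIT. The group
object follows the logonGrp* shape from the post; the user entries, their
DNs and the STAFF group are made up for the example.
"""

SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=foo
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/alice
cn: Alice

dn: uid=bob,ou=users,dc=foo
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/bob
cn: Bob

dn: cn=logonGrpCASSINI,ou=users,dc=foo
cn: logonGrpCASSINI
objectClass: groupOfNames
objectClass: top
member: uid=alice,ou=users,dc=foo
member: uid=bob,ou=users,dc=foo

dn: cn=logonGrpSTAFF,ou=users,dc=foo
cn: logonGrpSTAFF
objectClass: groupOfNames
objectClass: top
member: uid=alice,ou=users,dc=foo
"""


def parse_ldif(text):
    """Parse simple LDIF (one 'attr: value' per line, no continuation lines)
    into {dn: {attr_lowercase: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


def find_user(entries, uid):
    """First step, as pam_ldap does it: locate the login's own entry, i.e.
    the entry matching (&(objectClass=posixAccount)(uid=<login>)).
    Returns (dn, attrs) or None."""
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "posixaccount" in classes and uid in attrs.get("uid", []):
            return dn, attrs
    return None


def allowed_by_group(entries, uid, group_dn, member_attr="member"):
    """Second step, modelling a pam_groupdn/pam_member_attribute check: the
    user's DN must be listed in the per-host group's member attribute.
    Missing user, missing group or user outside the group all deny.
    DN comparison is an exact string match here (assumption: member values
    are written exactly as the user DNs are)."""
    user = find_user(entries, uid)
    group = entries.get(group_dn)
    if user is None or group is None:
        return False
    return user[0] in group.get(member_attr.lower(), [])


def anded_filter_matches(entries, uid):
    """Why the filter from the post cannot work: applied to the user's own
    entry, (&(objectClass=posixAccount)(objectClass=groupOfNames)) requires
    both classes on that single entry."""
    user = find_user(entries, uid)
    if user is None:
        return False
    classes = {c.lower() for c in user[1].get("objectclass", [])}
    return {"posixaccount", "groupofnames"} <= classes


# Per-host policy (assumed): which logon group a workstation is bound to.
# In a deployment this is the pam_groupdn line in that host's ldap.conf.
HOST_POLICY = {
    "cassini": "cn=logonGrpCASSINI,ou=users,dc=foo",
    "staff-ws1": "cn=logonGrpSTAFF,ou=users,dc=foo",
}


def login_permitted(entries, uid, hostname):
    """Fail closed: a host with no policy admits nobody."""
    group_dn = HOST_POLICY.get(hostname)
    if group_dn is None:
        return False
    return allowed_by_group(entries, uid, group_dn)


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for uid, host in [("alice", "cassini"), ("bob", "cassini"),
                      ("bob", "staff-ws1"), ("mallory", "cassini")]:
        verdict = "allow" if login_permitted(ENTRIES, uid, host) else "deny"
        print(f"{uid:8s} on {host:10s}: {verdict}")
    print("ANDed filter matches alice?", anded_filter_matches(ENTRIES, "alice"))
```

Two caveats a practitioner would want alongside this. First, the check is enforced by the client: whoever is root on a workstation edits its ldap.conf, so a group the central LDAP admin chose is only binding on hosts whose configuration the central admin controls; the local admin's veto from the post comes for free, the central admin's mandate does not. Second, nss_ldap still resolves every directory user on every host, so this gates login (the pam_ldap account/auth step), not the existence of the account; any service that authenticates outside that PAM stack is not covered.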


More information about the freebsd-questions mailing list