[plug] PAM/LDAP
Padraig MacIain
draoidh at iinet.net.au
Tue May 16 15:01:05 WST 2006
On Tue, May 16, 2006 at 12:46:07PM +0800, Patrick Coleman wrote:
> Hi,
> I've been setting up LDAP recently across some servers of mine. Both
> are debian stable.
>
> server one is a shell server, and users can login to it using SSH. It
> has been configured to use a LDAP backend (on another server, 'server
> three') and everything appears to be working great (after much tearing
> of hair and gnashing of teeth on my part) - users can login, change
> their passwords etc.
>
> server two provides various services to support server one, such as
> NFS home directories, but only admin users should have shell accounts
> on it. I have configured it the same as server one, and it works, but
> my problem is access control - I want to be able to limit SSH access
> to a subset of users, specifically everyone in 'wheel'.
>
> There are various options in /etc/pam_ldap.conf that look like they do
> exactly what I want - pam_filter, pam_check_host_attr and pam_groupdn
> - but none of these appears to do anything. I'm thinking that perhaps
> it may be something to do with my /etc/pam.d config.
>
> Has anyone done a similar sort of setup? I might also try the openldap
> mailing lists, and I'll post here if I get any solutions.
>
You might want to use a pam_filter line in your pam_ldap.conf file
something like
pam_filter (groupSpecial=wheel)
or something equivalent, as far as your LDAP schema goes. This'll make pam_ldap
only accept once the filter is passed (as well as really authenticating).
Padraig // www.nimheil.org
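As an added illustration (not part of either poster's message), here is one way the pieces of this setup fit together: a pam_ldap.conf fragment and the matching account lines for sshd. The DNs, the server name and the shellAccess attribute are placeholders I made up for the example; substitute your own. The key caveat is that pam_filter is ANDed with the uid lookup on the user's own entry, so the attribute it names must live on that user object, whereas pam_groupdn checks membership of a separate group entry, which is the closer fit for "everyone in wheel". My understanding is also that pam_ldap enforces pam_groupdn and pam_check_host_attr from the account stack, so if sshd's PAM config never calls pam_ldap.so in the account phase those options silently do nothing, which would match the symptom described above.

```conf
# /etc/pam_ldap.conf (fragment; base, uri and DNs are placeholders)
base dc=example,dc=org
uri ldap://server-three.example.org/

# Option A: restrict by an attribute on the user's own entry.
# pam_filter is combined with the uid search, so the attribute must be
# present on the user object itself. shellAccess is a constructed
# attribute name for this example, not part of any standard schema.
pam_filter shellAccess=wheel

# Option B: restrict by membership in a group entry instead.
# pam_member_attribute names the attribute of the group that lists users
# (memberUid for posixGroup entries).
pam_groupdn cn=wheel,ou=Groups,dc=example,dc=org
pam_member_attribute memberUid

# /etc/pam.d/sshd (relevant lines only)
# The account line is what makes pam_ldap apply its group/host checks.
# user_unknown=ignore lets accounts that exist only locally (e.g. root)
# fall through to pam_unix instead of being refused outright.
auth     sufficient pam_ldap.so
auth     required   pam_unix.so use_first_pass
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
account  required   pam_unix.so
```

With this in place a user who authenticates correctly but is not listed in cn=wheel (or does not carry the filtered attribute) is refused at the account stage, which is the behaviour asked for on server two; users who do match log in as before.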