RE: Host attribute

I have found it.  On line 1169 of pam_ldap.c
in the _host_ok function, there is a comparison
to see if the current host is one of the ones
allowed by the users' host(account) attribute.
If it exists.

If I have one or more host values, then I
must have the host value of the machine I'm
logging into.  If I have no host values then
the check is bypassed and I can log onto
any machine.  This check is done above and
beyond what is in the ldap.conf filter.
i.e. the filter I have below is redundant if
I have any host values on my LDAP record.

However, if I leave the filter off (I didn't
seem to need it) I've opened the box up to
anyone who doesn't have any host values at all.

Am I missing something?  It seems the only 
way to alter this behavior is to edit the
source code.

Thanks for any info,
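
The two checks described above, modelled in Python as an added example (this is not pam_ldap's own code, and the ordering of the checks and the exact-string host comparison are assumptions). It shows why the pam_filter is not redundant: with only the host-attribute check, an account that carries no host values at all is let in, while the filter's (host=...) clause fails closed for that same account.

```python
# Added example (not pam_ldap's code): a model of the host-attribute check
# and of the pam_filter from this thread, so the fail-open case and the
# setting that closes it can be compared on the same sample accounts.
# Assumptions: entries are plain dicts of attribute lists, and a host value
# must match the local hostname as an exact string.

# Constructed sample directory: three accounts on the same LDAP server.
SAMPLE_ENTRIES = {
    "alice": {"objectClass": ["posixAccount", "account"], "host": ["my.box.net"]},
    "bob":   {"objectClass": ["posixAccount", "account"], "host": ["other.box.net"]},
    "carol": {"objectClass": ["posixAccount", "account"]},   # no host attribute at all
}


def host_ok(user_hosts, local_host):
    """Model of the _host_ok behaviour described in the reply.

    One or more host values: the local box must be among them.
    No host values: the check is skipped, i.e. it fails open.
    """
    if not user_hosts:
        return True
    return local_host in user_hosts


def pam_filter_matches(entry, local_host):
    """Model of pam_filter &(objectclass=posixaccount)(host=<local box>).

    An account with no host attribute cannot satisfy (host=...), so this
    filter fails closed exactly where host_ok fails open.
    """
    classes = {oc.lower() for oc in entry.get("objectClass", [])}
    return "posixaccount" in classes and local_host in entry.get("host", [])


def login_allowed(entry, local_host, use_pam_filter):
    """Combine the two checks (order assumed): the search filter, when
    configured, decides whether the entry is found at all; the host
    attribute is then compared against the local hostname."""
    if use_pam_filter and not pam_filter_matches(entry, local_host):
        return False
    return host_ok(entry.get("host", []), local_host)


def evaluate(entries, local_host, use_pam_filter):
    """Return {user: allowed} for every account, on the given box."""
    return {user: login_allowed(entry, local_host, use_pam_filter)
            for user, entry in entries.items()}


if __name__ == "__main__":
    for use_filter in (False, True):
        print(f"pam_filter {'on ' if use_filter else 'off'}:",
              evaluate(SAMPLE_ENTRIES, "my.box.net", use_filter))
```

Running it on box my.box.net shows carol (no host values) allowed when the filter is off and denied when it is on, while alice and bob behave the same either way; that is the gap the reply is pointing at, and keeping the (host=...) clause in pam_filter is what closes it without touching the source.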

-----Original Message-----
From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com]On
Behalf Of Kelli
Sent: Tuesday, April 17, 2001 1:32 PM
To: pam-list@redhat.com
Subject: Host attribute

Hi all,

I have several Linux boxes (Mandrake 7.2)
authenticating against Netscape's LDAP 4.12.
This has been working well but I want to
change the use of the pam_filter.  I have:

pam_filter &(objectclass=posixaccount) (host=my.box.net)

in the ldap.conf file, where the host
equals the local box name.  Users then 
need to have host=my.box.net as an
attribute of the account object class.

I found that if I comment out the pam_filter,
I still get the same results as when the
line was there.  i.e. the user cannot login
unless he has the host attribute to match
the box.  Do I need to restart something?  

Does anyone know what else would be doing
this host check?

Thank you everyone,

