
Re: Antwort: Re: sufficient account management checking for locally defined users

>>>>> "Thomas" == thomas emde <thomas.emde@scaleon.de> writes:

    Thomas> I followed your discussion with interest but I have a very
    Thomas> practical problem. Is there any configuration of pam
    Thomas> (sshd) which allows me to have mixed local/ldap users
    Thomas> _with_ ldap users restricted to certain hosts using the
    Thomas> host attribute in ldap?

    Thomas> I am also using nss_ldap.

Yes.  The trick is to short-circuit when the user is local, and go to
pam_ldap otherwise:

  account    requisite    pam_unix.so
  account    sufficient   pam_local.so
  account    required     pam_ldap.so

* pam_unix doesn't need to be "requisite", but since you always expect
  it to succeed for a user in NSS, this probably isn't a bad idea.

* For pam_local.so, there was a thing called pam_local_acct_mgmt.so
  posted to the pamldap list.  Alternatively, there's a
  pam_localuser.so module in the incoming patch queue on SourceForge.
  Both just check that the user is defined in the local passwd file.

The first time I saw this solution it was posted to the pamldap list
by Paul Hilchey.  The Message-ID was <3CADFF71.3030708@ucs.ubc.ca>.

peace & happiness,
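To make the control-flag logic of the stack in the message above concrete, here is an added Python emulation (not code from this thread, nor from the PAM modules it names) of how the three-line account stack resolves for a local user, an LDAP user and an unknown user. It assumes pam_local.so succeeds only for users in the local passwd file and that pam_ldap.so's account check passes only when the current hostname is listed in the user's LDAP host attribute; the passwd entries, LDAP users and hostname are constructed sample data.

```python
# Added example: minimal emulation of PAM "account" stack evaluation, so the
# short-circuit for local users (sufficient pam_local) is visible.
# Assumption: pam_local.so behaves like pam_localuser, succeeding only when
# the user is in the local passwd file.  Assumption: pam_ldap.so's account
# check passes only if this host is in the user's LDAP "host" attribute.

# Constructed sample data (not real accounts).
LOCAL_PASSWD = {"root", "alice"}
LDAP_USERS = {
    "bob":   {"host": ["web01", "web02"]},
    "carol": {"host": ["db01"]},
}
THIS_HOST = "web01"

def pam_unix(user):
    # Succeeds when NSS (files or nss_ldap) resolves the user at all.
    return user in LOCAL_PASSWD or user in LDAP_USERS

def pam_local(user):
    # Local short-circuit: user must be in the local passwd file.
    return user in LOCAL_PASSWD

def pam_ldap(user):
    # LDAP account management: user exists in LDAP and this host is allowed.
    return user in LDAP_USERS and THIS_HOST in LDAP_USERS[user]["host"]

# The stack from the message, as (control flag, module) pairs in order.
ACCOUNT_STACK = [
    ("requisite", pam_unix),
    ("sufficient", pam_local),
    ("required", pam_ldap),
]

def run_account_stack(user, stack=ACCOUNT_STACK):
    """Apply PAM control-flag semantics; return (allowed, trace of results)."""
    trace = []
    failed = False
    for flag, module in stack:
        ok = module(user)
        trace.append(f"{module.__name__}:{'ok' if ok else 'fail'}")
        if flag == "requisite" and not ok:
            return False, trace      # requisite failure: stop immediately
        if flag == "sufficient" and ok and not failed:
            return True, trace       # sufficient success: stop, user allowed
        if flag == "required" and not ok:
            failed = True            # remember failure, keep walking stack
    return not failed, trace
```

Running `run_account_stack("alice")` returns before pam_ldap is consulted, while an LDAP user such as "bob" falls through to the host check; dropping the pam_local line turns local users into pam_ldap failures.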
