[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam and ldap

On Thu, 18 Sep 2003, Kevin Reck wrote:

> I've been trying to switch servers from using system accounts to use
> LDAP for authentication, which I can successfully do, but the problem is
> it seems to be an all or nothing type of switch.
> Well here's what I want to do, but I am not sure how to do it.
> On one particular server I want to only allow login by people in the
> group "allow_login", but also allow authenticated relay on this machine
> to anybody in the ldap tree.  The problem is though, if I limit by group
> only people in that group can log in and relay; and if I include
> everybody in that group, then everybody can login and relay
> Is there a a way I can tell the smtp pam.d entry to use separate rules
> then the system-auth?
> Any other suggestions if pam cannot do this yet?

I have set up a couple of machines to authenticate against LDAP.  These
were Debian Woody machines, and so did not have system-auth.  But, the
mail server only allowed ldap for pop and imap.  Only local users (admins)
could get a shell.

We didn't use SMTP auth, and I don't know if the mail server supported
SMTP auth through PAM or not.  If it did, though, I think I could have
restricted it to a certain group with pam_listfile (the group has to be
local, either /etc/group or with nssw).  As far as I know, there's no way
of directly (with options on the line in the pam config file) telling PAM
to only try to authenticate for users in certain groups.

Otherwise, the mail server probably supports authentication directly
against the LDAP server, and you can specify exactly what criteria you're
looking for, including group membership.

Restricting by recipient is a different topic entirely, and specific to
the mail server.

Marshal Newrock, unemployed Linux user in Lansing, MI
Caution: Product will be hot after heating

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]