pam_krb5/ldap access control with Active Directory
Yu Wang
yuwang at cs.fsu.edu
Thu Sep 28 17:59:14 UTC 2006
I use pam_access. Put user/group names you would like them to login to
your server in the server's /etc/security/access.conf file (Linux).
As to your listed situation:
Server1:
-:ALL EXCEPT root A B C:ALL
Server2:
-:ALL EXCEPT root A:ALL
Server3:
-:ALL EXCEPT root A C:ALL
Note: your group name should not contain white space (something like
Group A may cause problem).
Make sure pam_access.so is included in your pam configuration stack and
use "required".
You can use pam_require too. It takes user and group names as arguments
and not as granular as pam_access.
Yu
-----Original Message-----
From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com]
On Behalf Of Scott Ruckh
Sent: Thursday, September 14, 2006 3:23 PM
To: pam-list at redhat.com
Subject: pam_krb5/ldap access control with Active Directory
How do you control access?
For example, say you have 3 groups (A, B, and C). Users of Group A
should have access to all servers, Group B should have access to only a
few servers, and Group C will have access to a few servers.
Obviously each server's ldap.conf file could contain configurations
using
different AD containers to limit access, but how would you handle access
for the below situation?
Severs: Groups that have access
Server 1: Group A, Group B, and Group C
Server 2: Group A
Server 3: Group A and Group C
Thanks.
--
Scott
_______________________________________________
Pam-list mailing list
Pam-list at redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
More information about the Pam-list
mailing list