pam_krb5/ldap access control with Active Directory
Scott Ruckh
sruckh at gemneye.org
Thu Sep 28 19:10:57 UTC 2006
This is what you said Yu Wang
> I use pam_access. Put user/group names you would like them to login to
> your server in the server's /etc/security/access.conf file (Linux).
>
> As to your listed situation:
>
> Server1:
> -:ALL EXCEPT root A B C:ALL
> Server2:
> -:ALL EXCEPT root A:ALL
> Server3:
> -:ALL EXCEPT root A C:ALL
> Note: your group name should not contain white space (something like
> Group A may cause problem).
>
> Make sure pam_access.so is included in your pam configuration stack and
> use "required".
>
> You can use pam_require too. It takes user and group names as arguments
> and not as granular as pam_access.
>
> Yu
>
>
>
> -----Original Message-----
> From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com]
> On Behalf Of Scott Ruckh
> Sent: Thursday, September 14, 2006 3:23 PM
> To: pam-list at redhat.com
> Subject: pam_krb5/ldap access control with Active Directory
>
> How do you control access?
>
> For example, say you have 3 groups (A, B, and C). Users of Group A
> should have access to all servers, Group B should have access to only a
> few servers, and Group C will have access to a few servers.
>
> Obviously each server's ldap.conf file could contain configurations
> using
> different AD containers to limit access, but how would you handle access
> for the below situation?
>
> Severs: Groups that have access
>
> Server 1: Group A, Group B, and Group C
> Server 2: Group A
> Server 3: Group A and Group C
>
> Thanks.
> --
> Scott
>
Thanks for the reply, I will have to give this a try. I am already using
pam_access but did not put the two peices of the puzzle together.
The example given above was truly artificial, so group names will not be a
problem.
I appreciate your input, and your documentation.
Scott
More information about the Pam-list
mailing list