
pam_ldap, host and authorizedService
Hello!

I've got a question about pam_ldap with the attributes "host" and "authorizedService" stored in LDAP.
Is there a way to limit users to logging in to specific hosts only through a defined service?

I set in /etc/ldap.conf

pam_check_host_attr yes
pam_check_service_attr  yes

I try to use authorizedService and it works fine if I define a service, but I want to define something like "service host".
I set in my LDAP the schemas about

If I have a user "USER1" and 2 hosts "SERVER1" and "SERVER2", I want to grant access through SSH for user USER1 only to SERVER1 and FTP only to SERVER2, but it is not working if I set something like this in LDAP:
--------------------------------------------------------------------------------------------
dn: cn=user1,ou=People,dc=altavista,dc=local
....
....
uidNumber: 1004
gidNumber: 508
homeDirectory: /home/user1
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: hostObject
loginShell: /bin/bash
host: *
authorizedService: sshd server1
authorizedService: ftp server2
--------------------------------------------------------------------------------------------

Access is granted through both FTP and SSH, but on both servers, if I set this:
--------------------------------------------------------------------------------------------
.....
host: *
authorizedService: sshd
authorizedService: ftp
....
--------------------------------------------------------------------------------------------

How can I restrict login to specific hosts only through a defined service? Do I need to patch pam_ldap? http://bugzilla.padl.com/show_bug.cgi?id=295

Best regards,
M.
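
The behaviour described above follows from pam_ldap evaluating the two attributes independently: pam_check_host_attr compares the local hostname against the "host" values (where "*" means any host), and pam_check_service_attr compares the PAM service name against the "authorizedService" values as exact strings, so a value like "sshd server1" never equals the service name "sshd". The following Python model, added here as an illustration and not taken from pam_ldap's source or from the original post, reproduces both checks on the two entries quoted above and adds a hypothetical combined "service host" matcher (the function names, the entry dicts and the combined parser are all constructed for this example):

```python
# Added example: a model of how pam_ldap evaluates "host" and "authorizedService"
# when pam_check_host_attr and pam_check_service_attr are both "yes".
# Not pam_ldap's own code; entries and function names are constructed here.

# Constructed sample entries mirroring the two LDAP records in the post.
ENTRY_SERVICE_HOST = {          # first attempt: "service host" pairs
    "host": ["*"],
    "authorizedService": ["sshd server1", "ftp server2"],
}
ENTRY_SERVICE_ONLY = {          # second attempt: plain service names
    "host": ["*"],
    "authorizedService": ["sshd", "ftp"],
}


def host_allowed(entry, hostname):
    """pam_check_host_attr: the host attribute must list this hostname or '*'."""
    return any(v == "*" or v == hostname for v in entry.get("host", []))


def service_allowed(entry, pam_service):
    """pam_check_service_attr: authorizedService must contain the PAM service
    name exactly as PAM passes it (e.g. 'sshd', 'ftp'); extra words are not parsed."""
    return pam_service in entry.get("authorizedService", [])


def pam_ldap_decision(entry, hostname, pam_service):
    """Stock behaviour: two independent checks, both must pass."""
    return host_allowed(entry, hostname) and service_allowed(entry, pam_service)


def service_at_host_allowed(entry, hostname, pam_service):
    """Hypothetical combined check (what a patch along the lines the post asks
    about would have to implement): each authorizedService value is read as
    'service [host]'; a value with no host part applies to every host."""
    for value in entry.get("authorizedService", []):
        parts = value.split()
        if not parts or parts[0] != pam_service:
            continue
        if len(parts) == 1 or parts[1] == "*" or parts[1] == hostname:
            return True
    return False


if __name__ == "__main__":
    # Show the decision matrix for both entries, both hosts and both services.
    for name, entry in (("service host", ENTRY_SERVICE_HOST),
                        ("service only", ENTRY_SERVICE_ONLY)):
        for host in ("server1", "server2"):
            for svc in ("sshd", "ftp"):
                print(f"{name:12} {host} {svc:4} "
                      f"stock={pam_ldap_decision(entry, host, svc)!s:5} "
                      f"combined={service_at_host_allowed(entry, host, svc)}")
```

Running it shows why the first entry is denied everywhere under the stock checks (no value equals "sshd" or "ftp") while the second is allowed on both servers (host is "*"), and what the combined matcher would have to do to grant SSH on server1 and FTP on server2 only.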