pam_ldap, host and authorizedService

mdnteo mdnteo at gmail.com
Mon Apr 7 08:54:59 UTC 2008


Hello!

I've got a question about pam_ldap with the attributes "host" and
"authorizedService" stored in LDAP.
Is there a way to limit users to logging in to specific hosts only through a
defined service?

I set in /etc/ldap.conf

pam_check_host_attr yes
pam_check_service_attr  yes

I try to use authorizedService and it works fine if I define a service, but
I want to define something like "service@host".
I set in my LDAP the schemas about

If I have user "USER1" and 2 hosts "SERVER1, SERVER2", I want to grant
access through ssh for user USER1 only to SERVER1 and FTP only to SERVER2,
but it does not work if I set in LDAP something like this:
--------------------------------------------------------------------------------------------
dn: cn=user1,ou=People,dc=altavista,dc=local
....
....
uidNumber: 1004
gidNumber: 508
homeDirectory: /home/user1
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: hostObject
loginShell: /bin/bash
host: *
authorizedService: sshd@server1
authorizedService: ftp@server2
--------------------------------------------------------------------------------------------

Access is granted through both ftp and ssh, but on both servers, if I set
this:
--------------------------------------------------------------------------------------------
.....
host: *
authorizedService: sshd
authorizedService: ftp
....
--------------------------------------------------------------------------------------------

How can I manage login to specific hosts only through a defined service? Do
I need to patch pam_ldap? http://bugzilla.padl.com/show_bug.cgi?id=295

best regards
M.
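The behaviour described in the post follows from the two ldap.conf switches being evaluated independently: pam_check_host_attr compares the "host" values against the local hostname, pam_check_service_attr compares the "authorizedService" values against the PAM service name, and both must pass. Below is an added example that models that evaluation; it is not pam_ldap's own code and not part of the original message. It assumes (not stated in the post) that "*" is a host wildcard, that host comparison is case-insensitive, that a service name must match a stored value exactly, and that a missing attribute means deny when its check is enabled. The two entries are constructed to mirror the two LDIF variants in the post.

```python
# Model of how pam_ldap combines the "host" and "authorizedService" checks
# when pam_check_host_attr and pam_check_service_attr are both enabled.
# Added example: a simplified model of the described behaviour, not
# pam_ldap's own code. Assumptions (not from the post): "*" is a wildcard
# for host, host comparison is case-insensitive, service names must match a
# stored value exactly, and a missing attribute means deny when its check
# is on. The two checks are independent and ANDed together.

from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class LdapUser:
    """Minimal stand-in for the posixAccount/hostObject entry in the post."""
    cn: str
    host: list[str] = field(default_factory=list)
    authorized_service: list[str] = field(default_factory=list)


def host_allowed(entry: LdapUser, hostname: str) -> bool:
    """pam_check_host_attr: at least one host value must match (or be '*')."""
    if not entry.host:
        return False  # check enabled but no host attribute: deny (assumed)
    return any(h == "*" or h.lower() == hostname.lower() for h in entry.host)


def service_allowed(entry: LdapUser, service: str) -> bool:
    """pam_check_service_attr: the PAM service name must appear verbatim."""
    if not entry.authorized_service:
        return False  # check enabled but no authorizedService: deny (assumed)
    return service in entry.authorized_service


def login_allowed(entry: LdapUser, hostname: str, service: str) -> bool:
    """Both checks are evaluated separately; access needs both to pass."""
    return host_allowed(entry, hostname) and service_allowed(entry, service)


# Constructed entries mirroring the two LDIF variants from the post.
USER_SERVICE_AT_HOST = LdapUser(
    cn="user1", host=["*"],
    authorized_service=["sshd@server1", "ftp@server2"])
USER_PLAIN_SERVICE = LdapUser(
    cn="user1", host=["*"],
    authorized_service=["sshd", "ftp"])


def access_matrix(entry: LdapUser) -> dict[tuple[str, str], bool]:
    """Evaluate every host/service pair the post cares about."""
    return {(h, s): login_allowed(entry, h, s)
            for h in ("server1", "server2") for s in ("sshd", "ftp")}


if __name__ == "__main__":
    for label, entry in (("service@host form", USER_SERVICE_AT_HOST),
                         ("plain service form", USER_PLAIN_SERVICE)):
        print(label)
        for (h, s), ok in access_matrix(entry).items():
            print(f"  {s:4s} on {h}: {'allow' if ok else 'deny'}")
```

Running it shows the two outcomes from the post: with "sshd@server1" the PAM service name "sshd" never equals a stored value, so every login is denied; with plain "sshd" and "ftp" the service check passes and "host: *" passes everywhere, so both services are allowed on both servers. Neither attribute carries the pairing of service with host, which is why the combination cannot be expressed with these two checks alone.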