nmw at ion.le.ac.uk
Fri Oct 12 09:01:05 UTC 2007
Troy Knabe wrote:
> No, I mean a groupOfUniqueNames.

I think that should be ok. You would need to use the "group" method.
For each host you will have to set the pam_groupdn to the DN of the
entry for that host in the LDAP directory. The entry for a host should
be of (or include) class groupOfUniqueNames. For each user who is
allowed to log in to the host you will have to add an attribute
uniqueMember which is the DN (note: the DN) of the user.

In the system-auth you posted above there is no mention of pam_ldap.so.
I don't know how Kerberos and LDAP interact. In my setup I only use LDAP
and pam_ldap is in the system-auth stack. As I understand it, it is
pam_ldap which is responsible for providing host-based access; if it is
not in the stack there probably won't be any host-based access checking
performed. I don't know how Kerberos and LDAP interact so I can't say
how to set up PAM to use both.

Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw at ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
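
The host-group arrangement described in the message above, as an added example that is not part of the original post: a small offline audit that checks an ldap.conf fragment against the host's directory entry and reports whether a given user DN is listed. The host name, users and dc=example,dc=com suffix are constructed, pam_member_attribute is a pam_ldap option the post does not mention, and the DN comparison is a simplification.

```python
import re
# Constructed sample data: host, users and suffix are hypothetical.
LDAP_CONF = """\
pam_groupdn cn=host1,ou=Hosts,dc=example,dc=com
pam_member_attribute uniqueMember
"""
HOST_LDIF = """\
dn: cn=host1,ou=Hosts,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: host1
uniqueMember: uid=alice,ou=People,dc=example,dc=com
uniqueMember: bob
"""

def norm_dn(dn):
    # Simplified comparison (assumption): ignore case and spaces around , and =
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def parse_entry(ldif):
    # Handles one entry without folded lines or base64 values.
    entry = {}
    for line in ldif.splitlines():
        if ":" in line and not line.startswith("#"):
            key, value = line.split(":", 1)
            entry.setdefault(key.strip().lower(), []).append(value.strip())
    return entry

def conf_value(conf, key):
    for line in conf.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].strip()
    return None

def audit(conf, ldif, user_dn):
    """Return (listed, findings): is user_dn a member of this host's group?"""
    entry = parse_entry(ldif)
    group_dn = conf_value(conf, "pam_groupdn")
    if group_dn is None:
        return False, ["pam_groupdn is not set"]
    if norm_dn(group_dn) != norm_dn(entry.get("dn", [""])[0]):
        return False, ["pam_groupdn does not match the entry DN"]
    classes = [c.lower() for c in entry.get("objectclass", [])]
    findings = ([] if "groupofuniquenames" in classes
                else ["entry lacks objectClass groupOfUniqueNames"])
    attr = (conf_value(conf, "pam_member_attribute") or "uniqueMember").lower()
    members = entry.get(attr, [])
    findings += ["member value is not a DN: " + m for m in members if "=" not in m]
    return norm_dn(user_dn) in {norm_dn(m) for m in members}, findings
```

In the sample entry, bob is recorded by bare login name rather than by DN, so the audit flags the value and does not treat bob's DN as listed.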