ldap authorization

Nigel Wade nmw at ion.le.ac.uk
Fri Oct 12 09:01:05 UTC 2007

Troy Knabe wrote:
> No, I mean a groupOfUniqueNames.

I think that should be ok. You would need to use the "group" method.

For each host you will have to set the pam_groupdn to the DN of the 
entry for that host in the LDAP directory. The entry for a host should 
be of (or include) class groupOfUniqueNames. For each user who is 
allowed to login to the host you will have to add an attribute 
uniqueMember which is the DN (note: the DN) of the user.

In the system-auth you posted above there is no mention of pam_ldap.so. 
I don't know how kerberos and LDAP interact. In my setup I only use LDAP 
and pam_ldap is in the system-auth stack. As I understand it it is 
pam_ldap which is responsible for providing host based access, if it is 
not in the stack there probably won't be any host based access checking 
performed. I don't know how kerberos and LDAP interact so I can't say 
how to setup PAM to use both.

Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw at ion.le.ac.uk
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555

More information about the redhat-list mailing list