Authorization Through PAM
Once a user has been authenticated, the account management features of the pam_ldap module provide two means of restricting access to a host, independent of any other PAM modules you may have specified in the configuration file (e.g., the pam_nologin module). Which method you choose depends on whether you wish to bind a host to a group of users or bind a user to a group of hosts.
One Host and a Group of Users
The first authorization method, in which you specify a group of users who are allowed to use a particular host, ties into other information you have already migrated into the directory. The host entry for a machine (generated from /etc/hosts by the PADL migration scripts) can be extended to include a list of DNs for users (member) that are authorized to log on using pam_ldap. The following LDIF example shows how you can use the extensibleObject class to associate a group of users with a host entry:
dn: cn=pogo,ou=hosts,dc=plainjoe,dc=org
objectClass: ipHost
objectClass: device
objectClass: extensibleObject
ipHostNumber: 192.168.1.75
cn: pogo.plainjoe.org
cn: pogo
member: uid=gcarter,ou=people,dc=plainjoe,dc=org
member: uid=kristi,ou=people,dc=plainjoe,dc=org
member: uid=deryck,ou=people,dc=plainjoe,dc=org
In order to configure pam_ldap to honor this group membership, the following two lines must be added to /etc/ldap.conf:
## Define the DN of the entry to contain the groupOfUniqueNames.
pam_groupdn cn=pogo,ou=hosts,dc=plainjoe,dc=org
## Define the attribute ...
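To see what the pam_groupdn check actually decides, here is an added example (not from the book or from pam_ldap itself) that parses a constructed LDIF export of the pogo host entry and answers "is this user DN listed as a member of this host?" the way pam_ldap's account stage would. The membership attribute name defaults to member, matching the entry above; treat that default as an assumption about how pam_ldap is configured.

```python
# Constructed LDIF export of the host entry shown in the text.
HOST_LDIF = """\
dn: cn=pogo,ou=hosts,dc=plainjoe,dc=org
objectClass: ipHost
objectClass: device
objectClass: extensibleObject
ipHostNumber: 192.168.1.75
cn: pogo.plainjoe.org
cn: pogo
member: uid=gcarter,ou=people,dc=plainjoe,dc=org
member: uid=kristi,ou=people,dc=plainjoe,dc=org
member: uid=deryck,ou=people,dc=plainjoe,dc=org
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.  Keeps multi-valued
    attributes and joins continuation lines (leading single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        # Attribute types are case-insensitive in LDAP, so key them lower-cased.
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def normalize_dn(dn):
    """Case-fold and trim each RDN so that cosmetic differences in how a DN
    is written (uid=Kristi, ou=People) do not produce a false deny."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def host_allows(host_ldif, user_dn, member_attr="member"):
    """Emulate the pam_groupdn account check: the user is allowed only if
    user_dn is listed in the host entry's membership attribute.  An entry
    with no such attribute, or the wrong attribute name, allows nobody."""
    entry = parse_ldif_entry(host_ldif)
    members = {normalize_dn(m) for m in entry.get(member_attr.lower(), [])}
    return normalize_dn(user_dn) in members
```

Note the last case: if the attribute name configured in ldap.conf does not match the one used in the host entry, every login on that host is refused, which is the failure mode to check first when pam_ldap starts denying everyone.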