Date:      Tue, 19 May 2009 10:40:00 -0700
From:      Chris Cowart <ccowart@rescomp.berkeley.edu>
To:        "O. Hartmann" <ohartman@zedat.fu-berlin.de>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: PAM/ldap_pam/NFSv4: How let users of a specific group log into a specific box?
Message-ID:  <20090519174000.GD49013@hal.rescomp.berkeley.edu>
In-Reply-To: <49F56337.8040900@zedat.fu-berlin.de>
References:  <49F56337.8040900@zedat.fu-berlin.de>



[dropping -current from CC]

O. Hartmann wrote:
> A simple capability of selecting users into a specific group. Members of
> such a group should then log into a set of specific hosts.
> Infrastructure is FreeBSD 8.0-CURRENT/amd64 and some 7.2-STABLE boxes
> (acting as server) as well as OpenLDAP backend.
[...]
> Can anybody help or do you have hints?
>
> Please remember I do not belong to the 'questions' list, so please put
> me into your mail-cc.

I use the pam_require module from ports for this purpose.

| account     sufficient  /usr/local/lib/pam_require.so root @mygroup
| account     required    /usr/local/lib/pam_ldap.so

This allows the user root and members of mygroup to have accounts on the
box. Control falls through to pam_ldap, which is configured with
"pam_check_host_attr yes", which also grants accounts to any user with a
matching "Host: " attribute in their entry.

If I have a machine mybox.example.com, and
uid=ccowart,ou=People,dc=example,dc=com has the attribute:
Host: mybox.example.com

Then the user ccowart can log in to the box without being in mygroup.
Regardless of the host attributes, mygroup members can log in.

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
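The stack above works because of how PAM combines the "sufficient" and "required" control flags: a sufficient module that succeeds ends the account phase with success only if no earlier required module has already failed, while a failing sufficient module is simply ignored. The following is an added illustration (not code from the post, from FreeBSD, or from the pam_require/pam_ldap modules) that models that evaluation in Python. The users, the mygroup membership, the LDAP "host" attribute values and the PAM result names are constructed sample data; the real modules consult getgrnam(3) and the LDAP directory instead. The example goes one step past the post by also evaluating the two lines in the opposite order, which shows why the pam_require line has to come first.

```python
"""Model of the PAM 'account' stack discussed in the post:

    account  sufficient  pam_require.so root @mygroup
    account  required    pam_ldap.so      (with pam_check_host_attr yes)

Added illustration; not code from the post, FreeBSD, pam_require or pam_ldap.
All data below is constructed sample data standing in for getgrnam/LDAP.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# Constructed: local/LDAP group membership (stands in for getgrnam(3)).
GROUPS = {"mygroup": {"alice", "bob"}}

# Constructed: the "host" attribute of each LDAP entry (stands in for the directory).
LDAP_HOST_ATTR = {
    "ccowart": {"mybox.example.com"},
    "dave": {"otherbox.example.com"},
    "alice": set(),  # in mygroup, but no host attribute at all
}


def pam_require(user, allowed, groups=GROUPS):
    """pam_require: succeed iff the user is listed by name or is a member
    of a listed @group; anyone else is denied."""
    for entry in allowed:
        if entry.startswith("@"):
            if user in groups.get(entry[1:], set()):
                return PAM_SUCCESS
        elif entry == user:
            return PAM_SUCCESS
    return PAM_PERM_DENIED


def pam_ldap_account(user, host, host_attr=LDAP_HOST_ATTR):
    """pam_ldap account check with pam_check_host_attr yes: the entry must
    carry a host attribute equal to this machine's name; unknown users and
    users without a matching host value are denied."""
    if host in host_attr.get(user, set()):
        return PAM_SUCCESS
    return PAM_PERM_DENIED


# The stack from the post: pam_require first, pam_ldap second.
STACK = [
    ("sufficient", lambda u, h: pam_require(u, ["root", "@mygroup"])),
    ("required", lambda u, h: pam_ldap_account(u, h)),
]

# Same two lines in the other order, to show why order matters.
SWAPPED_STACK = [
    ("required", lambda u, h: pam_ldap_account(u, h)),
    ("sufficient", lambda u, h: pam_require(u, ["root", "@mygroup"])),
]


def run_account_stack(user, host, stack=STACK):
    """Evaluate a PAM account stack using the 'sufficient'/'required' rules:
    sufficient: success ends the stack with success unless an earlier
                required module has already failed; failure is ignored.
    required:   failure is remembered, but the remaining modules still run.
    If the end of the stack is reached, the result is success unless some
    required module failed."""
    required_failed = False
    for control, module in stack:
        result = module(user, host)
        if control == "sufficient":
            if result == PAM_SUCCESS and not required_failed:
                return PAM_SUCCESS
        elif control == "required":
            if result != PAM_SUCCESS:
                required_failed = True
        else:
            raise ValueError("unsupported control flag: %s" % control)
    return PAM_PERM_DENIED if required_failed else PAM_SUCCESS


if __name__ == "__main__":
    for user in ("root", "alice", "ccowart", "dave"):
        print("%-8s mybox: %-15s swapped: %s" % (
            user,
            run_account_stack(user, "mybox.example.com"),
            run_account_stack(user, "mybox.example.com", SWAPPED_STACK)))
```

With the post's order, alice (in mygroup, no host attribute) and ccowart (host attribute matches) both get an account on mybox.example.com, while dave (host attribute for a different box) is denied. With the lines swapped, pam_ldap's failure for alice is recorded before pam_require runs, so her "sufficient" success no longer short-circuits the stack and she is denied despite her group membership. Note that this only covers the account phase; the auth and session stacks are evaluated separately.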




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090519174000.GD49013>