From: Chris Cowart
To: "O. Hartmann"
Cc: freebsd-questions@freebsd.org
Date: Tue, 19 May 2009 10:40:00 -0700
Subject: Re: PAM/ldap_pam/NFSv4: How let users of a specific group log into a specific box?
Message-ID: <20090519174000.GD49013@hal.rescomp.berkeley.edu>
In-Reply-To: <49F56337.8040900@zedat.fu-berlin.de>
Organization: RSSP-IT, UC Berkeley

[dropping -current from CC]

O. Hartmann wrote:
> A simple capability of selecting users into a specific group. Members of
> such a group should then log into a set of specific hosts.
> Infrastructure is FreeBSD 8.0-CURRENT/amd64 and some 7.2-STABLE boxes
> (acting as server) as well as OpenLDAP backend.
[...]
> Can anybody help or have hints?
>
> Please remember I do not belong to the 'questions' list, so please put
> me into your mail-cc.

I use the pam_require module from ports for this purpose.

| account sufficient /usr/local/lib/pam_require.so root @mygroup
| account required /usr/local/lib/pam_ldap.so

This allows the user root and members of mygroup to have accounts on the
box. Control falls through to pam_ldap, which is configured with
"pam_check_host_attr yes", which also grants accounts to any user with a
matching "Host: " attribute in their entry.

If I have a machine mybox.example.com, and
uid=ccowart,ou=People,dc=example,dc=com has the attribute:

Host: mybox.example.com

Then the user ccowart can login to the box without being in mygroup.
Regardless of the host attributes, mygroup members can login.

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
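As an added example, not from the post above and not the code of pam_require or pam_ldap, here is a small Python model of how that two-line account stack decides access under pam.conf(5) control-flag semantics (a succeeding "sufficient" module ends the stack with success unless an earlier "required" module failed; a failing "sufficient" is ignored; a failing "required" fails the stack). The hostname, directory entries and group membership are constructed.

```python
# Added example, not from the original post: a model of the quoted
# account stack with pam.conf(5) control-flag semantics. Hostnames,
# directory entries and group members below are constructed.

THIS_HOST = "mybox.example.com"

# Constructed LDAP entries: uid -> values of the "host" attribute
LDAP_ENTRIES = {
    "ccowart": ["mybox.example.com"],
    "hartmann": ["other.example.com"],
    "alice": [],
}

# Constructed group membership: group -> set of uids
GROUPS = {"mygroup": {"hartmann"}}

def pam_require(user, allowed):
    """Model of pam_require: pass if the user is listed by name or is a
    member of a listed @group."""
    for item in allowed:
        if item.startswith("@") and user in GROUPS.get(item[1:], set()):
            return True
        if item == user:
            return True
    return False

def pam_ldap_account(user, check_host_attr=True):
    """Model of pam_ldap's account phase with pam_check_host_attr yes:
    the entry must exist and carry a host value matching this box."""
    if user not in LDAP_ENTRIES:
        return False
    return (not check_host_attr) or THIS_HOST in LDAP_ENTRIES[user]

# The stack from the post; order and control flags both matter.
ACCOUNT_STACK = [
    ("sufficient", lambda u: pam_require(u, ["root", "@mygroup"])),
    ("required", pam_ldap_account),
]

def account_allowed(user, stack=ACCOUNT_STACK):
    """Walk the stack with pam.conf(5) control-flag semantics."""
    required_failed = False
    for control, module in stack:
        ok = module(user)
        if control == "sufficient" and ok and not required_failed:
            return True
        if control == "required" and not ok:
            required_failed = True
    return not required_failed
```

Note that root and mygroup members never reach pam_ldap at all, so a missing or unreachable directory entry for them does not block login on this stack.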