<html><head><style type='text/css'>body { font-family: 'Arial'; font-size: 8pt; color: #000000}</style></head><body>I am setting up a Fedora Directory Server for use in our company. Our problem now is that any user that has a posix account (which it is necessary for every user to have a posix account due web applications and our heavy use of Linux machines) can log into machines we do not want them having access to (ie production web servers, gateways, firewalls, etc etc etc). <br>Yes, we could lock it down via sshd_config on the servers with the AllowUsers statement, but that would not prevent them from being able to log in on the local machine.<br>I have changed my ldap.conf on my linux / bsd machines to allow only the following:<br><br>pam_groupdn cn=syadmins,ou=IT,ou=Groups,dc=company,dc=tld<br># Group member attribute<br>pam_member_attribute uniqueMember<br><br>This does and does not work. When logging into the server with a user that is not a member of that group, I get the following warning:<br>You must be a uniqueMember of cn=syadmins,ou=IT,ou=Groups,dc=company,dc=tld to login<br>But it logs me right in.<br>I have posted the full ldap.conf here:<br>http://pastebin.com/m11b0b227<br>Here is the shorter version (minus all commented out stuff)<br>http://pastebin.com/m26f9048d<br><br>Any help or pointers would be appreciated. <br><br><br><br>-- <br>- Thank you,<br>- Jared B. Griffith<br>- Farheap Solutions, Inc.<br>- Lead Systems Administrator<br>- California IT Department<br>- Email - jared.griffith@farheap.com<br>- Phone - 949.417.1500 ext. 266<br>- Cell Phone - 949.910.6542<br></body></html>