Hi,
I would like to control host access via groups/role? Has anyone done this?
If so, can you give me some pointers in the correct direction?
I've done my own research, but found that I need to allow more than one
group to log into a system. So, pam_groupdn is out of the question. The
other way of doing it would be to use SSH, but this involves a lot of
client configuration. The 3rd option would be to use a netgroup style in
389.
Please advise???
Thanks!
On RedHat Linux I did this by adding an entry to /etc/security/access.conf to allow
certain groups to login.
Here's what mine looks like:
# grep -v ^# /etc/security/access.conf
+ : safull sagroup2 : ALL
- : saldap : ALL
Safull is the group that is allowed access to that server. I also put every LDAP user
into saldap, so by default no LDAP account has access to this server (unless it is in safull or
sagroup2).
You'll need to add a line something like this to system-auth (or module specific file
if you're using it):
account required pam_access.so
From: 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Gilbert Martin
Sent: Wednesday, February 15, 2012 5:31 PM
To: 389-users(a)lists.fedoraproject.org
Subject: [389-users] help - Host Access Based on Group Membership
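The reply above relies on two properties of pam_access that are easy to get wrong: rules in access.conf are evaluated top to bottom and the first matching line decides, and if no line matches at all the module grants access. The following evaluator is an added illustration, not code from the poster or from the 389 project; it parses the same two rules quoted in the reply and replays them against a few constructed accounts. It deliberately simplifies pam_access: the second field is matched against the login name or any of the user's groups (the real module also consults the primary group unless `nodefgroup` is set), and origins are matched only as `ALL` or an exact string (the real module also understands `LOCAL`, domain suffixes and network prefixes).

```python
"""Replay /etc/security/access.conf rules the way pam_access evaluates them.

Added example (not from the mailing-list post): first matching rule wins,
and a user that matches no rule at all is PERMITTED, which is why the
reply above puts every LDAP account into a catch-all group that is denied.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample, mirroring the two rules quoted in the reply.
SAMPLE_ACCESS_CONF = """\
# comments and blank lines are ignored by pam_access
+ : safull sagroup2 : ALL
- : saldap : ALL
"""


@dataclass
class Rule:
    permit: bool                 # '+' grants, '-' denies
    who: list[str]               # user names, group names, or ALL
    origins: list[str]           # ttys/hosts, or ALL (simplified here)
    except_who: list[str] = field(default_factory=list)  # names after EXCEPT


def parse_access_conf(text: str) -> list[Rule]:
    """Parse 'permission : users/groups : origins' lines, keeping file order."""
    rules: list[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        perm, who_field, origin_field = parts
        who = who_field.split()
        except_who: list[str] = []
        if "EXCEPT" in who:                      # e.g. "ALL EXCEPT root"
            cut = who.index("EXCEPT")
            who, except_who = who[:cut], who[cut + 1:]
        rules.append(Rule(perm == "+", who, origin_field.split(), except_who))
    return rules


def _who_matches(tokens: list[str], user: str, groups: set[str]) -> bool:
    # Simplification: a token matches the login name or any group membership.
    return any(t == "ALL" or t == user or t in groups for t in tokens)


def _origin_matches(tokens: list[str], origin: str) -> bool:
    # Simplification: only ALL or an exact tty/host string is supported.
    return any(t == "ALL" or t == origin for t in tokens)


def check_access(rules: list[Rule], user: str, groups, origin: str = "ALL"):
    """Return (allowed, index_of_matching_rule). No match => (True, None)."""
    memberships = set(groups)
    for idx, rule in enumerate(rules):
        if not _who_matches(rule.who, user, memberships):
            continue
        if rule.except_who and _who_matches(rule.except_who, user, memberships):
            continue
        if not _origin_matches(rule.origins, origin):
            continue
        return rule.permit, idx          # first match decides
    return True, None                    # pam_access default: permit


def evaluate_sample() -> dict[str, tuple[bool, int | None]]:
    """Run constructed accounts through the sample rules."""
    rules = parse_access_conf(SAMPLE_ACCESS_CONF)
    accounts = {
        "alice": ["safull", "saldap"],    # admin: in safull AND the catch-all
        "bob": ["saldap"],                # ordinary LDAP user, catch-all only
        "carol": ["sagroup2", "saldap"],  # second permitted group
        "dave": [],                       # account in none of the listed groups
    }
    return {u: check_access(rules, u, g) for u, g in accounts.items()}


if __name__ == "__main__":
    for user, (allowed, idx) in evaluate_sample().items():
        via = f"rule {idx}" if idx is not None else "no rule matched (default permit)"
        print(f"{user:6} -> {'ALLOW' if allowed else 'DENY':5} via {via}")
```

Running it shows alice and carol admitted by the first line even though both are also in saldap, bob denied by the second line, and dave admitted without matching anything. That last case is the one to check when auditing such a setup: any account that is not in the catch-all group, local or LDAP, falls through to pam_access's default of granting access, so the reply's approach only closes the door for users who were actually placed in saldap.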