[Fedora-directory-users] Restricting Users Login Question
Jared B. Griffith
jared.griffith at farheap.com
Tue Nov 13 02:11:27 UTC 2007
I am setting up a Fedora Directory Server for use in our company. Our problem now is that any user that has a posix account (which it is necessary for every user to have a posix account due web applications and our heavy use of Linux machines) can log into machines we do not want them having access to (ie production web servers, gateways, firewalls, etc etc etc).
Yes, we could lock it down via sshd_config on the servers with the AllowUsers statement, but that would not prevent them from being able to log in on the local machine.
I have changed my ldap.conf on my linux / bsd machines to allow only the following:
pam_groupdn cn=syadmins,ou=IT,ou=Groups,dc=company,dc=tld
# Group member attribute
pam_member_attribute uniqueMember
This does and does not work. When logging into the server with a user that is not a member of that group, I get the following warning:
You must be a uniqueMember of cn=syadmins,ou=IT,ou=Groups,dc=company,dc=tld to login
But it logs me right in.
I have posted the full ldap.conf here:
http://pastebin.com/m11b0b227
Here is the shorter version (minus all commented out stuff)
http://pastebin.com/m26f9048d
Any help or pointers would be appreciated.
--
- Thank you,
- Jared B. Griffith
- Farheap Solutions, Inc.
- Lead Systems Administrator
- California IT Department
- Email - jared.griffith at farheap.com
- Phone - 949.417.1500 ext. 266
- Cell Phone - 949.910.6542
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20071112/b075cd3d/attachment.html>
More information about the 389-users
mailing list