[389-users] Migrating to LDAP authentication
Edward Capriolo
edlinuxguru at gmail.com
Tue Feb 2 16:09:02 UTC 2010
On Tue, Feb 2, 2010 at 9:19 AM, Sean Carolan <scarolan at gmail.com> wrote:
> Wow, fast reply Muzzol!
>
>>> 2. If there are some users who only need access to a small number of
>>> servers, how would you handle that situation?
>> modify /etc/security/limits.conf to your needs
>
> What about /etc/security/access? Do you think this is the best way to
> accomplish this? Assume that I have several hundred servers, but need
> to grant temporary access to a developer on a few machines to look at
> some log files. It seems like overkill to change a file on all
> servers just to allow him access to one (or a few) servers.
>
>> i always create users in a default generic group, but that has nothing
>> to do with your error.
>>> id: cannot find name for group ID 5001
>> you probably have nsswitch.conf missconfigured.
>
> I assigned the gid on the LDAP server but it does not exist on the
> client machine. I have a script to be able to create private groups
> on all servers, was just curious how other people dealt with this
> situation. I may create a generic "operators" group for new users who
> need access to these systems, as you mentioned.
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
#2
a.there is also a setting in /etc/ldap.conf called pam_groupdn. This
lets you define an LDAP object with multiple membe attributes to
control who can login. I find it easy to use
b. SSH can be told to only accept logins from a posix group (same deal
just handled at a different part of the stack)
More information about the 389-users
mailing list