[389-users] Migrating to LDAP authentication

Steve Bernacki fds at f.copacetic.net
Wed Feb 3 01:57:40 UTC 2010


On 2/2/2010 1:18 PM, Morris, Patrick wrote:
> [snip]
> We've found it a lot easier to manage than having to add an entry per
> host to user records, but then our servers tend to fall into
> easily-defined groups, which may not be the case for everyone, and the
> way we do it also relies on the only remote access to the box being over
> SSH.
> [snip]
>    

Here's an interesting twist to the problem, while we're on the topic: 
how about supporting searching of hostEntitlement as well as POSIX 
groups, in that order?  In my organization, we have many hosts that fall 
into easily definable groups, but sometimes I'd like to give a user 
access to just one host (or a list of individual hosts) rather than 
giving them access to every host listed in a group.  pam_check_host_attr 
works for the former check, and pam_groupdn works for the latter, but 
they cannot be used together.  I don't think pam_filter can be used 
here, since there's no way to substitute the DN being authenticated in 
the search filter.

Any ideas?

Best regards,
Steve

-- 
Six year Pan-Mass Challenge veteran, and counting!
On August 7th and 8th 2010, I will be bicycling 192 miles to raise
money for the Dana Farber Cancer Institute. Please visit
http://sponsorsteve.com for more details!
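
The check order asked about in the message above (a per-host entitlement on the user's own entry first, then group membership, otherwise deny), as an added example that is not part of the original post and is not pam_ldap code. The entry layout, the `host` and `uniqueMember` attribute names, the `host_groups` mapping, and all DNs and hostnames are assumptions constructed for illustration.

```python
# Added illustration: evaluates the two checks in order over in-memory entries.
# All entries below are constructed sample data, not taken from a real directory.

def norm_dn(dn):
    """Normalise a DN for comparison: lower-case, no spaces around commas.
    Simplified on purpose: does not handle escaped commas inside RDN values."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_access(user, host_groups, hostname):
    """Return (allowed, reason) for `user` logging in to `hostname`.

    user        -- dict with 'dn' and an optional multi-valued 'host' list
    host_groups -- hypothetical mapping: hostname -> group entries granting access
    """
    host = hostname.lower()

    # 1. Per-host entitlement stored on the user entry (single-host grants).
    entitled = {h.lower() for h in user.get("host", [])}
    if host in entitled:
        return True, "host-attr"

    # 2. Membership in any group that grants access to this host.
    user_dn = norm_dn(user["dn"])
    for group in host_groups.get(host, []):
        members = {norm_dn(m) for m in group.get("uniqueMember", [])}
        if user_dn in members:
            return True, "group:" + norm_dn(group["dn"])

    # 3. Neither check matched: deny by default, including for unknown hosts.
    return False, "no-match"

# Constructed sample entries.
ALICE = {"dn": "uid=alice,ou=People,dc=example,dc=com",
         "host": ["db01.example.com"]}
BOB = {"dn": "uid=bob,ou=People,dc=example,dc=com", "host": []}
WEB_ADMINS = {"dn": "cn=web-admins,ou=Groups,dc=example,dc=com",
              "uniqueMember": ["uid=bob, ou=People, dc=example, dc=com"]}
HOST_GROUPS = {"web01.example.com": [WEB_ADMINS], "db01.example.com": []}

if __name__ == "__main__":
    for who in (ALICE, BOB):
        for h in ("web01.example.com", "db01.example.com"):
            print(who["dn"], h, check_access(who, HOST_GROUPS, h))
```

The returned reason records which rule granted access, which is what you would want in an audit log when single-host grants and group grants coexist.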



