[389-users] Migrating to LDAP authentication
Steve Bernacki
fds at f.copacetic.net
Wed Feb 3 01:57:40 UTC 2010
On 2/2/2010 1:18 PM, Morris, Patrick wrote:
> [snip]
> We've found it a lot easier to manage than having to add an entry per
> host to user records, but then our servers tend to fall into
> easily-defined groups, which may not be the case for everyone, and the
> way we do it also relies on the only remote access to the box being over
> SSH.
> [snip]
>
Here's an interesting twist to the problem, while we're on the topic:
how about supporting searching of hostEntitlement as well as POSIX
groups, in that order? In my organization, we have many hosts that fall
into easily definable groups, but sometimes I'd like to give a user
access to just one host (or a list of individual hosts) rather than
giving them access to every host listed in a group. pam_check_host_attr
works for the former check, and pam_groupdn works for the latter, but
they cannot be used together. I don't think pam_filter can be used
here, since there's no way to substitute the DN being authenticated in
the search filter.
Any ideas?
Best regards,
Steve
--
Six year Pan-Mass Challenge veteran, and counting!
On August 7th and 8th 2010, I will be bicycling 192 miles to raise
money for the Dana Farber Cancer Institute. Please visit
http://sponsorsteve.com for more details!
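The check order asked about in the message above (per-user host attribute first, then group membership, otherwise deny), modelled as an added example that is not part of the original post and is not pam_ldap code. The attribute names `host` and `uniqueMember`, the function names, and all sample entries are assumptions constructed for illustration.

```python
def norm_dn(dn):
    # Simplified DN comparison: lower-case and drop spaces around commas.
    # (Does not handle escaped commas inside RDN values.)
    return ",".join(part.strip().lower() for part in dn.split(","))


def access_decision(user, hostname, host_groups,
                    host_attr="host", member_attr="uniqueMember"):
    """Return (allowed, reason): per-user host attribute first, then groups."""
    wanted = hostname.lower()
    # 1. Individual grant: the host is listed on the user's own entry.
    hosts = [h.lower() for h in user["attrs"].get(host_attr, [])]
    if wanted in hosts:
        return True, "host attribute"
    # 2. Group grant: the user's DN is a member of a group tied to this host.
    user_dn = norm_dn(user["dn"])
    for group in host_groups:
        members = {norm_dn(m) for m in group["attrs"].get(member_attr, [])}
        if user_dn in members:
            return True, "group " + group["dn"]
    # 3. Neither check matched: deny by default.
    return False, "default deny"


# Constructed sample entries (hypothetical directory contents).
WEBSERVERS = {"dn": "cn=webservers,ou=Groups,dc=example,dc=com",
              "attrs": {"uniqueMember": ["uid=bob, ou=People, dc=example, dc=com"]}}
ALICE = {"dn": "uid=alice,ou=People,dc=example,dc=com",
         "attrs": {"host": ["DB01.example.com"]}}
BOB = {"dn": "uid=bob,ou=People,dc=example,dc=com", "attrs": {}}
CAROL = {"dn": "uid=carol,ou=People,dc=example,dc=com", "attrs": {}}

# Which groups grant access to which host (hypothetical mapping).
HOST_GROUPS = {"web01.example.com": [WEBSERVERS], "db01.example.com": []}

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        for host, groups in HOST_GROUPS.items():
            print(user["dn"], host, access_decision(user, host, groups))
```

Returning the reason alongside the decision lets an access review show whether a login was allowed by an individual host grant or by a group.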