[389-users] help - Host Access Based on Group Membership
Groten, Ryan
RGroten at ab.bluecross.ca
Thu Feb 16 15:12:38 UTC 2012
On RedHat Linux I did this by adding an entry to /etc/security/access.conf to allow certain groups to login.
Here's what mine looks like:
# grep -v ^# /etc/security/access.conf
+ : safull sagroup2 : ALL
- : saldap : ALL
Safull is the group that is allowed access to that server, I also put every LDAP users into saldap so by default no ldap account has access to this server (unless in safull or sagroup2).
You'll need to add a line something like this to system-auth (or module specific file if you're using it):
account required pam_access.so
From: 389-users-bounces at lists.fedoraproject.org [mailto:389-users-bounces at lists.fedoraproject.org] On Behalf Of Gilbert Martin
Sent: Wednesday, February 15, 2012 5:31 PM
To: 389-users at lists.fedoraproject.org
Subject: [389-users] help - Host Access Based on Group Membership
Hi,
I would like to control host access via groups/role? Has anyone done this? If so, can you give me some pointers in the correct direction?
I've done my own research, but found that I need to allow more than one group to log into a system. So, pam_groupdn is out of the question. The other way of doing it would be to use SSH, but this involves a lot of client configuration. The 3rd option would be to use a netgroup style in 389.
Please advice???
Thanks!
________________________________
This communication, including any attached documentation, is intended only for the person or entity to which it is addressed, and may contain confidential, personal and/or privileged information. Any unauthorized disclosure, copying, or taking action on the contents is strictly prohibited. If you have received this message in error, please contact us immediately so we may correct our records. Please then delete or destroy the original transmission and any subsequent reply.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20120216/f43fe4ee/attachment.html>
More information about the 389-users
mailing list