PAM/ldap_pam/NFSv4: How to let users of a specific group log into a
specific box?
O. Hartmann
ohartman at zedat.fu-berlin.de
Mon Apr 27 07:49:31 UTC 2009
Hello.
I ran into a specific problem and for several months of experiments I
haven't found a solution yet.
This is what I wish to get and need:
A simple capability of selecting users into a specific group. Members of
such a group should then log into a set of specific hosts.
Infrastructure is FreeBSD 8.0-CURRENT/amd64 and some 7.2-STABLE boxes
(acting as server) as well as OpenLDAP backend.
Authentication on boxes is done via PAM/ldap_pam. But on FreeBSD's side it
is a vanilla configuration, not very sophisticated. Users authenticate
and authorize against an OpenLDAP server residing on another box.
pam_ldap in its most recent ports version offers, as the manpage claims,
a facility enabling group logins (resides in /usr/local/etc/ldap.conf):
# Group to enforce membership of
pam_groupdn cn=mygroup,ou=groups,dc=foo,dc=org?sub
# Group member attribute
#pam_member_attribute uniqueMember
pam_member_attribute memberUid
Within the DIT of the OpenLDAP server ou=groups exists and also contains
a group called 'mygroup' with a multi-value attribute (as required), in
this case memberUid.
Using pam_ldap.so as a 'required' module is not appreciated, so there
seems to me to be a problem with the stack order - that is to say: I need
an LDAP solution. pam_group doesn't work for me:
auth required/requisite pam_group.so no_warn group=mygroup
Can anybody help or have any hints?
Please remember I do not belong to the 'questions' list, so please put
me in CC.
Regards,
Oliver
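An added example (not code from the post, nor from pam_ldap itself) that models the authorization gate the quoted ldap.conf directives configure: it parses `pam_groupdn` and `pam_member_attribute` as written in the post, parses an LDIF rendering of the group entry, and answers the question pam_ldap asks at login, whether this user is a member of that group. It also exercises the mismatch the commented-out `uniqueMember` line invites: a DN-valued member attribute configured against a group that only carries `memberUid` denies everyone. The rule that `memberUid` is compared against the bare login name while `uniqueMember` is compared against the user's DN is an assumption about pam_ldap's behaviour, not something the post states; all sample data is constructed.

```python
"""Model of the pam_ldap group-membership gate configured in the post.

Added example, not pam_ldap's code. Assumption (not in the post): for
memberUid the compared value is the bare login name; for uniqueMember or
any other DN-valued attribute it is the user's full DN.
"""

# Constructed ldap.conf fragment, using the directives quoted in the post.
LDAP_CONF = """\
# Group to enforce membership of
pam_groupdn cn=mygroup,ou=groups,dc=foo,dc=org?sub
# Group member attribute
#pam_member_attribute uniqueMember
pam_member_attribute memberUid
"""

# Constructed LDIF for the group entry as the post describes it
# (memberUid is multi-valued, one value per login name).
GROUP_LDIF = """\
dn: cn=mygroup,ou=groups,dc=foo,dc=org
objectClass: posixGroup
cn: mygroup
gidNumber: 5000
memberUid: alice
memberUid: bob
"""


def parse_ldap_conf(text):
    """Return {directive: value} for uncommented 'key value' lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attr: [values]}); attrs lowercased."""
    dn = None
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        else:
            attrs.setdefault(attr, []).append(value)
    return dn, attrs


def normalize_dn(dn):
    """Lowercase and trim RDN spacing so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def split_groupdn(value):
    """Split the 'dn?scope' form used in the post into (dn, scope)."""
    dn, _, scope = value.partition("?")
    return dn.strip(), (scope.strip().lower() or None)


def is_group_member(conf_text, group_ldif, username, user_dn):
    """Mimic the pam_ldap gate: True if the user is in the configured group."""
    conf = parse_ldap_conf(conf_text)
    groupdn, _scope = split_groupdn(conf.get("pam_groupdn", ""))
    # pam_ldap's documented default member attribute is uniqueMember.
    member_attr = conf.get("pam_member_attribute", "uniqueMember").lower()
    entry_dn, attrs = parse_ldif_entry(group_ldif)
    if entry_dn is None or normalize_dn(entry_dn) != normalize_dn(groupdn):
        return False  # configured group entry not found: deny
    values = attrs.get(member_attr, [])
    if member_attr == "memberuid":
        return username in values
    # DN-valued member attribute (uniqueMember, member): compare DNs.
    return normalize_dn(user_dn) in {normalize_dn(v) for v in values}


if __name__ == "__main__":
    for user in ("alice", "carol"):
        ok = is_group_member(LDAP_CONF, GROUP_LDIF, user,
                             f"uid={user},ou=people,dc=foo,dc=org")
        print(f"{user}: {'allowed' if ok else 'denied'}")
```

Running it with the group entry as described admits `alice` and denies `carol`; switching the active directive to `pam_member_attribute uniqueMember` against the same `memberUid`-only group denies both, which is the symptom to look for when pam_ldap's group check rejects users who are visibly in the group.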