On Mon, 2014-03-03 at 22:05 +0100, Luca Capello wrote:
> I was adding LDAP authentication against services (i.e. PADL's
> pam_ldap's pam_check_service_attr) using the example in nslcd.conf.5:
>
> --8<---------------cut here---------------start------------->8---
> pam_authz_search FILTER
>
> For example, to check that the user has a proper
> authorizedService value if the attribute is present (this almost
> emulates the pam_check_service_attr option in PADL's pam_ldap):
>
> (&(objectClass=posixAccount)(uid=$username)\
>   (|(authorizedService=$service)(!(authorizedService=*))))
> --8<---------------cut here---------------end--------------->8---
The description in the manual page could be a little clearer, but the
example should allow the authorisation to continue if no
authorizedService attribute is present and only check the attribute if
it is present.

I did some testing and it seems that this only works correctly if the
attribute is known (at least in OpenLDAP's slapd):

  ldapsearch -h localhost -x -b 'ou=people,dc=test,dc=tld' \
    '(&(objectClass=posixAccount)(!(title=*)))' uid

returns all users without a title attribute, but changing the attribute
to xtitle in the search filter returns no entries at all.

If you want the attribute to be required, the filter should be:

  (&(objectClass=posixAccount)(uid=$username)(authorizedService=$service))

Hope this helps,

-- 
-- arthur - [email protected] - http://people.debian.org/~adejong --
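The behaviour reported above (a filter on an unknown attribute such as xtitle matching nothing, even when negated) follows from the three-valued filter semantics of RFC 4511 section 4.5.1.7: an assertion on an attribute type the server does not know evaluates to Undefined, NOT(Undefined) is still Undefined, AND is Undefined unless every term is TRUE, and only a filter that evaluates to TRUE matches an entry. The following is an added example, not code from nss-pam-ldapd or from either poster. It is a toy evaluator covering only the operators used in the two filters quoted in this thread (&, |, !, equality and presence), run against a constructed set of entries and a constructed list of "known" attribute types; the $username/$service substitution mirrors what nslcd does itself and is included here only so the templates can be exercised end to end.

```python
"""Toy three-valued evaluation of the pam_authz_search filters from this thread.

Added example, not nss-pam-ldapd code. Implements the TRUE/FALSE/Undefined
rules of RFC 4511 4.5.1.7 for &, |, !, equality and presence, so that the
"unknown attribute matches nothing" observation can be reproduced offline.
"""
import re

TRUE, FALSE, UNDEFINED = "TRUE", "FALSE", "UNDEFINED"

# Constructed server schema: attribute types the server knows (lowercased).
KNOWN_ATTRS = {"objectclass", "uid", "title", "authorizedservice"}

# Constructed directory entries; attribute names are lowercased keys.
ENTRIES = {
    "uid=alice": {"objectclass": ["posixAccount"], "uid": ["alice"],
                  "authorizedservice": ["sshd", "imap"]},
    "uid=bob": {"objectclass": ["posixAccount"], "uid": ["bob"]},   # no authorizedService
    "uid=carol": {"objectclass": ["posixAccount"], "uid": ["carol"],
                  "title": ["admin"]},
}

# The two filter templates quoted in the thread.
PERMISSIVE = ("(&(objectClass=posixAccount)(uid=$username)"
              "(|(authorizedService=$service)(!(authorizedService=*))))")
STRICT = "(&(objectClass=posixAccount)(uid=$username)(authorizedService=$service))"


def escape(value):
    """RFC 4515 escaping so a substituted value cannot change filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def unescape(value):
    """Reverse RFC 4515 hex escapes in an assertion value."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def substitute(template, **variables):
    """Fill $name placeholders in a filter template with escaped values."""
    return re.sub(r"\$(\w+)", lambda m: escape(variables[m.group(1)]), template)


def parse(s, i=0):
    """Recursive-descent parse of one filter starting at s[i] == '('."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|!":
        op, i = s[i], i + 1
        kids = []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        assert s[i] == ")", "unterminated compound filter"
        return (op, kids), i + 1
    end = s.index(")", i)                       # values are escaped, so no raw ')'
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1


def evaluate(node, entry):
    """Evaluate a parsed filter against one entry with RFC 4511 semantics."""
    kind = node[0]
    if kind == "=":
        _, attr, value = node
        if attr not in KNOWN_ATTRS:
            return UNDEFINED                    # unknown attribute type
        values = entry.get(attr, [])
        if value == "*":                        # presence test
            return TRUE if values else FALSE
        wanted = unescape(value).lower()
        return TRUE if wanted in (v.lower() for v in values) else FALSE
    results = [evaluate(kid, entry) for kid in node[1]]
    if kind == "!":
        return {TRUE: FALSE, FALSE: TRUE}.get(results[0], UNDEFINED)
    if kind == "&":
        if all(r == TRUE for r in results):
            return TRUE
        return FALSE if any(r == FALSE for r in results) else UNDEFINED
    if any(r == TRUE for r in results):         # "|"
        return TRUE
    return FALSE if all(r == FALSE for r in results) else UNDEFINED


def search(filter_text):
    """DNs of entries the filter evaluates to TRUE for (Undefined is not a match)."""
    node, _ = parse(filter_text)
    return sorted(dn for dn, e in ENTRIES.items() if evaluate(node, e) == TRUE)


def authorized(template, username, service):
    """pam_authz_search semantics: the user is authorised if the search finds an entry."""
    return bool(search(substitute(template, username=username, service=service)))


if __name__ == "__main__":
    print("bob/sshd permissive:", authorized(PERMISSIVE, "bob", "sshd"))
    print("bob/sshd strict:    ", authorized(STRICT, "bob", "sshd"))
    print("no title: ", search("(&(objectClass=posixAccount)(!(title=*)))"))
    print("no xtitle:", search("(&(objectClass=posixAccount)(!(xtitle=*)))"))
```

Run stand-alone, the script shows the two points made in the thread: bob, who has no authorizedService attribute, is authorised by the permissive filter and refused by the strict one, and the negated presence test on the unknown attribute xtitle returns no entries at all because the whole filter evaluates to Undefined rather than TRUE.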