Hi

On Thu, Mar 29, 2001 at 10:19:44PM +1000, Russell Coker wrote:
> On Thursday 29 March 2001 18:08, Alexander Reelsen wrote:
> > On Thu, Mar 29, 2001 at 10:03:39AM +1000, Russell Coker wrote:
> > > So the question is, what attribute should I use?
> > This is the minor question IMHO.
> Not so minor if you want to avoid having your schema break other software you
> may want to run in future...

Yeah, of course. Having a clean LDAP tree and schema is mandatory.

> > > Another question is, does anyone have any other suggestions for doing
> > > such things?
> > I would like to do this as well. If you authenticate using PAM and want to
> > exclude users from using ftpd and ssh, but still give them pop3/imap
> > accounts it would be nice to have such a thing without using pam_listfile.
> > I think the easiest way would be to patch pam_ldap to support some sort of
> > query arg in the /etc/pam.d/service file. Like 'query="popd=allowed"' or
> > similar.
> Why not just make the shell /bin/false for when you want to stop ftp and ssh,
> and make the shell /bin/true (and put /bin/true in /etc/shells) to allow ftp
> but not ssh? This is the traditional method of doing such things and it
> still works...

That's not clean. And what do you do with FTP and IMAP/POP? You don't need to
have a shell for both, but you want to allow only one of those. Of course,
yeah, I could have access lists for each of those services not stored in the
LDAP tree, but always looking up elsewhere is quite a hassle.

Or am I the only one who wants such a feature? That would amaze me...
If there is the possibility to store and look up some sort of "per-service"
access list in the LDAP tree I would prefer that solution compared to the
"hey, let's check what shell the user has" one.

> I've replied to the list because I don't believe you wanted this discussion
> to be private and I think others on the list will benefit.

No problem. Accidentally hit r instead of "l".

MfG/Regards, Alexander

-- 
Alexander Reelsen http://joker.rhwd.de
[EMAIL PROTECTED] GnuPG: pub 1024D/F0D7313C sub 2048g/6AA2EDDB
[EMAIL PROTECTED] 7D44 F4E3 1993 FDDF 552E 7C88 EE9C CBD1 F0D7 313C
Securing Debian: http://joker.rhwd.de/doc/Securing-Debian-HOWTO
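
The two approaches discussed in this message, side by side, as an added example that is not part of the original message and is not pam_ldap code. The entries, the `ftpd`/`sshd` attribute names and the assumption that a POP/IMAP daemon never looks at the login shell are constructed for illustration; only the clause form `popd=allowed` comes from the message. The filter builder goes slightly beyond the text by escaping the login name (RFC 4515) before it is combined with the per-service clause.

```python
# Added example. Entries and the ftpd/sshd attribute names are constructed;
# only the clause form 'popd=allowed' comes from the message above.

ENTRIES = [
    {"uid": "alice", "loginShell": "/bin/false", "popd": ["allowed"]},
    {"uid": "bob", "loginShell": "/bin/true", "ftpd": ["allowed"]},
]

def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def service_filter(uid, query):
    """AND the login-name match with the per-service clause from the PAM file."""
    attr, _, val = query.partition("=")
    return "(&(uid=%s)(%s=%s))" % (
        escape_filter_value(uid), attr, escape_filter_value(val))

def allowed_by_attribute(entries, uid, query):
    """Apply the same condition to in-memory entries (stand-in for the search)."""
    attr, _, val = query.partition("=")
    return any(e["uid"] == uid and val in e.get(attr, []) for e in entries)

def allowed_by_shell(entries, uid, service, etc_shells=("/bin/sh", "/bin/true")):
    """Shell-based method as described in the quoted reply.
    Assumption: the POP/IMAP daemon never looks at the shell."""
    shell = next(e["loginShell"] for e in entries if e["uid"] == uid)
    if service == "sshd":
        return shell in etc_shells and shell not in ("/bin/true", "/bin/false")
    if service == "ftpd":
        return shell in etc_shells
    return True  # popd: the shell cannot be used to deny it

if __name__ == "__main__":
    for uid in ("alice", "bob"):
        for svc in ("sshd", "ftpd", "popd"):
            q = svc + "=allowed"
            print(uid, svc, service_filter(uid, q),
                  allowed_by_attribute(ENTRIES, uid, q),
                  allowed_by_shell(ENTRIES, uid, svc))
```

For `bob` the attribute check denies POP while allowing FTP, a combination the shell check cannot express.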

