On 7/10/2012 2:53 PM, Jerry Feldman wrote:
I don't know LDAP that well so I am looking for an LDAP solution that
will permit certain users to use certain systems.
I use PAM.
The way I do it is to create an LDAP group for each role. Each limited
access node gets a file /etc/login.groups with root, wheel and the
permitted roles. I use the pam_listfile module to compare group
memberships of attempted logins with the login.groups file.
A variant is to create an LDAP group corresponding to each node name.
Add users who require access to a node to the associated group. Use a
PAM module to check group membership against the local host name and
reject logins that don't match.
Substitute your directory of choice for LDAP. Anything that lets you
manage group memberships will work.
--
Rich P.
_______________________________________________
Discuss mailing list
http://lists.blu.org/mailman/listinfo/discuss
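The /etc/login.groups scheme and the per-node-group variant described above, as an added example that is not part of Rich's post: the pam_listfile line that implements the check, plus shell functions that mirror its decision so a login.groups file can be tested before it gates real logins. The group names and hostnames used are constructed.

```shell
#!/bin/sh
# Added example, not Rich's own config: the pam_listfile entry that implements
# the /etc/login.groups scheme, plus shell checks that mirror its decision so a
# new login.groups file can be tested before it gates real logins.
#
# Entry for /etc/pam.d/sshd (or the distribution's common auth stack), placed
# before the pam_unix/pam_ldap line:
#   auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.groups
# item=group tests every group the user belongs to, not only the primary one;
# onerr=fail makes a missing or unreadable file deny all logins (fail closed).
# Assumed sample /etc/login.groups (constructed):
#   root
#   wheel
#   webops

# groups_permitted "GROUP GROUP ..." GROUPSFILE
# Returns 0 when any listed group is a whole line of GROUPSFILE, 1 otherwise
# (including when the file is unreadable, matching onerr=fail).
groups_permitted() {
    _groups=$1; _file=$2
    [ -r "$_file" ] || return 1
    for _g in $_groups; do
        grep -qxF -- "$_g" "$_file" && return 0
    done
    return 1
}

# user_permitted USER GROUPSFILE
# Resolves USER's groups with id(1) and applies the same test.
user_permitted() {
    groups_permitted "$(id -nG "$1" 2>/dev/null)" "$2"
}

# Variant from the post: one directory group per node, named after the host.
# node_permitted "GROUP GROUP ..." HOSTNAME returns 0 when HOSTNAME is one of the groups.
node_permitted() {
    for _g in $1; do
        [ "$_g" = "$2" ] && return 0
    done
    return 1
}

# Usage on a live host (commented so the file is safe to source):
#   user_permitted "$USER" /etc/login.groups && echo allowed || echo denied
#   node_permitted "$(id -nG)" "$(hostname)" && echo allowed || echo denied
```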