[dropping -current from CC] O. Hartmann wrote: > A simple capability of selecting users into a specific group. Members of > such a group should then log into a set of specific hosts. > Infrastructure is FreeBSD 8.0-CURRENT/amd64 and some 7.2-STABLE boxes > (acting as server) as well as OpenLDAP backend. [...] > Can anybody help or do have hints? > > Please remember I do not belon g to the 'questions' list, so please put > me into your mail-cc.
I use the pam_require module from ports for this purpose. | account sufficient /usr/local/lib/pam_require.so root @mygroup | account required /usr/local/lib/pam_ldap.so This allows the user root and members of mygroup to have accounts on the box. Control falls through to pam_ldap, which is configured with "pam_check_host_attr yes", which also grants accounts to any user with a matching "Host: " attribute in their entry. If I have a machine mybox.example.com, and uid=ccowart,ou=People,dc=example,dc=com has the attribute: Host: mybox.example.com Then the user ccowart can login to the box without being in mygroup. Regardless of the host attributes, mygroup members can login. -- Chris Cowart Network Technical Lead Network & Infrastructure Services, RSSP-IT UC Berkeley
Description: PGP signature