[dropping -current from CC]

O. Hartmann wrote:
> A simple capability of selecting users into a specific group. Members of 
> such a group should then log into a set of specific hosts.
> Infrastructure is FreeBSD 8.0-CURRENT/amd64 and some 7.2-STABLE boxes 
> (acting as server) as well as OpenLDAP backend.
> Can anybody help or do have hints?
> Please remember I do not belon g to the 'questions' list, so please put 
> me into your mail-cc.

I use the pam_require module from ports for this purpose.

| account     sufficient  /usr/local/lib/pam_require.so root @mygroup
| account     required    /usr/local/lib/pam_ldap.so

This allows the user root and members of mygroup to have accounts on the
box. Control falls through to pam_ldap, which is configured with
"pam_check_host_attr yes", which also grants accounts to any user with a
matching "Host: " attribute in their entry. 

If I have a machine mybox.example.com, and
uid=ccowart,ou=People,dc=example,dc=com has the attribute:
Host: mybox.example.com

Then the user ccowart can login to the box without being in mygroup.
Regardless of the host attributes, mygroup members can login.

Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Attachment: pgpul6JU4wA7f.pgp
Description: PGP signature

Reply via email to