On Fri, Sep 16, 2011 at 04:42:11PM -0400, Dmitri Pal wrote:
> On 09/16/2011 11:19 AM, Johan Sunnerstig wrote:
> Right now I have nss-pam-ldapd (http://arthurdejong.org/nss-pam-ldapd/)
> and the MIT-based krb software that's included in Debian 6 working
> decently. By that I mean I can use it to allow logins as expected, but so
> far I haven't worked out allowing or disallowing login based on group
> membership.
[snip]
> I really just need group-based logins; sudo controls I can handle based
> on groups with Puppet, but again, if the real client route isn't too much
> work that's of course preferable.
Well, it may not be the most elegant option, but if you turn on the compat
plugin (with ipa-compat-manage), the plugin will "flatten" the groups and
show the results under cn=groups,cn=compat,$SUFFIX so that the client
doesn't need to do the recursive resolution itself. You'd then be able to
point the LDAP client at the compat area for group information, and you'd
be able to use anything that knew about POSIX groups to actually enforce
the group membership requirement. I'd use pam_succeed_if for this (once to
allow UIDs that are low enough to be local, a second time to allow members
of the group), but there are almost certainly other ways.

HTH,

Nalin
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
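A concrete form of the setup Nalin describes, added here as an example; it is not taken from the thread or from the FreeIPA project. The suffix dc=example,dc=com, the group name ssh-users, the UID cutoff of 1000 and the Debian 6 file names (/etc/nslcd.conf, /etc/pam.d/common-account) are assumptions, as is the choice to enforce the check in the account stack rather than the auth stack.

```text
# 1. On the IPA server, enable the compat plugin so nested groups are
#    flattened into plain posixGroup entries with memberUid attributes
#    under cn=groups,cn=compat,dc=example,dc=com:
#
#    ipa-compat-manage enable
#
# 2. /etc/nslcd.conf on the Debian 6 client (nss-pam-ldapd): keep users
#    where they are, but read group information from the compat tree so
#    getgrouplist() sees nested members without any recursion on the client.
uri     ldap://ipa.example.com/
base    dc=example,dc=com
base    passwd cn=users,cn=accounts,dc=example,dc=com
base    group  cn=groups,cn=compat,dc=example,dc=com
filter  group  (objectClass=posixGroup)
ssl     start_tls
tls_reqcert demand
tls_cacertfile /etc/ipa/ca.crt

# 3. /etc/pam.d/common-account: put these two lines BEFORE the pam_unix /
#    pam_ldap account entries. The first rule skips the next line
#    (success=1) for local accounts, assumed here to be uid < 1000. The
#    second rule denies everyone else who is not in ssh-users; "requisite"
#    stops the stack immediately on failure. "quiet_success" keeps the
#    denials in the log but suppresses noise on success.
account [success=1 default=ignore] pam_succeed_if.so quiet uid < 1000
account requisite                  pam_succeed_if.so quiet_success user ingroup ssh-users
```

Before relying on it, check that the flattened view is what the client actually resolves: `getent group ssh-users` should list the members of every nested group as memberUid entries, and `id someuser` should show ssh-users for a user who is only an indirect member. pam_succeed_if's `ingroup` test goes through NSS, so it sees exactly what nslcd returns from the compat tree, plus any local groups in /etc/group; a local user listed in a local ssh-users group would also pass. Keep the `uid < 1000` line, since otherwise root and other local accounts would be locked out if the directory is unreachable.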
