On Fri, Sep 16, 2011 at 04:42:11PM -0400, Dmitri Pal wrote:
> On 09/16/2011 11:19 AM, Johan Sunnerstig wrote:
> Right now I have nss-pam-ldapd
> (http://arthurdejong.org/nss-pam-ldapd/) and the MIT-based krb
> software that's included in Debian 6 working decently. By that I mean I
> can use it to allow logins as expected, but so far I haven't worked out
> allowing or disallowing login based on group membership.
> I really just need group based logins, sudo controls I can handle based
> on groups with Puppet, but again, if the real client route isn't too
> much work that's of course preferable.
Well, it may not be the most elegant option, but if you turn on the
compat plugin (with ipa-compat-manage), the plugin will "flatten" the
groups and show the results under cn=groups,cn=compat,$SUFFIX so that
the client doesn't need to do the recursive resolution itself.
You'd then be able to point the LDAP client at the compat area for group
information, and you'd be able to use anything that knew about POSIX groups
to actually enforce the group membership requirement. I'd use
pam_succeed_if for this (once to allow UIDs that are low enough to be
local, a second time to allow members of the group), but there are
almost certainly other ways.
Freeipa-users mailing list
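The two-step pam_succeed_if arrangement described in the reply, written out as an added example (not from the original thread or the FreeIPA project); the suffix dc=example,dc=com, the group name ssh-users, the UID cut-off of 1000 and the Debian file paths are assumptions:

```text
# /etc/nslcd.conf (nss-pam-ldapd) -- assumed values, not from the thread
# Point group lookups at the compat tree so nslcd gets flattened,
# already-resolved POSIX groups instead of resolving nesting itself.
uri ldap://ipa.example.com/
base dc=example,dc=com
base group cn=groups,cn=compat,dc=example,dc=com

# /etc/pam.d/common-account (Debian) -- assumed group name and UID range
# 1) Local accounts (UID below 1000) skip the next two lines and go straight
#    to pam_unix, so breaking LDAP never locks out root or service users.
account [success=2 default=ignore] pam_succeed_if.so quiet uid < 1000
# 2) Members of the allowed group skip the deny line.
account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup ssh-users
# 3) Everyone else is refused before any further account checks run.
account requisite pam_deny.so
account required pam_unix.so
account [success=ok default=ignore] pam_ldap.so
```

Because "user ingroup" is answered by NSS, the group check only works once `getent group ssh-users` lists the LDAP members through the compat tree; verify that before relying on the stack.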