On 12/29/2014 03:40 PM, Watson, Dan wrote:
Hi All,
I've lurked in the list history and cannot find anyone saying they have gotten
login restrictions working with Solaris 10 u8. Has anyone here successfully
configured login restrictions on Solaris 10 u8 through u11? I'm looking for
specific instructions from someone who has gotten this to work before.
The two main routes to login restrictions I could find online are netgroups or
conditional LDAP queries in ldapclient.
I initially tried netgroups but wasn't sure how to troubleshoot when it didn't
work. There don't seem to be any user-land tools to query netgroups, and further
investigation turned up an issue with OpenLDAP. It seems the built-in Solaris
10 LDAP client expects the RFC2307bis schema and not the OpenLDAP standard RFC2307
(explanation here:
http://www.openldap.org/lists/openldap-software/200501/msg00309.html). Does
anyone know if this issue applies to IPA? Or how I check?
The alternative of passing a restrictive query to ldapclient seems like a good route but doesn't seem
to work. The common solution when using the old SunOne directory server was to pass ldapclient
(the command-line LDAP configuration tool) an option like
"passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)" (from
here: https://community.oracle.com/thread/2014224?start=0&tstart=0), which is supposed to restrict
account checking to only people in ou=people,o=myorg,c=de who are also members of
cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this doesn't seem to work in IPA, first of all
because there is no "isMemberof" attribute on a user, but it also doesn't work on other
attributes like uid or uidNumber. One possible explanation I've found is that these attributes are not
indexed, but I have no idea if this is correct or how to add them to be indexed.
Has anyone else solved this? I just need to be able to allow only a specific user group
to log in to the host. Unfortunately the ssh directive "AllowGroups" is not
good enough; this has to be system-wide, as we also have Samba and some other services
that rely on system authentication.
Can anyone be of some help?
Thanks!
Dan
Did you try this?
https://fedorahosted.org/freeipa/ticket/4633
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.