On 12/29/2014 4:22 PM, Pal, Dmitri wrote:
>On 12/29/2014 03:40 PM, Watson, Dan wrote:
>> Hi All,
>> I've lurked in the list history and cannot find anyone saying they have 
>> gotten login restrictions working with Solaris 10 u8. Has anyone on here 
>> successfully configured login restrictions on Solaris 10 u8 through u11? I'm 
>> looking for specific instructions from someone who has gotten this to work 
>> before.
>> The two main routes to login restrictions I could find online are Netgroups 
>> or conditional ldap queries in ldapclient
>> I initially tried netgroups but wasn't sure how to troubleshoot when it 
>> didn't work. There don't seem to be any user-land tools to query netgroups, 
>> and further investigation turned up an issue with OpenLDAP. It seems the 
>> built-in Solaris 10 LDAP client expects schema RFC2307bis and not the 
>> OpenLDAP standard RFC2307 (explanation here 
>> http://www.openldap.org/lists/openldap-software/200501/msg00309.html). Does 
>> anyone know if this issue applies to IPA? Or how I check?
>> The alternative of passing a restrictive query to ldapclient seems like a 
>> good route but doesn't seem to work. The common solution when using the old 
>> SunOne directory server was to pass the ldapclient (command-line LDAP 
>> configuration tool) an option like 
>> "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)"
>> (from here https://community.oracle.com/thread/2014224?start=0&tstart=0), 
>> which is supposed to restrict account checking to only people in 
>> ou=people,o=myorg,c=de who are also members of 
>> cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this doesn't seem to 
>> work in IPA, first of all because there is no "isMemberof" attribute on a 
>> user, but it also doesn't work on other attributes like uid or uidNumber. One 
>> possible explanation I've found is that these attributes are not indexed, 
>> but I have no idea if this is correct or how to add them to be indexed.
>> Has anyone else solved this? I just need to be able to allow only a specific 
>> user group to log in to the host; unfortunately the ssh directive 
>> "AllowGroups" is not good enough, as this has to be system-wide: we also have 
>> Samba and some other services that rely on system authentication.
>> Can anyone be of some help?
>> Thanks!
>> Dan
>Did you try this?
That ticket and all the ones referenced in it are about setting up basic 
connectivity to IPA, including secure connections. They do not deal with login 
restrictions at all. I am already logging in and authenticating fine, but I am 
lacking any way to restrict logins to a subset of all user accounts in IPA.

>Thank you,
>Dmitri Pal
>Sr. Engineering Manager IdM portfolio
>Red Hat, Inc.

Can you direct me to finding out if the schema matches RFC2307bis? Or how to 
modify it to work with RFC2307bis?

Has anyone gotten LDAP restrictions working? Or netgroups?


Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project