There are other ways to populate the pam_groupdn that you have associated with each machine, but those all correspond to some attribute in the user's profile.

I have pam_groupdn set up like this in /etc/ldap.conf:

pam_groupdn cn=<GROUP_NAME>,ou=Systems,dc=domain,dc=com
pam_member_attribute member

cn=<GROUP_NAME>,ou=Systems,dc=domain,dc=com
cn: <GROUP_NAME>
objectClass: top
objectClass: groupOfNames
objectClass: labeledURIObject
member: uid=nobody,ou=People,dc=domain,dc=com
labeledURI: ldap:///ou=People,dc=domain,dc=com??one?(host=<type of system>)
labeledURI: ldap:///ou=People,dc=domain,dc=com??one?(gidNumber=XXXX)

So as you can see, you can have as many labeledURI attributes as you want or need. I tend to use the host name as a function of what the host does. This is how my account profile would look:

uid=<MYUSERID>,ou=People,dc=domain,dc=com
host: "cluster"
host: sysadmin

So "cluster" is a compute cluster that we have, and thus for all those machines the pam_groupdn is cn="cluster",ou=Systems,dc=domain,dc=com, and for machines where only the sysadmins log in, the pam_groupdn is cn=sysadmin,ou=Systems,dc=domain,dc=com.

As long as you can form a labeledURI: ldap:///ou=People,dc=domain,dc=com??one?(<attribute>=<value>) type search, you can use it to auto-populate the group.

Summary:
* Do not think of the host attribute as host = hostname but as host = type of machine, and remember that you can have more than one labeledURI per group to help populate the group.
* Use good gidNumbers for groups to help auto-populate groupOfNames style groups.

- Adam

On Wed, Dec 9, 2009 at 4:01 AM, Shamika Joshi <[email protected]> wrote:
> Hi Adam,
> I'm able to get host auth working by using the host attribute. But the drawback
> of that is every time there is a new machine, I have to add that host to all the
> users I want to grant access to. If I decide to do it based on group
> membership, I can use pam_groupdn, but then it does not allow multiple group
> entries there, plus it has to be managed on the client side, which is even more
> undesirable by any administrator.
>
> I went through this article but I'm not sure if it will work if I have some
> members already associated with some groups. Like ldap1 & ldap2 members of
> qagroup & ldap3 & ldap4 members of sysadmin, would this method allow me to
> limit access based on their group membership? If yes, could you briefly
> explain with an example?
>
> Thanks for your time in advance
> Shamika
>
> On Wed, Dec 9, 2009 at 9:04 AM, Adam Hough <[email protected]> wrote:
>
>> Here is the write-up that I read to figure out how to do the setup to
>> auto-restrict users to certain hosts.
>>
>> http://www.hurricanelabs.com/september2009_login_security_using_openldap_and_pam
>>
>> On Tue, Dec 8, 2009 at 4:40 PM, Howard Chu <[email protected]> wrote:
>>
>>> Shamika Joshi wrote:
>>>
>>>> Thanks Howard,
>>>> Could you point me to some good documentation or HowTos on that?
>>>
>>> Search the archives. I posted an example in here a few months ago.
>>> http://www.openldap.org/lists/openldap-technical/200905/msg00108.html
>>>
>>> --
>>> -- Howard Chu
>>> CTO, Symas Corp. http://www.symas.com
>>> Director, Highland Sun http://highlandsun.com/hyc/
>>> Chief Architect, OpenLDAP http://www.openldap.org/project/
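Added example (not code from the thread or from OpenLDAP): a small Python model of how the labeledURI values on a groupOfNames/labeledURIObject group resolve to members, the way slapd's dynlist overlay does, so an administrator can audit which accounts a host-type group actually admits before pointing pam_groupdn at it. The sample ou=People entries, DNs and gidNumber values are constructed, and only the plain (attr=value) filters used in the thread are supported.

```python
# Added example (not from the thread): resolve the effective members of a
# groupOfNames/labeledURIObject group the way slapd's dynlist overlay would,
# so an admin can audit which accounts a host-type group really admits.
# Assumption: only the single equality filters used in the thread are handled.
import re
from urllib.parse import unquote

PEOPLE = {  # constructed sample ou=People entries, keyed by DN
    "uid=adam,ou=People,dc=domain,dc=com": {"host": ["cluster", "sysadmin"], "gidNumber": ["1000"]},
    "uid=shamika,ou=People,dc=domain,dc=com": {"host": ["cluster"], "gidNumber": ["2000"]},
    "uid=ldap3,ou=People,dc=domain,dc=com": {"host": [], "gidNumber": ["2000"]},
    "uid=nobody,ou=People,dc=domain,dc=com": {"host": [], "gidNumber": ["65534"]},
}

CLUSTER_GROUP = {  # constructed group in the thread's shape: one static member plus two URIs
    "member": ["uid=nobody,ou=People,dc=domain,dc=com"],
    "labeledURI": [
        "ldap:///ou=People,dc=domain,dc=com??one?(host=cluster)",
        "ldap:///ou=People,dc=domain,dc=com??one?(gidNumber=2000)",
    ],
}

def parse_ldap_url(url):
    """Split ldap:///<base>?<attrs>?<scope>?<filter> (RFC 4516) into base, scope, filter."""
    m = re.fullmatch(r"ldap:///([^?]*)\?[^?]*\?([^?]*)\?(.*)", url)
    if not m:
        raise ValueError("unsupported LDAP URL: " + url)
    base, scope, filt = (unquote(p) for p in m.groups())
    return base, scope or "base", filt

def matches(entry, filt):
    """Evaluate one equality filter such as (host=cluster); values compare case-insensitively."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not m:
        raise ValueError("only (attr=value) filters are supported: " + filt)
    attr, value = m.groups()
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def in_scope(dn, base, scope):
    """'one' means a direct child of the base; anything else is treated as subtree."""
    return dn.split(",", 1)[1] == base if scope == "one" else dn.endswith("," + base)

def resolve_members(group, directory):
    """Return the group's effective member DNs: static members plus every URI match."""
    members = set(group.get("member", []))
    for url in group.get("labeledURI", []):
        base, scope, filt = parse_ldap_url(url)
        members.update(dn for dn, e in directory.items() if in_scope(dn, base, scope) and matches(e, filt))
    return sorted(members)
```

Feeding a real group's LDIF and a dump of ou=People through resolve_members shows at a glance who gets onto a host type once that group becomes its pam_groupdn.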
