Hi,

Thanks for the reply. I found that the pam ldap module does help, like using pam_groupdn to point to a group that contains (in memberuid) the people that I want to have access. The problem with that is that the nss library still sees the entries as valid uids, which I don't want. Is there a similar module config I could use for libnss?
What defines the entries is just a group that I put them into, i.e. I create a group called emailusers and create a memberuid entry in that group for each user that I want to be visible.

On Apr 16, 2010, at 12:49 PM, Andrew Findlay wrote:

> On Fri, Apr 16, 2010 at 10:50:08AM -0400, Ken Kleiner wrote:
>
>> What I'm trying to do is set up my ldap server so that when a specific host
>> binds using a particular DN, that host only sees specific entries in the
>> ou=People tree, so that getent, id, nss, pam, etc only recognizes those
>> users.
>>
>> Is this possible? I'm stumped. Thanks.
>
> It is possible, but it may not be the best thing to do... If you want
> to restrict who can login on each machine then it may be better to use
> the authorisation facilities of the PAM LDAP module.
>
> In any case, what defines the set of entries to be seen / permitted on
> each host? There are several ways that you might represent the set:
> LDAP groups, new attributes etc, and each would result in
> different ACLs. I suspect that you do not want to define the set
> separately for each host, so some sort of group hierarchy might be
> appropriate.
>
> You will find a few examples here:
> http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
>
> Andrew
> --
> -----------------------------------------------------------------------
> | From Andrew Findlay, Skills 1st Ltd |
> | Consultant in large-scale systems, networks, and directory services |
> | http://www.skills-1st.co.uk/ +44 1628 782565 |
> -----------------------------------------------------------------------

Ken Kleiner
System Manager
University of Massachusetts Lowell
Computer Science Department
978 934 3645
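As an added illustration of the ACL approach Andrew refers to (this fragment is not from the thread or the linked paper): a slapd.conf access rule that makes entries under ou=People visible to a host's bind DN only when the entry's uid is listed in memberUid of the group the host entry points at, so that getent and id on that host see only those users. The DNs, the use of a device/simpleSecurityObject entry per host, the seeAlso attribute as the host-to-group link, and the string comparison between uid and memberUid are all assumptions made for the example.

```conf
# slapd.conf fragment (added example; dc=example,dc=com is hypothetical)
#
# Assumed directory contents, shown as LDIF in comments:
#
#   dn: cn=emailusers,ou=Groups,dc=example,dc=com
#   objectClass: posixGroup
#   cn: emailusers
#   gidNumber: 5000
#   memberUid: alice
#   memberUid: bob
#
#   dn: cn=mailhost,ou=Hosts,dc=example,dc=com
#   objectClass: device
#   objectClass: simpleSecurityObject
#   cn: mailhost
#   seeAlso: cn=emailusers,ou=Groups,dc=example,dc=com
#   userPassword: <hashed password, placeholder>
#
# On the client, nss_ldap/pam_ldap bind as the host, e.g. in /etc/ldap.conf:
#   binddn cn=mailhost,ou=Hosts,dc=example,dc=com
#   bindpw <placeholder>
#
# In a "set" clause, "user" is the bound DN and "this" is the entry being
# evaluated.  user/seeAlso/memberUid follows seeAlso from the host entry to
# its group and collects that group's memberUid values; intersecting with
# this/uid is non-empty, and read access is granted, only for entries whose
# uid is listed there.  Every other host (or an unknown bind DN) gets no
# read access at all, so the entries are invisible to nss on those hosts.
# Assumed caveat: set values are compared as strings, so memberUid values
# must match the uid values exactly (keep both lowercase).
access to dn.children="ou=People,dc=example,dc=com"
    by set="user/seeAlso/memberUid & this/uid" read
    by self read
    by anonymous auth
    by * none
```

Adding a second host is then an LDIF change only: a new host entry whose seeAlso names its own group (or the same one), with no further ACL edits.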
