On Mon, Nov 21, 2011 at 3:39 PM, Jayavant Patil <[email protected]> wrote:

> On Mon, Nov 21, 2011 at 1:34 PM, Buchan Milne <[email protected]> wrote:
>
> > One method would be to add the hostObject objectclass, from ldapns.schema
> > (shipped with pam_ldap source), and add a host attribute with the 'hostname'
> > of the host for each host the user should be allowed to log in to, and set
> > 'pam_check_host_attr yes' in /etc/ldap.conf (see 'man pam_ldap').
> >
> > Of course, this depends on which pam module you are using, and there are
> > other options.
>
> I tried by installing the pam_ldap module and configuring the ldap.conf file,
> but it is still allowing access to the hosts not mentioned in the host
> attribute. All the user information is available on the client node not
> specified in the host attribute of that user (checked by firing $getent passwd).
>
> What is desired is that on such client nodes (not specified in the host
> attribute of <user-name>), $su <user-name> should show *su: <user-name> does
> not exist*.
>
> Which of the services in /etc/pam.d need to be modified for proper user
> authorization?
>
> > Regards,
> > Buchan
>
> --
> Thanks & Regards,
> Jayavant Ningoji Patil
> Engineer: System Software
> Computational Research Laboratories Ltd.
> Pune-411 004.
> Maharashtra, India.
> +91 9923536030.

Hi,

I got the desired solution. Thanks Buchan!!!

My next query is as follows:

Suppose we have 1000 hosts and we want to give 'user1' access to 999 hosts
(with 1 restricted host). Then, in such a case, we need to specify all 999
permitted host names in the .ldif file. There are wildcards like '*', which
stands for all hosts, and '!', which stands for excluding a host, e.g.

1. host: * will allow access to all client nodes.
2. host: !n1000 will not allow access to the n1000 client node.

In the above mentioned scenario, when I specify the following it doesn't work:

host: *
host: !n1000

It will allow access to all 1000 hosts. When I specify the following:

host: *,!n1000

it is restricting access to all 1000 hosts.

Does anybody know how to use these wildcards (*, !) to get the desired solution?

--
Thanks & Regards,
Jayavant Ningoji Patil
Engineer: System Software
Computational Research Laboratories Ltd.
Pune-411 004.
Maharashtra, India.
+91 9923536030.
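As an added illustration of the method Buchan describes in the quoted text (this is not part of the thread), the LDIF change below adds the hostObject objectclass to a user entry together with one host value per permitted host, which is the explicit-listing form Jayavant reports as working. The DN, base and host names are constructed placeholders.

```ldif
# Constructed example: permit user1 to log in on two named hosts only.
# The DN and host names are placeholders; replace them with your own.
dn: uid=user1,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: hostObject
-
add: host
host: n0001
host: n0002
```

With 'pam_check_host_attr yes' in /etc/ldap.conf, pam_ldap rejects the account on any host whose name is not among the entry's host values. This is a PAM account check only: nss_ldap still returns the user to getent passwd on every host, so the restriction is visible at login or su rather than in NSS lookups.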
