Hi Dan,

that trick would work in particular cases, but not sure that it would scale in a large number of lively machines environment: suppose you want to change ACL for a particular server without changing its name?
Intuitively, I would rather opt for host group management (posix or group of) within ldap? Still, issue of which container remains.

---
Olivier

2012/10/29 Dan White <[email protected]>:
> On 10/29/12 09:38 -0500, Dan White wrote:
>>
>> On 10/29/12 13:23 +0100, Simone Scremin wrote:
>>>
>>> Hi all,
>>>
>>> I'm in the process of learning the OpenLDAP authentication mechanics.
>>>
>>> I'd need to know what is the best way to configure an host based
>>> authentication system that allow to configure a per-user rule to include a
>>> group of host to which the user is allowed to login.
>>>
>>> In example:
>>>
>>> user Bob needs to authenticate on systems:
>>>
>>> sys01pra
>>> sys02pre
>>> sys03pra
>>> sys03pre
>>>
>>> some configuration on the LDAP server enable this hostnames for Bob with a
>>> regular expression like:
>>>
>>> sys0*pr*
>>>
>>> Is it feasible?
>>
>>
>> Assuming that you will be using a PAM module on each host, the answer to
>> that question will depend on which PAM module you choose, and what
>> configuration it supports.
>>
>> If that module supports placing a filter within the PAM configuration, then
>> 'host=sys0*pr*' should work.
>
>
> Or, if you wish to literally store 'sys0*pr*' within your host entry in
> ldap, your filter could be:
>
> host=sys0\*pr\*
>
> --
> Dan White
>
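
As an added illustration (not part of the thread, and not code from OpenLDAP or any PAM module), this Python sketch evaluates the two filter forms from the quoted reply against constructed entries. It assumes permitted hosts are stored in a multi-valued `host` attribute on the user entry and models only a single case-insensitive `attr=value` item; the entries, `parse_item`, `matches` and `allowed_users` are hypothetical names made up for the example.

```python
import re

def parse_item(item):
    """Split 'attr=value' into (attr, parts). parts holds the literal pieces
    between unescaped '*' wildcards; \\XX (RFC 4515) and the older
    backslash-character escapes are decoded."""
    attr, _, raw = item.partition("=")
    parts, cur, i = [], "", 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\":
            if i + 1 >= len(raw):
                raise ValueError("dangling backslash in filter")
            hexpair = re.fullmatch(r"[0-9a-fA-F]{2}", raw[i + 1:i + 3])
            cur += chr(int(hexpair.group(), 16)) if hexpair else raw[i + 1]
            i += 3 if hexpair else 2
        elif ch == "*":
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += ch
            i += 1
    parts.append(cur)
    return attr.lower(), parts

def matches(item, entry):
    """True if any value of the attribute satisfies the filter item."""
    attr, parts = parse_item(item)
    values = [v.lower() for v in entry.get(attr, [])]
    if len(parts) == 1:  # no wildcard: plain equality match
        return parts[0].lower() in values
    pattern = ".*".join(re.escape(p.lower()) for p in parts)
    return any(re.fullmatch(pattern, v, re.S) for v in values)

def allowed_users(item, entries):
    return [e["uid"][0] for e in entries if matches(item, e)]

# Constructed sample entries (assumption: permitted hosts live in 'host').
ENTRIES = [
    {"uid": ["bob"], "host": ["sys01pra", "sys02pre", "sys03pra", "sys03pre"]},
    {"uid": ["alice"], "host": ["sys0*pr*"]},  # pattern stored literally
    {"uid": ["carol"], "host": ["db01"]},
]

if __name__ == "__main__":
    for f in ("host=sys0*pr*", r"host=sys0\*pr\*", r"host=sys0\2apr\2a", "host=sys01pra"):
        print(f, "->", allowed_users(f, ENTRIES))
```

The last filter is the equality check a client would issue with its own hostname: the literally stored pattern does not match it, because the directory compares stored values and never expands them as patterns.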
