And this is clear. This is the basic host-based authentication using pam-ldap. From what I know, however, it's not possible to set a regex as the value of the host attribute, which is my requirement. See the previous mail with the relevant example about the regex for the hostnames. Am I wrong?
Thank you
Simone

On Oct 29, 2012, at 5:26 PM, anax <[email protected]> wrote:

> if you are using pam-ldap, then it's even easier than you think, i.e. it's
> included in pam-ldap:
>
> in the ldap directory create entries like or similar:
>
> uid=ldap-host,ou=People,ou=pam-ldap,dc=mydomain,dc=com
> cn: ldap-host
> gidNumber: 102
> homeDirectory: /home/ldap-host
> host: vidigal.mydomain.com
> loginShell: /bin/bash
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> shadowLastChange: 11146
> shadowMax: 99999
> shadowWarning: 7
> uid: ldap-host
> uidNumber: 1038
> userPassword: youonlyknowit
>
> where the important attribute is host.
>
> Then, in the ldap.conf file, where you tell pam-ldap which ldap parameters
> to use, add the following line:
>
> pam_check_host_attr yes
>
> Then, in the corresponding pam-ldap file, add the following two entries:
>
> account required pam_ldap.so debug
> account required pam_unix_acct.so
>
> (check to see if you have the respective module installed in your pam-ldap
> module directory).
>
> And then, by magic, users will be allowed only on the specified host, in this
> case on vidigal.mydomain.com
>
> suomi
>
>
> On 2012-10-29 13:23, Simone Scremin wrote:
>> Hi all,
>> I'm in the process of learning the OpenLDAP authentication mechanics.
>> I'd need to know what is the best way to configure a host-based
>> authentication system that allows configuring a per-user rule to include a
>> group of hosts to which the user is allowed to log in.
>>
>> For example:
>>
>> user Bob needs to authenticate on systems:
>>
>> sys01pra
>> sys02pre
>> sys03pra
>> sys03pre
>>
>> some configuration on the LDAP server enables these hostnames for Bob with a
>> regular expression like:
>>
>> sys0*pr*
>>
>> Is it feasible?
>>
>> Thanks
>>
>> Simone
>>
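As an added illustration of the two points in this thread (not code from pam_ldap or from either poster): a small model of the `pam_check_host_attr` decision as the thread describes it, treating each `host` value as a literal hostname rather than a pattern, plus a helper that expands the glob Simone wants (`sys0*pr*`) against a constructed host inventory into explicit `host` values and emits the LDIF to add them. The inventory, the literal-match assumption and the DN are assumptions for the example.

```python
"""Model of the pam-ldap host attribute check plus a glob-to-LDIF expander.
Constructed example; the literal-match behaviour is an assumption of this model."""
import fnmatch

# Constructed inventory of managed hosts (assumption: the admin keeps such a list).
INVENTORY = ["sys01pra", "sys02pre", "sys03pra", "sys03pre", "sys04dev",
             "vidigal.mydomain.com"]


def host_attr_allows(entry, hostname):
    """Mimic pam_check_host_attr: allow the login only if one of the entry's
    'host' values equals the local hostname. Assumption for this model: the
    comparison is a literal, case-insensitive string compare, not a regex, so a
    single value such as 'sys0*pr*' never matches a real host."""
    values = entry.get("host", [])
    if isinstance(values, str):
        values = [values]
    return any(v.lower() == hostname.lower() for v in values)


def expand_glob(pattern, inventory):
    """Resolve a shell-style glob (e.g. 'sys0*pr*') against the known inventory,
    so the pattern can be stored as explicit 'host' values instead."""
    return sorted(h for h in inventory if fnmatch.fnmatchcase(h, pattern))


def ldif_add_hosts(dn, hosts):
    """Emit an LDIF modify operation that adds one 'host' value per allowed host."""
    lines = [f"dn: {dn}", "changetype: modify", "add: host"]
    lines += [f"host: {h}" for h in hosts]
    return "\n".join(lines + ["-", ""])


if __name__ == "__main__":
    dn = "uid=bob,ou=People,ou=pam-ldap,dc=mydomain,dc=com"  # assumed DN
    allowed = expand_glob("sys0*pr*", INVENTORY)
    print(ldif_add_hosts(dn, allowed))
    bob = {"host": allowed}
    for h in ("sys01pra", "sys04dev"):
        print(h, "->", "allow" if host_attr_allows(bob, h) else "deny")
```

Feed the printed LDIF to `ldapmodify`, then re-run the expansion whenever the inventory changes, since the directory holds literal names rather than the pattern.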
