Hello, I posted a thread last week about authentication, and got a lot of useful advice - thanks!
I am trying to centralise the authentication and I keep ending up with hardcoded things in config files all over the place. Not ideal - there must be a better way :)

For example: I would like some users to be able to log in (locally and by ssh) to some, but not all, machines. To do this, I have to create an ldap_filter that hardcodes the machine name, something like this:

    pam_filter |(host=THISHOSTNAME)(host=\*)

So a user must have the host:somehostname attribute (or host:* attribute) to log in to a given server. This works, but doesn't scale.

1. Can THISHOSTNAME be replaced by a variable so that it doesn't have to be hardcoded?

So next I moved to groups. In pseudo-ldap:

    pam_filter |(hostGroup=SOMEGROUPNAME)

So users in a given hostgroup can log in. This could work too, but it means hardcoding the SOMEGROUPNAME information in a config file local to the server.

2. Rather than hardcoding SOMEGROUPNAME, could it be looked up based on the hostname of the machine?

So now onto netgroups. "Netgroups can do this!" I hear you cry. Yes, they can *almost* do what I want, but I still have to decide on each server which groups are allowed to log in and bung the information in a local config file:

    + : @QAUsers@@QASystems : 10.

would do it. But I'd like to avoid this; it's _another_ local file that contains authentication information that should be in the central authentication store. I could hack around this by doing some sort of automated copy, but if authentication is meant to be in one place, it should be in one place. Or I *could* write a script that fetches some information out of ldap periodically, combines it with the "hostname" command and re-creates the system-config-authentication file periodically, but these are all hacks.

I must be overlooking something. This final step can't really be missing: can I really not have a host lookup

Can anyone nudge me in the right direction?
Slightly frustrated,
Simon

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
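To make the three access checks in the post concrete, here is an added offline model (example code, not from the original post or from pam_ldap): it builds the host filter with RFC 4515 escaping of the hostname, evaluates it against a user entry's host attribute values, and evaluates a netgroup rule against constructed netgroup triples. The NETGROUPS table and the reading of @QAUsers@@QASystems as "user in QAUsers and host in QASystems" are assumptions made here.

```python
# Constructed NIS-style netgroups: name -> (host, user, domain) triples;
# an empty field in a triple is a wildcard. Sample data, not real groups.
NETGROUPS = {
    "QAUsers":   [("", "alice", ""), ("", "bob", "")],
    "QASystems": [("qa01", "", ""), ("qa02", "", "")],
}


def ldap_escape(value):
    """Escape a value for embedding in an LDAP search filter (RFC 4515),
    so a hostname containing filter metacharacters cannot alter the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def host_filter(hostname):
    """The post's pam_filter: the user's 'host' attribute names this machine
    or carries the literal wildcard '*' (escaped as \\2a per RFC 4515)."""
    return f"(|(host={ldap_escape(hostname)})(host=\\2a))"


def host_attr_allows(host_values, hostname):
    """Evaluate host_filter() against one user entry's 'host' attribute values."""
    return "*" in host_values or hostname in host_values


def in_netgroup(name, host=None, user=None):
    """Netgroup membership; an empty triple field matches anything."""
    for h, u, _domain in NETGROUPS.get(name, []):
        if host is not None and h and h != host:
            continue
        if user is not None and u and u != user:
            continue
        return True
    return False


def netgroup_rule_allows(user_ng, host_ng, user, hostname):
    """The post's '@QAUsers@@QASystems' rule, read here (assumption) as:
    the user is in the user netgroup AND this host is in the host netgroup."""
    return in_netgroup(user_ng, user=user) and in_netgroup(host_ng, host=hostname)


if __name__ == "__main__":
    print(host_filter("qa01"))
    print(host_attr_allows(["qa01"], "qa01"), host_attr_allows(["*"], "db01"))
    print(netgroup_rule_allows("QAUsers", "QASystems", "alice", "qa02"))
```

Run against a server's real hostname, the two evaluators show which of the three approaches admits a given user on that host without touching the live directory.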
