Hi Steve,

The most common method used in limiting login access of specific users to specific machines is through the use of the pam_list (formerly pam_netgroup) PAM module.
pam_list supports both allow and deny lists with files or netgroups. The DUA schema (now RFC 4876) that specified service search descriptors did not intend them for use in limiting user access as you are trying to do. Check out the pam_list module instead. Service search descriptors and attribute mappings are meant to help translate non-RFC 2307 LDAP schemas/attributes/DIT layouts into the form defined by RFC 2307/RFC 2307bis.

Doug.

Steve Hoyle wrote:
> Hi,
>
> I have configured Solaris client to AD integration (from
> http://blog.scottlowe.org), the client is running Solaris 10 to Windows
> 2003 (R1) with SFU 3.5 installed.
>
> Everything works fine with the ldapclient file below (some values
> changed for obvious reasons):
>
> ldapclient manual
> -a credentialLevel=proxy \
> -a authenticationMethod=simple \
> -a proxyDN=cn=proxyuser,ou=Solaris,dc=example,dc=com \
> -a proxyPassword=<Password of proxyuser> \
> -a defaultSearchBase=dc=example,dc=com \
> -a domainName=EXAMPLE.COM \
> -a defaultServerList=xx.xx.127.253 \
> -a attributeMap=group:userpassword=userPassword \
> -a attributeMap=group:memberuid=memberUid \
> -a attributeMap=group:gidnumber=gidNumber \
> -a attributeMap=passwd:gecos=cn \
> -a attributeMap=passwd:gidnumber=gidNumber \
> -a attributeMap=passwd:uidnumber=uidNumber \
> -a attributeMap=passwd:homedirectory=unixHomeDirectory \
> -a attributeMap=passwd:loginshell=loginShell \
> -a attributeMap=shadow:shadowflag=shadowFlag \
> -a attributeMap=shadow:userpassword=userPassword \
> -a objectClassMap=group:posixGroup=group \
> -a objectClassMap=passwd:posixAccount=user \
> -a objectClassMap=shadow:shadowAccount=user \
> -a serviceSearchDescriptor=passwd:dc=example,dc=com?sub \
> -a serviceSearchDescriptor=group:dc=example,dc=com?sub
>
> When I add users to the Solaris OU then create another OU in Solaris
> called groups everything still works ok specifying the full domain
> example.com.
>
> However, so I can limit the users who have access to the ldap clients I
> changed the serviceSearchDescriptor lines as below:
>
> -a serviceSearchDescriptor=passwd:*ou=Solaris*,dc=example,dc=com?sub \
> -a serviceSearchDescriptor=group:*ou=Solaris*,dc=example,dc=com?sub
>
> After restarting ldap client etc. I am now unable to getent, ldaplist the
> AD users or groups etc. When I remove the ou=Solaris everything works
> perfectly but I need to control which users have access to the specific
> clients...
>
> I've tried numerous different ways to resolve and scoured google to no
> avail... also tried filters and am now thinking of going to netgroups
> although this is a last resort...
>
> I also tried placing specific users in
>
> -a "serviceSearchDescriptor=passwd:ou=Solaris,dc=example,dc=com?sub?(l(uid=testsh))"
>
> ...I can getent the userid testsh but can't ssh in...
>
> Any assistance would be appreciated...
>
> Thanks...
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> sysadmin-discuss mailing list
> sysadmin-discuss@opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/sysadmin-discuss
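To make Doug's suggestion concrete, here is an added example (not code from either poster) of what a pam_list allow list looks like and how its matching semantics play out. The `pam.conf` stanza in the comment is the Solaris 10 `pam_list.so.1` account-management module with its `allow=` option; the file path `/etc/users.allow`, the netgroup names and the user names are all made up for illustration, and the netgroup triples are read from a constructed file rather than from `getent netgroup` so the script runs offline. The `list_allows` function mimics the module's decision (a plain entry matches a login name, an `@name` entry matches members of that netgroup); check pam_list(5) on your system for the exact entry forms it accepts.

```shell
#!/bin/sh
# Added example: emulate pam_list allow-file semantics on a constructed
# allow list and a constructed netgroup table. Assumptions: the allow file
# path, user names and netgroup names below are fictitious.
#
# The real enforcement on a Solaris 10 client goes in /etc/pam.conf, e.g.
# (hypothetical path for the allow file):
#
#   other   account requisite   pam_roles.so.1
#   other   account required    pam_list.so.1   allow=/etc/users.allow
#   other   account required    pam_unix_account.so.1
#
# With that in place, a user who resolves via ldapclient/getent but is not
# in the allow list (directly or through a listed netgroup) is refused at
# account management, so ssh logins fail even though the account exists.

ALLOW_FILE="${TMPDIR:-/tmp}/users.allow.$$"
NETGROUP_FILE="${TMPDIR:-/tmp}/netgroup.$$"
trap 'rm -f "$ALLOW_FILE" "$NETGROUP_FILE"' EXIT

# Constructed allow list: one login name or @netgroup per line.
cat > "$ALLOW_FILE" <<'EOF'
# users permitted to log in on this client
testsh
@solaris-admins
EOF

# Constructed netgroup table in /etc/netgroup triple form (host,user,domain).
cat > "$NETGROUP_FILE" <<'EOF'
solaris-admins (,alice,) (,bob,)
dbas (,carol,)
EOF

# in_netgroup NAME USER: exit 0 if USER appears as the user field of a
# triple in netgroup NAME (stands in for `getent netgroup NAME`).
in_netgroup() {
    ng=$1; u=$2
    grep "^$ng[[:space:]]" "$NETGROUP_FILE" | tr ' ' '\n' | grep -q "^(,$u,)\$"
}

# list_allows USER: exit 0 if the allow file admits USER, 1 otherwise.
# Blank lines and '#' comments are skipped; '@name' means a netgroup.
list_allows() {
    u=$1
    while IFS= read -r entry; do
        case $entry in
            ''|'#'*) continue ;;
            @*) in_netgroup "${entry#@}" "$u" && return 0 ;;
            *)  [ "$entry" = "$u" ] && return 0 ;;
        esac
    done < "$ALLOW_FILE"
    return 1
}

# testsh is listed by name, alice via @solaris-admins, carol is in a
# netgroup that is not listed and so is denied.
for u in testsh alice carol; do
    if list_allows "$u"; then echo "$u: allowed"; else echo "$u: denied"; fi
done
```

The useful property this shows is the one Doug is pointing at: the directory keeps answering `getent passwd` for every account (name resolution is not the access control), while the per-host allow list decides who may actually log in. Keep the allow file root-owned and mode 0644 or tighter, and test with a non-listed account before relying on it.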