ldap authorization

Mailing List

Home

Forum Home

Linux - General Red Hat Linux discussion list

Installation - Getting started with Red Hat Linux

Enterprise Linux 3 - Discussion of Red Hat Enterprise Linux 3 (Taroon)

Red Hat Linux 9 - Discussion of Red Hat Linux 9 (Shrike)

Red Hat Linux 7.2 - Discussion of Red Hat Linux 7.2 (Enigma)

Red Hat Linux 7.3 - Discussion of Red Hat Linux 7.3 (Valhalla)

Apache Web Server

Oracle database, Microsoft SQL server ...

Subjects

•	Subject: application/x mplayer2 plugin
•	RPM error: db4 error(16) from dbenv >remove: Device or resource busy
•	Command stream end of file while reading
•	Subject: X Windows problem (xauth)
•	Subject: Upgrading openoffice 1 1 rpm
•	Subject: FTP: connection refused
•	Subject: FTP: connection refused
•	mount: /dev/cdrom: is not a valid block device
•	Dell Precision 650, RedHat 9, no sound
•	how to trace the cause resulting in the crash of bind server
•	Virus on the list
•	UNINSTALL RPM MYSQL
•	usb pen drives: mounting as a user
•	Subject: broadcom network interface
•	make mrproper
•	Couldn 't open PID file /var/run/named/named pid Permission denied
•	sendmail configuration on redhat
•	kernel 2 6 and /dev/sound/mixer not found
•	Subject: Promise 378 controller
•	Subject: Problem using up2date
•	mrtg step by step howto/configuration for a newbie?
•	Compiling and Installing Kernel 2 6
•	Can 't locate module ppp0, can 't locate module ppp compress 21
•	Subject: Lotus Notes under Wine
•	HOW I CAN MAKE BOOTABLE FLOPPY DISKET
•	/etc/security/limits conf question
•	Intel E/1000 driver
•	rpm database corrupt
•	Command stream end of file while reading
•	qla2300 modules

ldap authorization

ldap authorization

2007-10-11 - By Troy Knabe

Back
So I can't do Kerberos authentication and ldap authorization and have group
based access defined by pam_groupddn??

-Troy

First, you must have enabled LDAP authentication. If you don't have
pam_ldap in the PAM stack then PAM won't use LDAP at all.

There are two mechanisms for controlling host access within LDAP. There
is host based and group based. In host based access you specify which
hosts a user is allowed to access in the user entry in the directory. In
group based access you say which users are allowed to access a host in a
host entry in the directory.

In both cases you have to enable the feature in /etc/ldap.conf for it to
work. The default is to allow access to all users who authenticate
against the directory. So, in every host you want to control access to
(to allow or deny) you have to modify /etc/ldap.conf.

To enable host based access you have to set the "pam_check_host_attr" to
"yes" in /etc/ldap.conf. You also have to add a "host" attribute to
each user's entry in the directory who is allowed to login to that host,
the default is access denied. The host entry should be the FQDN of the
host in question. The users' entries must include an objectClass which
contains the "host" attribute, such as "account".

To enable group based access you define "pam_groupddn" and
"pam_member_attribute" in /etc/ldap.conf. pam_groupdn is the DN of the
entry in the directory which contains the list of users who are allowed
access to this host. pam_member_attribute is the attribute within that
entry which holds the users DNs. Note, the DN of the users entry in the
directory, not the userid or any other attribute.

Note that in neither case is access controlled by POSIX groups. It is
just an ad hoc group of users. If you want to control access by POSIX
group I don't think you can do it using LDAP.

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@(protected)
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@(protected)?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@(protected)?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list