> -----Original Message-----
> From: owner-pamldap@... [mailto:owner-pamldap@...] On Behalf Of Tom Hodder
> Sent: Monday, February 06, 2006 8:47 PM
> To: pamldap@...
> Subject: [pamldap] ldap group membership
>
> Hi,
>
> Is there a way to configure that the logging-on user has to be a member
> of multiple groups to be able to login?
>
> I have a bunch of existing groups like;
>
> cn=Developers
> cn=Administrators
> cn=Managers
>
> and at the moment, all users can login to all the servers, as my
> pam_groupdn is like this;
>
> pam_groupdn cn=unixusergroup,etc,etc
>
> Am I allowed to specify multiple "pam_groupdn" entries in the ldap.conf
> file in order to require combined group memberships?
>
> Also, is there a way of requiring group membership at the pam.d conf
> file configuration level, e.g.
>
> account require pam_groups_required.so groupname=cn=Developers
>
> etc., or something like that, as I think it would be easier to manage via
> the pam.d files than having entries in the ldap.conf files.
> (All I am trying to do is use ldap group membership to allow/deny pam
> logins)
>
> Any advice would be appreciated,
I use the pam_filter directive in ldap.conf. Here is an "or" statement:
pam_filter |(groupattribute=group1)(groupattribute=group2)
and I think an "and" would just be:
pam_filter &(groupattribute=group1)(groupattribute=group2)
>
> Thanks,
>
> Tom
>
HTH,
-Grant
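As an added illustration (not part of Grant's or Tom's messages, and not pam_ldap's own code): a small Python evaluator for the kind of pam_filter fragments shown above. pam_ldap ANDs the fragment with the login-name lookup, so the search it actually sends is of the form (&(uid=USER)(FRAGMENT)); the group attribute memberOf, the user entries and the group names are constructed sample values.

```python
# Tiny evaluator for the LDAP filter fragments used with pam_ldap's pam_filter.
# pam_ldap ANDs the fragment with the login-name lookup (uid by default), so the
# search it actually sends is (&(uid=USER)(FRAGMENT)). Added example code;
# attribute and group names are constructed sample values.

def effective_filter(uid: str, pam_filter: str) -> str:
    """Filter pam_ldap sends: the uid match ANDed with the pam_filter fragment."""
    return f"(&(uid={uid})({pam_filter}))"

def parse(expr: str, pos: int = 0):
    """Recursive-descent parser for the subset &, |, ! and attr=value."""
    assert expr[pos] == "(", f"expected '(' at offset {pos}"
    pos += 1
    if expr[pos] in "&|!":
        op, children = expr[pos], []
        pos += 1
        while expr[pos] == "(":
            node, pos = parse(expr, pos)
            children.append(node)
        assert expr[pos] == ")", f"expected ')' at offset {pos}"
        return (op, children), pos + 1
    end = expr.index(")", pos)
    attr, value = expr[pos:end].split("=", 1)  # split on the first '=' only
    return ("=", attr, value), end + 1

def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against an entry of multi-valued attributes."""
    if node[0] == "=":
        return node[2] in entry.get(node[1], ())
    op, children = node
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)  # '!' takes exactly one child

def may_log_in(entry: dict, uid: str, pam_filter: str) -> bool:
    """True when the effective search would return this entry, i.e. the
    pam_ldap account check would succeed for this login name."""
    node, _ = parse(effective_filter(uid, pam_filter))
    return matches(node, entry)

# Constructed sample entries; memberOf stands in for the directory's group attribute.
DEV_ONLY = {"uid": ["alice"], "memberOf": ["cn=Developers"]}
DEV_AND_ADMIN = {"uid": ["bob"], "memberOf": ["cn=Developers", "cn=Administrators"]}
REQUIRE_BOTH = "&(memberOf=cn=Developers)(memberOf=cn=Administrators)"
REQUIRE_EITHER = "|(memberOf=cn=Developers)(memberOf=cn=Administrators)"
```

With REQUIRE_BOTH only the entry holding both groups passes, with REQUIRE_EITHER either group suffices, and a uid that does not match the entry fails regardless of group membership.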