On 2/2/2010 1:18 PM, Morris, Patrick wrote: > [snip] > We've found it a lot easier to manage than having to add an entry per > host to user records, but then our servers tend to fall into > easily-defined groups, which may not be the case for everyone, and the > way we do it also relies on the only remote access to the box being over > SSH. > [snip] > Here's an interesting twist to the problem, while we're on the topic: how about supporting searching of hostEntitlement as well as POSIX groups, in that order? In my organization, we have many hosts that fall into easily definable groups, but sometimes I'd like to give a user access to just one host (or a list of individual hosts) rather than giving them access to every host listed in a group. pam_check_host_attr works for the former check, and pam_groupdn works for the latter, but they cannot be used together. I don't think pam_filter can be used here, since there's no way to substitute the DN being authenticated in the search filter. Any ideas? Best regards, Steve -- Six year Pan-Mass Challenge veteran, and counting! On August 7th and 8th 2010, I will be bicycling 192 miles to raise money for the Dana Farber Cancer Institute. Please visit http://sponsorsteve.com for more details!
