On Tue, Feb 2, 2010 at 8:57 PM, Steve Bernacki <fds at f.copacetic.net> wrote:
> On 2/2/2010 1:18 PM, Morris, Patrick wrote:
>> [snip]
>> We've found it a lot easier to manage than having to add an entry per
>> host to user records, but then our servers tend to fall into
>> easily-defined groups, which may not be the case for everyone, and the
>> way we do it also relies on the only remote access to the box being over
>> SSH.
>> [snip]
>
> Here's an interesting twist to the problem, while we're on the topic:
> how about supporting searching of hostEntitlement as well as POSIX
> groups, in that order? In my organization, we have many hosts that fall
> into easily definable groups, but sometimes I'd like to give a user
> access to just one host (or a list of individual hosts) rather than
> giving them access to every host listed in a group. pam_check_host_attr
> works for the former check, and pam_groupdn works for the latter, but
> they cannot be used together. I don't think pam_filter can be used
> here, since there's no way to substitute the DN being authenticated in
> the search filter.
>
> Any ideas?
>
> Best regards,
> Steve
>
> --
> Six-year Pan-Mass Challenge veteran, and counting!
> On August 7th and 8th 2010, I will be bicycling 192 miles to raise
> money for the Dana Farber Cancer Institute. Please visit
> http://sponsorsteve.com for more details!

>> rather than giving them access to every host listed in a group.

So then make two groups; as you said, you can't have it both ways. Even if the "group" just has one host, then it is a group of one.