Sean Carolan wrote: >> #2 >> a.there is also a setting in /etc/ldap.conf called pam_groupdn. This >> lets you define an LDAP object with multiple membe attributes to >> control who can login. I find it easy to use >> b. SSH can be told to only accept logins from a posix group (same deal >> just handled at a different part of the stack) >> > > One other question came to mind, and that was users with ssh keys. > How will migrating to LDAP-only authentication affect them? Is there > a way to continue allowing these users to use their keys for login? > You can either continue as usual with an authorized_keys file in their home directories, or look at the LPK patch available for OpenSSH that allows storing public keys in LDAP. Having the users in LDAP has absolutely no effect on how key-based logins work with SSH, but it does open up some other options. -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users