>>>>> "Thomas" == thomas emde <thomas.emde@scaleon.de> writes:

    Thomas> I followed your discussion with interest but I have a very
    Thomas> practical problem. Is there any configuration of pam
    Thomas> (sshd) which allows me to have mixed local/ldap users
    Thomas> _with_ ldap users restricted to certain hosts using the
    Thomas> host attribute in ldap?

    Thomas> I am also using nss_ldap.

Yes.  The trick is to short-circuit when the user is local, and go to
pam_ldap otherwise:

    account requisite  pam_unix.so
    account sufficient pam_local.so
    account required   pam_ldap.so

* pam_unix doesn't need to be "requisite", but since you always expect
  it to succeed for a user in NSS, this probably isn't a bad idea.

* For pam_local.so, there was a thing called pam_local_acct_mgmt.so
  posted to the pamldap list.  Alternatively, there's a pam_localuser.so
  module in the incoming patch queue on SourceForge.  Both just check
  that the user is defined in the local passwd file.

The first time I saw this solution it was posted to the pamldap list by
Paul Hilchey.  The Message-ID was <3CADFF71.3030708@ucs.ubc.ca>.

peace & happiness,
martin
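An added illustration of how that three-line account stack actually decides (this is example code written for this page, not martin's, Paul Hilchey's, or either module's own code): a POSIX shell simulation of the requisite/sufficient/required control flow, run over a constructed passwd file and a constructed set of LDAP "host" attribute values. The user names, host names and the two helper functions are invented for the demo; pam_ldap's real host check is the one switched on with `pam_check_host_attr yes` in /etc/ldap.conf.

```shell
#!/bin/sh
# Simulation of the sshd "account" stack from the message above:
#   account requisite  pam_unix.so
#   account sufficient pam_local.so
#   account required   pam_ldap.so
# All data below is constructed for this demo and stands in for
# /etc/passwd and for the LDAP directory.

# Constructed local passwd file (stands in for /etc/passwd).
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh'

# Constructed LDAP data: "uid host" pairs, one per line, mimicking the
# multi-valued "host" attribute that pam_ldap checks when
# pam_check_host_attr is enabled.  bob may log in on web1 and web2,
# carol only on db1.
LDAP_HOSTS='bob web1
bob web2
carol db1'

# Equivalent of pam_local_acct_mgmt / pam_localuser: is the user
# defined in the local passwd file?  (exact match on the first field)
is_local_user() {
    printf '%s\n' "$LOCAL_PASSWD" |
        awk -F: -v u="$1" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# Equivalent of nss_ldap resolving the user: does the directory know
# this uid at all, regardless of host?
is_ldap_user() {
    printf '%s\n' "$LDAP_HOSTS" |
        awk -v u="$1" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# Equivalent of pam_unix's account check: succeeds whenever NSS
# (files + ldap) resolves the user, which is why the original note says
# you always expect it to succeed.
pam_unix_account() {
    is_local_user "$1" || is_ldap_user "$1"
}

# Equivalent of pam_ldap's account check with pam_check_host_attr:
# succeed only if the user's host attribute lists the host we are on.
pam_ldap_account() {
    printf '%s\n' "$LDAP_HOSTS" |
        awk -v u="$1" -v h="$2" '$1 == u && $2 == h { found = 1 } END { exit found ? 0 : 1 }'
}

# The stack itself, with PAM control-flag semantics:
#   requisite  - failure ends the stack at once with failure
#   sufficient - success ends the stack at once with success
#   required   - failure is remembered; later modules would still run,
#                but pam_ldap is the last module here, so it simply
#                decides the result.
# Usage: account_stack USER HOST; returns 0 = allow, 1 = deny.
account_stack() {
    user=$1
    host=$2
    pam_unix_account "$user" || return 1            # requisite
    is_local_user "$user" && return 0               # sufficient: local users skip LDAP
    pam_ldap_account "$user" "$host" || return 1    # required: LDAP users need a host match
    return 0
}

# Small demo table when run directly.
for probe in 'alice db1' 'bob web1' 'bob db1' 'carol db1' 'mallory web1'; do
    set -- $probe
    if account_stack "$1" "$2"; then
        printf '%-8s on %-5s allow\n' "$1" "$2"
    else
        printf '%-8s on %-5s deny\n' "$1" "$2"
    fi
done
```

Note the two failure modes the order of the lines protects against: a local user never reaches pam_ldap (so a missing or empty host attribute cannot lock root out), and a user known only to LDAP can never slip past the host check, because pam_local.so fails for them and pam_ldap.so is then the deciding module.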