I have found it. On line 1169 of pam_ldap.c in the _host_ok function, there is a comparison to see if the current host is one of the ones allowed by the user's host (account) attribute, if it exists. If I have one or more host values, then I must have the host value of the machine I'm logging into. If I have no host values, then the check is bypassed and I can log onto any machine.

This check is done above and beyond what is in the ldap.conf filter, i.e. the filter I have below is redundant if I have any host values on my LDAP record. However, if I leave the filter off (I didn't seem to need it), I've opened the box up to anyone who doesn't have any host values at all.

Am I missing something? It seems the only way to alter this behavior is to edit the source code.

Thanks for any info,
Kelli

-----Original Message-----
From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com] On Behalf Of Kelli
Sent: Tuesday, April 17, 2001 1:32 PM
To: pam-list@redhat.com
Subject: Host attribute

Hi all,

I have several Linux boxes (Mandrake 7.2) authenticating against Netscape's LDAP 4.12. This has been working well, but I want to change the use of the pam_filter. I have:

pam_filter &(objectclass=posixaccount) (host=my.box.net)

in the ldap.conf file, where the host equals the local box name. Users then need to have host=my.box.net as an attribute of the account object class.

I found that if I comment out the pam_filter, I still get the same results as when the line was there, i.e. the user cannot log in unless he has the host attribute to match the box. Do I need to restart something? Does anyone know what else would be doing this host check?

Thank you everyone,
Kelli
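
The behaviour described in this thread, as an added example that is not part of the original messages and is not pam_ldap's source: a small C model of the host check and the `(host=...)` filter term, showing which accounts get in when the filter is removed. The function names, the `other.box.net` value and the case-insensitive comparison are assumptions.

```c
/* Added illustration: models the checks as the message describes them.
 * Not pam_ldap source; function names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <strings.h>

enum { DENY = 0, ALLOW = 1 };

/* Constructed sample entries; an account with no host values is (NULL, 0). */
static const char *const HOSTS_MATCH[] = { "my.box.net" };
static const char *const HOSTS_OTHER[] = { "other.box.net" };  /* constructed */

/* 1 if the entry carries a host value equal to the local box name.
 * Assumption: hostnames compare case-insensitively. */
static int has_host(const char *const *hosts, size_t n, const char *local)
{
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(hosts[i], local) == 0)
            return 1;
    return 0;
}

/* Host check as described: bypassed when the entry has no host values. */
static int host_ok_described(const char *const *hosts, size_t n, const char *local)
{
    if (n == 0)
        return ALLOW;   /* fail-open branch */
    return has_host(hosts, n, local) ? ALLOW : DENY;
}

/* Login decision: the (host=<local>) filter term, if configured, must match
 * the entry before the host check runs. */
static int login_allowed(const char *const *hosts, size_t n,
                         const char *local, int use_filter)
{
    if (use_filter && !has_host(hosts, n, local))
        return DENY;
    return host_ok_described(hosts, n, local);
}

int main(void)
{
    const char *box = "my.box.net";
    printf("matching host, no filter: %d\n", login_allowed(HOSTS_MATCH, 1, box, 0));
    printf("other host,    no filter: %d\n", login_allowed(HOSTS_OTHER, 1, box, 0));
    printf("no host,       no filter: %d\n", login_allowed(NULL, 0, box, 0));
    printf("no host,     with filter: %d\n", login_allowed(NULL, 0, box, 1));
    return 0;
}
```

Only the account with no host values changes outcome between the two configurations, which is why the filter looks redundant when every test account has a host attribute.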