On Thu, 18 Sep 2003, Kevin Reck wrote:

> I've been trying to switch servers from using system accounts to use
> LDAP for authentication, which I can successfully do, but the problem is
> it seems to be an all or nothing type of switch.
>
> Well here's what I want to do, but I am not sure how to do it.
>
> On one particular server I want to only allow login by people in the
> group "allow_login", but also allow authenticated relay on this machine
> to anybody in the ldap tree. The problem is though, if I limit by group
> only people in that group can log in and relay; and if I include
> everybody in that group, then everybody can login and relay.
>
> Is there a way I can tell the smtp pam.d entry to use separate rules
> than the system-auth?
>
> Any other suggestions if pam cannot do this yet?

I have set up a couple of machines to authenticate against LDAP. These were Debian Woody machines, and so did not have system-auth. But, the mail server only allowed ldap for pop and imap. Only local users (admins) could get a shell.

We didn't use SMTP auth, and I don't know if the mail server supported SMTP auth through PAM or not. If it did, though, I think I could have restricted it to a certain group with pam_listfile (the group has to be local, either /etc/group or with nssw).

As far as I know, there's no way of directly (with options on the line in the pam config file) telling PAM to only try to authenticate for users in certain groups.

Otherwise, the mail server probably supports authentication directly against the LDAP server, and you can specify exactly what criteria you're looking for, including group membership.

Restricting by recipient is a different topic entirely, and specific to the mail server.

--
Marshal Newrock, unemployed Linux user in Lansing, MI
Caution: Product will be hot after heating

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
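As an added illustration, not taken from this thread, here is how the split the reply sketches could be expressed with Linux-PAM's per-service files: the `smtp` service authenticates any LDAP user, while the `login` stack prepends a `pam_listfile` group check so only members of `allow_login` get a shell. The group name comes from the question; the path `/etc/security/login_groups.allowed` and the exact module ordering are assumptions, and the module names and `pam_listfile` options (`item`, `sense`, `file`, `onerr`) are the standard ones from Linux-PAM.

```conf
# /etc/pam.d/smtp  (added example): SMTP AUTH may be used by any LDAP or local user.
# No group check here, so everybody in the LDAP tree can relay after authenticating.
auth     sufficient   pam_ldap.so
auth     required     pam_unix.so try_first_pass
account  sufficient   pam_ldap.so
account  required     pam_unix.so

# /etc/pam.d/login  (added example): shell login only for members of "allow_login".
# pam_listfile reads one group name per line from the file and resolves membership
# through NSS, so the group may live in /etc/group or be served by nss_ldap.
# onerr=fail makes a missing or unreadable list deny access instead of allowing it.
auth     required     pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/login_groups.allowed
auth     sufficient   pam_ldap.so
auth     required     pam_unix.so try_first_pass
account  sufficient   pam_ldap.so
account  required     pam_unix.so

# /etc/security/login_groups.allowed  (constructed sample; keep it root-owned, mode 0600)
allow_login
```

The point of keeping the `pam_listfile` line in the service-specific file rather than in a shared stack is exactly the "all or nothing" problem from the question: any service that includes the shared stack would inherit the restriction. The same `pam_listfile` line belongs in `/etc/pam.d/sshd` (and any other interactive-login service) if those should be restricted too, since PAM applies each service file independently.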