I use pam_access. Put the user/group names you would like to be able to log in to your server in the server's /etc/security/access.conf file (Linux).

As to your listed situation:

Server1:
    -:ALL EXCEPT root A B C:ALL

Server2:
    -:ALL EXCEPT root A:ALL

Server3:
    -:ALL EXCEPT root A C:ALL

Note: your group name should not contain white space (something like Group A may cause a problem). Make sure pam_access.so is included in your PAM configuration stack and use "required".

You can use pam_require too. It takes user and group names as arguments and is not as granular as pam_access.

Yu

-----Original Message-----
From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx] On Behalf Of Scott Ruckh
Sent: Thursday, September 14, 2006 3:23 PM
To: pam-list@xxxxxxxxxx
Subject: pam_krb5/ldap access control with Active Directory

How do you control access?

For example, say you have 3 groups (A, B, and C). Users of Group A should have access to all servers, Group B should have access to only a few servers, and Group C will have access to a few servers.

Obviously each server's ldap.conf file could contain configurations using different AD containers to limit access, but how would you handle access for the below situation?

Servers:   Groups that have access
Server 1:  Group A, Group B, and Group C
Server 2:  Group A
Server 3:  Group A and Group C

Thanks.

--
Scott

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
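The three access.conf rules from the reply above, evaluated against sample accounts. This is an added example, not part of the original message and not pam_access's own code; it is a simplified model that assumes the origins field is always ALL, ignores netgroups and module options, and uses constructed account names.

```python
# Simplified model of how pam_access reads an access.conf rule (illustration only).
# Assumptions: origins is always ALL, whitespace-separated lists, no netgroups.

def list_match(tokens, user, groups):
    """Match a users field such as 'ALL EXCEPT root A B C' against one account."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, []
    hit = any(t == "ALL" or t == user or t in groups for t in head)
    # A match on the left side is cancelled by a match in the EXCEPT list.
    return hit and not (tail and list_match(tail, user, groups))

def login_allowed(conf, user, groups):
    """The first matching rule decides; if no rule matches, access is granted."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if origins != "ALL":
            raise ValueError("this sketch only handles origins == ALL")
        if list_match(users.split(), user, groups):
            return perm == "+"
    return True

# The three per-server rules from the reply.
SERVERS = {
    "Server1": "-:ALL EXCEPT root A B C:ALL",
    "Server2": "-:ALL EXCEPT root A:ALL",
    "Server3": "-:ALL EXCEPT root A C:ALL",
}

# Constructed accounts: name -> groups the account belongs to.
ACCOUNTS = {"alice": {"A"}, "bob": {"B"}, "carol": {"C"},
            "dave": {"staff"}, "root": {"root"}}

def access_matrix():
    """Return, per server, the sorted list of accounts allowed to log in."""
    return {s: sorted(u for u, g in ACCOUNTS.items() if login_allowed(rule, u, g))
            for s, rule in SERVERS.items()}

if __name__ == "__main__":
    for server, users in access_matrix().items():
        print(server, "->", ", ".join(users))
```

Because the users field is split on whitespace, a group literally named `Group A` is read as the two tokens `Group` and `A` and never matches, which is the problem the reply's note warns about.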