This is what you said Yu Wang
> I use pam_access. Put user/group names you would like them to login to
> your server in the server's /etc/security/access.conf file (Linux).
>
> As to your listed situation:
>
> Server1:
> -:ALL EXCEPT root A B C:ALL
> Server2:
> -:ALL EXCEPT root A:ALL
> Server3:
> -:ALL EXCEPT root A C:ALL
> Note: your group name should not contain white space (something like
> Group A may cause problem).
>
> Make sure pam_access.so is included in your pam configuration stack and
> use "required".
>
> You can use pam_require too. It takes user and group names as arguments
> and not as granular as pam_access.
>
> Yu
>
>
>
> -----Original Message-----
> From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx]
> On Behalf Of Scott Ruckh
> Sent: Thursday, September 14, 2006 3:23 PM
> To: pam-list@xxxxxxxxxx
> Subject: pam_krb5/ldap access control with Active Directory
>
> How do you control access?
>
> For example, say you have 3 groups (A, B, and C). Users of Group A
> should have access to all servers, Group B should have access to only a
> few servers, and Group C will have access to a few servers.
>
> Obviously each server's ldap.conf file could contain configurations using
> different AD containers to limit access, but how would you handle access
> for the below situation?
>
> Servers: Groups that have access
>
> Server 1: Group A, Group B, and Group C
> Server 2: Group A
> Server 3: Group A and Group C
>
> Thanks.
> --
> Scott
>

Thanks for the reply, I will have to give this a try.

I am already using pam_access but did not put the two pieces of the puzzle together.

The example given above was truly artificial, so group names will not be a problem.

I appreciate your input, and your documentation.

Scott
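
Added example, not part of the original messages and not pam_access code: a simplified Python model of how pam_access evaluates the three access.conf lines from the reply above (the first matching rule decides; if no rule matches, access is granted). A, B and C are the thread's group names; the accounts alice, bob, carol and dave and the group staff are constructed for illustration.

```python
# Added example: simplified model of pam_access rule evaluation.
# Handles only what the thread uses: +/- rules, ALL, EXCEPT, and bare tokens
# matched against the user name or any of the user's group names.

# access.conf lines exactly as given in the reply, one file per server.
ACCESS_CONF = {
    "Server1": "-:ALL EXCEPT root A B C:ALL",
    "Server2": "-:ALL EXCEPT root A:ALL",
    "Server3": "-:ALL EXCEPT root A C:ALL",
}

# Constructed sample accounts (hypothetical): user name -> group names.
USERS = {"root": {"root"}, "alice": {"A"}, "bob": {"B"},
         "carol": {"C"}, "dave": {"staff"}}

def parse_rules(text):
    """Return (permission, user_tokens, origin_tokens) for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {line!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules

def list_match(tokens, names):
    """True if a token before EXCEPT matches and nothing after EXCEPT does."""
    head, tail = tokens, []
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    hit = any(t == "ALL" or t in names for t in head)
    return hit and not list_match(tail, names)

def allowed(conf, user, groups, origin="tty1"):
    """First matching rule decides; with no match, access is granted."""
    for perm, users, origins in parse_rules(conf):
        if list_match(users, {user, *groups}) and list_match(origins, {origin}):
            return perm == "+"
    return True

def access_matrix():
    return {srv: {u: allowed(conf, u, g) for u, g in USERS.items()}
            for srv, conf in ACCESS_CONF.items()}

if __name__ == "__main__":
    for server, row in access_matrix().items():
        print(server, [u for u, ok in row.items() if ok])
```

Because a bare token is compared with the user name as well as with group names, an account literally named A would pass the same rule as members of group A.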