I've got a question about pam_ldap with the attributes "host" and "authorizedService" stored in LDAP.
Is there a way to limit users to logging in to specific hosts only through a defined service?
I set in /etc/ldap.conf
pam_check_host_attr yes
pam_check_service_attr yes
I tried to use authorizedService and it works fine if I define a service, but I want to define something like "service@host".
I set in my LDAP the schemas about
If I have a user "USER1" and two hosts "SERVER1" and "SERVER2", I want to grant access through SSH for user USER1 only to SERVER1 and through FTP only to SERVER2, but it is not working if I set something like this in LDAP:
--------------------------------------------------------------------------------------------
dn: cn=user1,ou=People,dc=altavista,dc=local
....
....
uidNumber: 1004
gidNumber: 508
homeDirectory: /home/user1
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: hostObject
loginShell: /bin/bash
host: *
authorizedService: sshd@server1
authorizedService: ftp@server2
--------------------------------------------------------------------------------------------
Access is granted through both FTP and SSH, but on both servers, if I set this:
--------------------------------------------------------------------------------------------
.....
host: *
authorizedService: sshd
authorizedService: ftp
....
--------------------------------------------------------------------------------------------
How can I manage login to specific hosts only through a defined service? Do I need to patch pam_ldap? http://bugzilla.padl.com/show_bug.cgi?id=295
Best regards
M.
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
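The behaviour reported in the post is consistent with pam_ldap evaluating the `host` and `authorizedService` attributes independently (hostname matched against `host` values with `*` as a wildcard, PAM service name compared for exact equality against `authorizedService` values), so a value such as `sshd@server1` can never equal the service name `sshd`. The following added example (not pam_ldap code and not from the original post) emulates that assumed model over the entry shown above and lints an LDIF fragment for values the independent checks cannot express; the matching model and the LDIF sample are assumptions built from the post.

```python
"""Emulate independent host / authorizedService checks and lint an LDIF entry.

Added example. Assumed model (inferred from the post, not taken from pam_ldap
source): `host` values match the local hostname with `*` as a wildcard, and
`authorizedService` values must equal the PAM service name exactly.
"""
from fnmatch import fnmatch

# Constructed LDIF fragment modelled on the entry in the post.
LDIF = """\
dn: cn=user1,ou=People,dc=altavista,dc=local
objectClass: hostObject
host: *
authorizedService: sshd@server1
authorizedService: ftp@server2
"""


def parse_ldif(text):
    """Return {attribute: [values]} for one LDIF entry (no folding or base64)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def access_allowed(entry, hostname, service):
    """Host and service checks evaluated independently, as assumed for pam_ldap."""
    host_ok = any(fnmatch(hostname, h) for h in entry.get("host", []))
    service_ok = service in entry.get("authorizedService", [])
    return host_ok and service_ok


def lint(entry):
    """Flag values the independent checks can never match or that widen access."""
    findings = []
    for value in entry.get("authorizedService", []):
        if "@" in value:
            findings.append(f"authorizedService '{value}' contains '@' and "
                            "never equals a PAM service name")
    if "*" in entry.get("host", []):
        findings.append("host: * permits every host; per-host restriction is lost")
    return findings


if __name__ == "__main__":
    e = parse_ldif(LDIF)
    for host, svc in [("server1", "sshd"), ("server2", "ftp")]:
        print(host, svc, access_allowed(e, host, svc))  # both False under this model
    for f in lint(e):
        print("WARN:", f)
```

Under this model the `service@host` entries deny everything, while plain `sshd`/`ftp` values with `host: *` grant both services on both hosts, which is exactly the outcome the post describes.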