On 07/10/2012 04:14 PM, Richard Pieri wrote:
> On 7/10/2012 2:53 PM, Jerry Feldman wrote:
>> I don't know LDAP that well so I am looking for an LDAP solution that
>> will permit certain users to use certain systems.
>
> I use PAM.
>
> The way I do it is to create an LDAP group for each role. Each
> limited access node gets a file /etc/login.groups with root, wheel and
> the permitted roles. I use the pam_listfile module to compare group
> memberships of attempted logins with the login.groups file.
>
> A variant is to create an LDAP group corresponding to each node name.
> Add users who require access to a node to the associated group. Use a
> PAM module to check group membership against the local host name and
> reject logins that don't match.
>
> Substitute your directory of choice for LDAP. Anything that lets you
> manage group memberships will work.
>

I'm leaning toward using LDAP. LDAP will be at a corporate level (not
IBM but Algorithmics). But, I don't have that many servers so I can
replicate my changes to each of the servers. Back on testdrive we used
PAM and it worked well except for one Debian box.

--
Jerry Feldman <gaf at blu.org>
Boston Linux and Unix
PGP key id:3BC1EB90
PGP Key fingerprint: 49E2 C52A FC5A A31F 8D66 C0AF 7CEA 30FC 3BC1 EB90
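
The host-name variant described in the quoted message, sketched as a script that pam_exec could call. This is an added example, not code from the thread; the script path, the always-permitted groups (root and wheel, borrowed from the login.groups scheme) and the use of the short host name as the group name are assumptions.

```shell
#!/bin/sh
# Added example: per-node group check intended for pam_exec.
# Assumed PAM line (the script path is hypothetical):
#   account required pam_exec.so /usr/local/sbin/check-host-group
# pam_exec exports the login name as PAM_USER; a non-zero exit denies.

# Groups allowed on every node (assumption, mirrors the root/wheel
# entries of the login.groups scheme).
ALWAYS_ALLOWED="root wheel"

# login_allowed GROUPS NODE
#   GROUPS: space-separated group names of the user (as from `id -Gn`)
#   NODE:   short host name of this machine
# Returns 0 if a group equals NODE or is always allowed, 1 otherwise.
# Caveat: group names that contain spaces are split into several words
# here, so keep directory group names free of whitespace.
login_allowed() {
    _groups=$1
    _node=$2
    # Fail closed if the host name could not be determined.
    [ -n "$_node" ] || return 1
    for _g in $_groups; do
        if [ "$_g" = "$_node" ]; then return 0; fi
        for _a in $ALWAYS_ALLOWED; do
            if [ "$_g" = "$_a" ]; then return 0; fi
        done
    done
    return 1
}

# Run the check only when invoked by PAM (PAM_USER is set).
if [ -n "${PAM_USER:-}" ]; then
    # A failed directory lookup or host name lookup denies the login.
    user_groups=$(id -Gn -- "$PAM_USER" 2>/dev/null) || exit 1
    node=$(hostname -s 2>/dev/null) || exit 1
    if login_allowed "$user_groups" "$node"; then
        exit 0
    fi
    # Record the denial so rejected logins show up in the auth log.
    logger -p auth.notice "login denied: $PAM_USER not in group $node"
    exit 1
fi
```

Because every failure path exits non-zero, an unreachable directory denies logins on that node; keep a local account in one of the always-allowed groups for recovery.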