[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Google
  Web www.spinics.net

RE: pam_krb5/ldap access control with Active Directory



I use pam_access. Put user/group names you would like them to login to
your server in the server's /etc/security/access.conf file (Linux).

As to your listed situation:

Server1: 
-:ALL EXCEPT root A B C:ALL
Server2: 
-:ALL EXCEPT root A:ALL
Server3: 
-:ALL EXCEPT root A C:ALL
Note: your group name should not contain white space (something like
Group A may cause problem).

Make sure pam_access.so is included in your pam configuration stack and
use "required".

You can use pam_require too. It takes user and group names as arguments
and not as granular as pam_access.

Yu



-----Original Message-----
From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx]
On Behalf Of Scott Ruckh
Sent: Thursday, September 14, 2006 3:23 PM
To: pam-list@xxxxxxxxxx
Subject: pam_krb5/ldap access control with Active Directory

How do you control access?

For example,  say you have 3 groups (A, B, and C).  Users of Group A
should have access to all servers, Group B should have access to only a
few servers, and Group C will have access to a few servers.

Obviously each server's ldap.conf file could contain configurations
using
different AD containers to limit access, but how would you handle access
for the below situation?

Severs: Groups that have access

Server 1:  Group A, Group B, and Group C
Server 2:  Group A
Server 3:  Group A and Group C

Thanks.
-- 
Scott


_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

Add to Google Powered by Linux