From: Uwe Laverenz <uwe@laverenz.de>
To: freebsd-questions@freebsd.org
Date: Fri, 13 May 2005 09:19:43 +0200
Subject: Re: Netgroups and LDAP?
Message-ID: <20050513071943.GA6228@laverenz.de>
Organization: private site
User-Agent: Mutt/1.5.9i
On Thu, May 12, 2005 at 03:59:24PM -0500, Ben Hockenhull wrote:

> I only want certain (large, broad) groups of people to be able to login to
> a given server, and I believe I'm looking to implement netgroups to do
> that, but I haven't been able to find any documentation on how to do that
> with FreeBSD.

You can't use netgroups with FreeBSD/ldap, only passwd and group databases
can be used with ldap AFAIK.

> Any pointers (to config examples, ldif-format schemas that incorporate
> netgroups, etc) or other ideas would be greatly appreciated. If there's
> another way to limit logins via LDAP, I'd be interested in hearing about
> that, too.

If your users have "objectClass: account" there is an attribute "host" that
can be used for limiting access to certain machines. You need the entry
"pam_check_host_attr yes" in your ldap.conf for pam and perhaps some
modifications of the files in /etc/pam.d. I have never used or tested this
but it is a standard feature of pam-ldap and I guess it should work.

cu,
Uwe
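The host-attribute check described in the reply above, as an added example that is not part of this thread or of pam_ldap itself: a small Python model of the decision pam_ldap makes once "pam_check_host_attr yes" is set, run over a constructed LDIF. It assumes, as pam_ldap's own ldap.conf comments state, that a user with no host value is then denied, and it assumes (not confirmed by the thread) that a value of "*" matches any host while other values must equal the local hostname as gethostname() reports it.

```python
# Constructed sample directory content (not real hosts or users).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: account
uid: alice
host: www1.example.org
host: shell.example.org

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: account
uid: bob
host: *

dn: uid=carol,ou=people,dc=example,dc=org
objectClass: account
uid: carol
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}; no base64 or folded lines."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        if attr == "dn":
            current = entries.setdefault(value.strip(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value.strip())
    return entries

def host_ok(entry, hostname, check_host_attr=True):
    """Model of pam_ldap's account check. Option off: everyone passes.
    Option on: the user needs at least one host value equal to the local
    hostname or "*" (wildcard, assumed from pam_ldap's documentation)."""
    if not check_host_attr:
        return True
    allowed = entry.get("host", [])
    # Missing attribute => empty list => any() is False => access denied.
    return any(h in ("*", hostname) for h in allowed)

def users_allowed_on(hostname, ldif=SAMPLE_LDIF, check_host_attr=True):
    """Sorted uids that would pass the host check when logging in on hostname."""
    return sorted(e["uid"][0] for e in parse_ldif(ldif).values()
                  if host_ok(e, hostname, check_host_attr))
```

Call users_allowed_on(socket.gethostname()) to see who the check would let onto the machine you run it on; note that carol, who has no host attribute, is denied everywhere once the option is on.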