Date: Mon, 27 Apr 2009 07:48:07 +0000
From: "O. Hartmann" <ohartman@zedat.fu-berlin.de>
To: freebsd-questions@freebsd.org, freebsd-current@FreeBSD.org
Subject: PAM/ldap_pam/NFSv4: How let users of a specific group log into a specific box?
Message-ID: <49F56337.8040900@zedat.fu-berlin.de>
Hello.

I ran into a specific problem and for several months of experiments I haven't found a solution yet. This is what I wish to get and need: a simple capability of selecting users into a specific group. Members of such a group should then log into a set of specific hosts.

Infrastructure is FreeBSD 8.0-CURRENT/amd64 and some 7.2-STABLE boxes (acting as server) as well as an OpenLDAP backend. Authentication on boxes is done via PAM/ldap_pam. But it is on FreeBSD's side a vanilla configuration, not very sophisticated. Users authenticate and authorize against an OpenLDAP server residing on another box.

pam_ldap in its most recent ports version offers, as the manpage claims, a facility enabling group logins (resides in /usr/local/etc/ldap.conf):

    # Group to enforce membership of
    pam_groupdn cn=mygroup,ou=groups,dc=foo,dc=org?sub

    # Group member attribute
    #pam_member_attribute uniqueMember
    pam_member_attribute memberUid

Within the DIT of the OpenLDAP server ou=groups exists and also contains a group called 'mygroup' with a multi-value attribute (as required), in this case memberUid.

Using pam_ldap.so as a 'required' module is not appreciated, so there seems to be a problem to me with the stack order. Should say: I need an LDAP solution. pam_group doesn't work for me:

    auth required/requisite pam_group.so no_warn group=mygroup

Can anybody help or do you have hints? Please remember I do not belong to the 'questions' list, so please put me into your mail-cc.

Regards,
Oliver
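An added example, not from the poster or the pam_ldap project, showing how the two ldap.conf keys quoted above pair with a FreeBSD pam.d auth stack that keeps pam_ldap "sufficient" rather than "required"; the group name, base DN, service file and module path are assumptions.

```conf
# /usr/local/etc/ldap.conf (pam_ldap side): the two keys quoted in the mail
pam_groupdn cn=mygroup,ou=groups,dc=foo,dc=org?sub
pam_member_attribute memberUid

# /etc/pam.d/sshd (assumed auth lines, rest of the stack left at the default):
# pam_ldap runs first as "sufficient", so an LDAP user listed in mygroup is
# accepted here and never reaches pam_unix; a user outside the group fails
# pam_ldap and falls through to pam_unix, which only succeeds for an account
# that has a usable local password hash.
auth        sufficient  /usr/local/lib/pam_ldap.so    no_warn
auth        required    pam_unix.so                   no_warn try_first_pass
```

memberUid holds bare login names while uniqueMember holds full DNs, so the attribute named in pam_member_attribute must match how the group entry was populated or the check fails for everyone.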