restrict logins to certain users for SLES 11 SP1 ldap client

13-Mar-2012, 20:56
Is it possible to configure a SLES 11 SP1 ldap client (ldap server is Sun/Oracle DSEE) to restrict logins to specific users/groups?


15-Mar-2012, 18:31
Hi Chaplina,

yes, this is certainly possible.

One way is to create a "group" entry in your LDAP tree for your server "someserver", similar to

dn: cn=someserver,ou=hostaccess,ou=group,dc=company,dc=com
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 999999
member: uid=userA,ou=people,dc=company,dc=com
member: uid=userB,ou=people,dc=company,dc=com
member: uid=userC,ou=people,dc=company,dc=com

where the member entries are the DN of the LDAP users to be granted access (not just "any" DNs - those must be the entries used to verify the authenticity of the users by the LDAP client).

On "someserver", configure the LDAP client (/etc/ldap.conf) to check that group:

pam_groupdn cn=someserver,ou=hostaccess,ou=group,dc=company,dc=com
pam_member_attribute member
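
Added example, not part of the original reply: an offline audit helper that parses an LDIF export of the host-access group and tests whether a user's full DN is listed in the attribute named by pam_member_attribute, which is the condition the pam_groupdn setting above relies on. The function names, the sample LDIF (constructed from the entry in the post) and the simplified, case-insensitive DN normalization are assumptions of this example; the directory server applies its own matching rules.

```python
import base64
import re

# Constructed sample: the group entry from the post as an LDIF export might
# show it, with one folded line and one base64-encoded value.
SAMPLE_LDIF = """\
dn: cn=someserver,ou=hostaccess,ou=group,dc=company,dc=com
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 999999
member: uid=userA,ou=people,dc=company,dc=com
member: uid=userB,ou=people,
 dc=company,dc=com
member:: dWlkPXVzZXJDLG91PXBlb3BsZSxkYz1jb21wYW55LGRjPWNvbQ==
"""

def parse_ldif_entry(text):
    """Parse a single LDIF entry into {lowercased attribute: [values]}."""
    # LDIF folding: a line that starts with one space continues the previous line.
    unfolded = re.sub(r"\n ", "", text)
    entry = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: value" means the value is base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def normalize_dn(dn):
    """Simplified normalization (assumption): single-valued RDNs, case-insensitive."""
    out = []
    for rdn in re.split(r"(?<!\\),", dn):  # split on unescaped commas only
        attr, _, value = rdn.partition("=")
        out.append(attr.strip().lower() + "=" + " ".join(value.split()).lower())
    return ",".join(out)

def login_allowed(entry, user_dn, member_attr="member"):
    """True if user_dn is a value of member_attr in the group entry."""
    members = {normalize_dn(v) for v in entry.get(member_attr.lower(), [])}
    return normalize_dn(user_dn) in members

if __name__ == "__main__":
    group = parse_ldif_entry(SAMPLE_LDIF)
    for dn in ("uid=userB,ou=people,dc=company,dc=com", "uid=userD,ou=people,dc=company,dc=com"):
        print(dn, "->", "allowed" if login_allowed(group, dn) else "denied")
```

A DN with the right uid but a different container (for example ou=contractors) is denied, which is why the member values have to be the exact DNs the LDAP client authenticates.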