Using pam_filter in ldap.conf
Using LDAP, I am currently using "roles" for user authorization for access to target hosts. I add a host attribute to users' accounts where I define a "role" or set of "roles" that is checked when a user attempts to log in to a host.
On the hosts I modify ldap.conf as follows:
pam_filter &(objectclass=posixAccount) (host=<rule>)
If the user has the <rule> attribute defined in their LDAP record, they get in; if not, they are denied.
I am trying to find a way to do the same thing but on a group basis. I have groups defined in ldap with groupofuniquenames and the posixgroup object class.
If I add users to a group and add the host attribute to that group, I would like to use pam_filter to filter by posixAccount and posixGroup and host=<rule>.
Is this possible, and if so, how? I am not sure how to do this with pam_filter.
Thanks.