Thanks for the reply. That thread goes over everything I've tried to date.
Using the host attribute in the user's ldif entry works fine, but we're
controlling access to over a hundred hosts for over three hundred users.
Keeping track of that could become a real headache. Is there a way to
reference a netgroup in the host field? For example, I have:

dn: cn=staffhosts,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: staffhosts
nisNetgroupTriple: (compute1.cluster.net,-,)
nisNetgroupTriple: (compute2.cluster.net,-,)

Can I reference this group in the user entry? I've tried:

dn: uid=user1,ou=people,dc=example,dc=com
cn: User1 Name
gidNumber: 10000
givenName: User1
homeDirectory: /home/uid1
loginShell: /bin/bash
sn: Name
uid: user1
uidNumber: ##########
userPassword: {SSHA}
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: extensibleObject
host: @staffhosts

In the client's /etc/ldap/conf, I have:

pam_check_host_attr yes
nss_base_netgroup ou=netgroup,dc=example,dc=com?one

This didn't work. Any suggestions?
If I can't reference a netgroup, does the host attribute accept wildcards or
regular expressions?
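Added example, not part of this thread and not pam_ldap's own logic: a small offline audit script that reads LDIF like the entries above, expands nisNetgroup triples (following memberNisNetgroup nesting), and reports which hosts each user's host attribute grants. It treats a host value of the form "@netgroup" as a netgroup reference, which is the convention the message asks about and is assumed here for illustration only; real pam_check_host_attr matching is not modelled, and the LDIF below is constructed sample data.

```python
"""Audit which hosts each LDAP user is granted via the host attribute.

Assumptions (not pam_ldap behaviour): a host value "@name" refers to the
nisNetgroup with cn=name; everything else is an exact hostname.
"""
import re

# Constructed sample LDIF modelled on the entries in the thread (abbreviated).
SAMPLE_LDIF = """\
dn: cn=staffhosts,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: staffhosts
nisNetgroupTriple: (compute1.cluster.net,-,)
nisNetgroupTriple: (compute2.cluster.net,-,)

dn: cn=allhosts,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: allhosts
memberNisNetgroup: staffhosts
nisNetgroupTriple: (login1.cluster.net,-,)

dn: uid=user1,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: user1
host: @staffhosts

dn: uid=user2,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: user2
host: login1.cluster.net
host: @allhosts
"""

# (host,user,domain); an empty or "-" field matches nothing for that position.
TRIPLE_RE = re.compile(r"^\((?P<host>[^,]*),(?P<user>[^,]*),(?P<domain>[^)]*)\)$")


def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of values.

    Handles blank-line separated records and leading-space continuation lines;
    base64 (::) values and comments are skipped for brevity.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr:      # continuation line
            current[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                   # base64 value, ignored here
            continue
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def build_netgroups(entries):
    """Map netgroup cn -> (set of hosts from triples, list of member netgroups)."""
    groups = {}
    for e in entries:
        if "nisNetgroup" not in e.get("objectClass", []):
            continue
        name, hosts = e["cn"][0], set()
        for triple in e.get("nisNetgroupTriple", []):
            m = TRIPLE_RE.match(triple)
            if not m:
                raise ValueError(f"malformed triple in {name}: {triple}")
            if m.group("host") not in ("", "-"):
                hosts.add(m.group("host").lower())
        groups[name] = (hosts, list(e.get("memberNisNetgroup", [])))
    return groups


def netgroup_hosts(groups, name, seen=None):
    """All hosts in a netgroup, recursing through memberNisNetgroup; cycles are safe."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    if name not in groups:
        raise KeyError(f"netgroup {name} is referenced but not defined")
    hosts, members = groups[name]
    out = set(hosts)
    for member in members:
        out |= netgroup_hosts(groups, member, seen)
    return out


def allowed_hosts(entries, groups):
    """Map uid -> set of hostnames granted by its host attribute (expanded)."""
    access = {}
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        hosts = set()
        for h in e.get("host", []):
            hosts |= netgroup_hosts(groups, h[1:]) if h.startswith("@") else {h.lower()}
        access[e["uid"][0]] = hosts
    return access


def may_login(access, uid, hostname):
    """Exact, case-insensitive hostname match against the expanded grant set."""
    return hostname.lower() in access.get(uid, set())


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    acc = allowed_hosts(ents, build_netgroups(ents))
    for uid, hosts in sorted(acc.items()):
        print(uid, "->", ", ".join(sorted(hosts)))
```

Running it prints one line per user with the fully expanded host list, which is the view an administrator wants when checking that nobody has been granted a host by accident through a nested netgroup.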
On 3/5/09 11:37 AM, "Adam Williams" <[email protected]> wrote:
> http://www.nabble.com/restricting-users-to-certain-hosts--to15832812.html
>
> Christian Caruthers wrote:
>> I have been looking around for an answer to this for a few days. I have a
>> cluster of machines and I want to limit who can login where without messing
>> too much with config files on individual machines. I thought I could do
>> something using netgroups, but I've had little luck. So far, the only thing
>> that has worked is using "pam_check_host_attr yes" coupled with a list of
>> hosts in the user's entry. I've tried creating a netgroup of hosts and
>> referencing that in the host entry, but that didn't work. I'm trying to
>> avoid having to list out over a hundred hosts in a user's LDAP entry.
>>
>> Ideally, I would like to create groups of hosts and allow users access to
>> those host groups. Is there some documentation about the host declaration
>> that I'm missing?
>>
>> Sorry if this has been covered before, but I didn't see any area where I can
>> search the archive.
>>
>> Thanks
>>
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=++=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>> Christian Caruthers, System Administrator, SSAI
>> NASA Langley Research Center Atmospheric Sciences Data Center
>> Mail Stop 157D
>> 2 South Wright St., Bldg. 1268C, Room 2303G
>> Hampton, VA 23681-2199
>> [email protected]
>> Phone: (757)864-7569 Mobile: (757)272-9583
>> http://eosweb.larc.nasa.gov Fax: (757)864-8807
>> +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>>
>> "A common mistake that people make when trying to design something
>> completely foolproof is to underestimate the ingenuity of complete fools."
>>
>> - Douglas Adams
>>
>>