[ale] disabled accounts and pam

Stephen J. Pellicer spellicer at 8thlayer.net
Wed Jun 27 18:31:26 EDT 2001


One technique I've seen popping up in tools is to add an allowed hostname
attribute to the user (I forgot what the attribute was named). Then, if you
are using nss_ldap and pam_ldap, in your /etc/ldap.conf you can set:

    pam_filter allowedhost=hostname

The pam_filter setting is AND'ed with uid=username to find the object in
your directory. This style is especially useful for using a central ldap
server to centralize authentication for many systems. Access control is
controlled by the presence of the attribute. I haven't looked at the
functionality to see if you can do a disallowedhost!=hostname and my ldap
filterstring building isn't quite up to snuff.
I'm not sure what your access control on your directory is, but you'd
obviously want to make sure that non administrative authenticated users are
not allowed to change allowedhost attributes (or whatever you end up naming
it).

Hope this is what you were looking for,
Stephen
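As an added illustration (not code from this thread, and not pam_ldap's own implementation), the Python below builds the filter that results from AND'ing a pam_filter value with uid=username, escapes the login name per RFC 4515 so it cannot alter the filter, and evaluates the result against a few constructed directory entries. The "(!(disallowedhost=...))" form uses standard LDAP filter negation; whether a particular pam_ldap build accepts it in pam_filter is an assumption the thread does not confirm.

```python
import re

def ldap_escape(value):
    """Escape filter metacharacters (RFC 4515) so a login name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def ldap_unescape(value):
    """Reverse ldap_escape so parsed values compare against stored attribute values."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_pam_filter(username, pam_filter=""):
    """Combine uid=<username> with the pam_filter setting the way the reply describes (AND)."""
    base = "(uid=%s)" % ldap_escape(username)
    if not pam_filter:
        return base
    extra = pam_filter if pam_filter.startswith("(") else "(%s)" % pam_filter
    return "(&%s%s)" % (base, extra)

def parse_filter(s, i=0):
    """Parse a subset of RFC 4515 filters: (attr=value), (&...), (|...), (!...)."""
    assert s[i] == "(", "expected '(' at %d" % i
    i += 1
    if s[i] in "&|!":
        op, items, i = s[i], [], i + 1
        while s[i] != ")":
            node, i = parse_filter(s, i)
            items.append(node)
        return (op, items), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.lower(), ldap_unescape(value).lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against {attr: set(values)}; matching is case-insensitive."""
    if node[0] == "=":
        return node[2] in {v.lower() for v in entry.get(node[1], ())}
    op, items = node
    if op == "&":
        return all(matches(n, entry) for n in items)
    if op == "|":
        return any(matches(n, entry) for n in items)
    return not matches(items[0], entry)

DIRECTORY = [  # constructed sample entries; attribute names are lower-cased
    {"uid": {"alice"}, "allowedhost": {"web01", "db01"}},
    {"uid": {"bob"}, "allowedhost": {"web01"}, "disallowedhost": {"db01"}},
    {"uid": {"carol"}},  # no allowedhost at all: locked out of every host
]

def user_may_log_in(username, hostname, template="allowedhost=%s", directory=DIRECTORY):
    """True if some entry satisfies the combined filter; template stands in for the ldap.conf line."""
    node, _ = parse_filter(build_pam_filter(username, template % hostname))
    return any(matches(node, e) for e in directory)
```

Removing the allowedhost value from an entry (or never adding it, as for carol) disables the login on that host without deleting the account, which is the behaviour the reply describes.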

-----Original Message-----
From: owner-ale at ale.org [mailto:owner-ale at ale.org] On Behalf Of Dan Newcombe
To: ale at ale.org
Sent: Wednesday, June 27, 2001 3:22 PM
To: ALE
Subject: [ale] disabled accounts and pam

I have a RH7.1 system setup.  It has OpenLDAP running on it, and the
nss_ldap module has been setup as well, so that most users are in the LDAP
server, not /etc/passwd.

All this works fine.

What I'm looking for is a way to disable users that does not involve
deleting the accounts.  I was hoping for something as simple for nss_ldap
or pam_ldap that would let me give it an LDAP object to look at for a
particular dn (something like isAccountDisabled) and based on the result
allow access or not.

However, both pam_ldap and nss_ldap seem to just care if the password
matches or not.

Does anyone know of a ready-to-go solution to this?  I don't really want to
have to write my own pam_ldap module to check this one thing if possible!

Thanks!
	-Dan

--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message
body.
