LDAP: How to restrict login to certain hosts?
807573 — Apr 11 2007 — edited Apr 12 2007

Hello.
I've got the LDAP client from Sun installed and going on a Solaris 10 machine. Now I'd like to "tune" it a bit...
One thing I'd like to be able to do is restrict which machines a user can log in to. With the PADL.com LDAP software, that's pretty easy to achieve. All that needs to be done is to add a "host" attribute to an object in the LDAP and set a configuration variable in its /etc/ldap.conf (pam_check_host_attr yes). What happens is that the pam_ldap client from PADL will then also check the "host" attribute and return failure if the machine being logged in to isn't listed in this multi-valued attribute.
What I'd like to achieve is that I'd have ALL my users in the LDAP, but I would like user "joe" to be able to log on to machines "winds06" and "winds05". For example, user "brian" should only be allowed to log in to "winds05". I'd like to be able to tune this on the LDAP side, so that it's easy to allow "brian" later on to log in to "winds05" as well, or to revoke the login right to "winds05" from "joe".
How would I get a behaviour sort of like this with the LDAP client from Sun?
Thanks,
Alexander Skwar
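The following is an added example, not code from the original post or from PADL or Sun. It models the pam_check_host_attr behaviour the post describes over a constructed LDIF directory containing the "joe" and "brian" entries, and generates the ldapmodify change records that would grant or revoke a host on the LDAP side. The matching rules (exact, case-insensitive hostname match; a value of "*" meaning any host; deny when the attribute is absent), the object class carrying the attribute (cosine "account"), and the example DNs are my assumptions, not facts stated on the page.

```python
"""Simulate pam_ldap's pam_check_host_attr decision over a constructed LDIF directory.

Added example, not code from the original post. The matching rules below
(exact hostname match, "*" meaning any host, deny when "host" is absent)
are assumptions about the PADL behaviour being described.
"""

# Constructed sample directory, not from the post. The cosine "account" object
# class carries the multi-valued "host" attribute. "carol" has no host attribute.
SAMPLE_LDIF = """\
dn: uid=joe,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: account
uid: joe
host: winds06
host: winds05

dn: uid=brian,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: account
uid: brian
host: winds05

dn: uid=admin,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: account
uid: admin
host: *

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: account
uid: carol
"""


def parse_ldif(text):
    """Minimal LDIF reader: a list of entries, each a dict of lower-cased attr -> [values]."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):      # LDIF comment
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_user(entries, uid):
    """Return the entry whose uid matches, or None (unknown users are denied)."""
    for entry in entries:
        if uid in entry.get("uid", []):
            return entry
    return None


def host_allowed(entry, hostname, check_host_attr=True):
    """Decide like pam_ldap with pam_check_host_attr set (assumed semantics, see lead-in)."""
    if not check_host_attr:           # pam_check_host_attr no: attribute is ignored
        return True
    allowed = entry.get("host", [])
    if not allowed:                   # no host attribute at all: deny everywhere
        return False
    return any(h == "*" or h.lower() == hostname.lower() for h in allowed)


def authorize(ldif_text, uid, hostname, check_host_attr=True):
    """Full decision for one login attempt against the directory text."""
    entry = find_user(parse_ldif(ldif_text), uid)
    if entry is None:
        return False
    return host_allowed(entry, hostname, check_host_attr)


def host_change_ldif(dn, host, grant):
    """Build an ldapmodify change record that grants (add) or revokes (delete) one host value."""
    op = "add" if grant else "delete"
    return f"dn: {dn}\nchangetype: modify\n{op}: host\nhost: {host}\n-\n"


if __name__ == "__main__":
    for uid, host in [("joe", "winds06"), ("joe", "winds05"),
                      ("brian", "winds06"), ("brian", "winds05"),
                      ("admin", "winds99"), ("carol", "winds05")]:
        print(f"{uid:6s} -> {host}: {'allow' if authorize(SAMPLE_LDIF, uid, host) else 'deny'}")
    # Revoking joe's access to winds05 is a single attribute-value delete on the LDAP side.
    print(host_change_ldif("uid=joe,ou=People,dc=example,dc=com", "winds05", grant=False))
```

The change record from host_change_ldif is what you would feed to ldapmodify to adjust a user's allowed hosts without touching any client machine; the client side only needs pam_check_host_attr enabled. Note that with pam_check_host_attr off the attribute has no effect at all, so an audit of such a setup should confirm both the attribute values and the client setting.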