Bug 163414
Summary: | how to restrict server logins | |
---|---|---|---
Product: | [Retired] 389 | Reporter: | Aaron Bliss <aaron>
Component: | Unknown | Assignee: | Rich Megginson <rmeggins>
Status: | CLOSED NOTABUG | QA Contact: | Orla Hegarty <ohegarty>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 7.1 | CC: | ohegarty
Target Milestone: | --- | Keywords: | FutureFeature
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Enhancement
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2005-07-18 16:03:50 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description

Aaron Bliss, 2005-07-16 00:30:19 UTC

Do you want to allow certain people to be able to log in to certain hosts? This is done via the "host" attribute, a multi-valued attribute which holds the FQDN of the hosts you want to allow access to. You need to get this attribute into your users' entries. Many programs require that the user have the posixAccount and shadowAccount objectclasses (e.g. they do a search like (objectclass=posixAccount)), so you will need to add those objectclasses to your users' entries.

The "host" attribute is in the "account" objectclass. Although it is a structural objectclass, FDS allows you to add it to an existing entry. However, this is not standard LDAP. A better way would be to create a new AUXILIARY objectclass (e.g. hostUser) and have the "host" attribute as an allowed attribute (MAY) of that objectclass. Then add the "hostUser" objectclass to your users.

Aaron, on Fedora, put this into /etc/pam.d/system-auth:

auth required /lib/security/pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/login_limit_list.conf

In the login_limit_list.conf file list all the groups that are allowed to log in.
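As an added example (not part of the bug report and not 389 DS or pam_ldap code), the script below mirrors the two decisions described above over a constructed LDIF sample: whether a user entry's multi-valued "host" attribute permits login to a given FQDN (only entries with posixAccount count), and whether a pam_listfile group allow-list with onerr=fail admits the user's groups. The DNs, hostnames, group names and the "hostUser" objectclass are constructed assumptions.

```python
# Constructed sample directory entries: aaron carries the auxiliary hostUser
# objectclass with two host values, bob has no host attribute at all.
SAMPLE_LDIF = """\
dn: uid=aaron,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: hostUser
uid: aaron
host: web01.example.com
host: web02.example.com

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
uid: bob
"""


def parse_ldif(text):
    """Minimal LDIF reader for the simple 'attr: value' form above.
    Returns {dn: {attr_lower: [values]}}; no base64 or continuation lines."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


def host_allowed(entry, fqdn):
    """Login is permitted only if the entry is a posixAccount and one of its
    'host' values equals the FQDN being logged in to (exact, case-insensitive)."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        return False
    return fqdn.lower() in {h.lower() for h in entry.get("host", [])}


def listfile_allows(user_groups, conf_text):
    """pam_listfile with item=group sense=allow onerr=fail: permit if any of the
    user's groups is listed; an unreadable file (None) denies (onerr=fail)."""
    if conf_text is None:
        return False
    allowed = {line.strip() for line in conf_text.splitlines() if line.strip()}
    return any(g in allowed for g in user_groups)
```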