Bug 163414 - how to restrict server logins
Summary: how to restrict server logins
Status: CLOSED NOTABUG
Alias: None
Product: 389
Classification: Retired
Component: Unknown
Version: 7.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Orla Hegarty
URL:
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks:
 
Reported: 2005-07-16 00:30 UTC by Aaron Bliss
Modified: 2007-04-18 17:29 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-07-18 16:03:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



Description Aaron Bliss 2005-07-16 00:30:19 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 SUSE/1.0.4-1.1

Description of problem:
I'm not sure this is a bug more than lack of understanding; however, I couldn't find anywhere else to post this, so here goes. I'm testing out the directory server on a few Linux servers to be used for authentication; however, I can't seem to find a way to restrict access to a server based on user or group membership. Is there a way to allow certain users to log in to certain boxes but not others when authenticating against the directory server?

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try


Additional info:

Comment 1 Rich Megginson 2005-07-18 16:03:50 UTC
Do you want to allow certain people to be able to login to certain hosts?  This
is done via the "host" attribute, a multi-valued attribute which holds the FQDN
of the hosts you want to allow access to.  You need to get this attribute into
your users' entries.  Many programs require that the user have the posixAccount
and shadowAccount objectclasses (e.g. they do a search like
(objectclass=posixAccount)), so you will need to add those objectclasses to your
users' entries.  The "host" attribute is in the "account" objectclass.  Although
it is a structural objectclass, FDS allows you to add it to an existing entry. 
However, this is not standard LDAP.  A better way would be to create a new
AUXILIARY objectclass (e.g. hostUser) and have the "host" attribute as an
allowed attribute (MAY) of that objectclass.  Then add the "hostUser"
objectclass to your users.

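As an added example (not code from the bug report, from the commenter, or from 389 DS itself), the shell script below generates the LDIF for the auxiliary objectClass suggested in comment 1, the LDIF that attaches it, together with the allowed FQDNs, to a user entry, and pushes both with OpenLDAP's ldapmodify. The server URI, the bind DN, the suffix dc=example,dc=com, the user DN in the usage line and the stand-in OID hostUser-oid are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or from 389 DS: generates the
# LDIF for an auxiliary objectClass that carries the multi-valued "host"
# attribute (comment 1) and for attaching it, with allowed FQDNs, to a user.
# Placeholders (assumptions): the server URI, the bind DN, the suffix
# dc=example,dc=com and the temporary OID "hostUser-oid".
set -eu

LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
BIND_DN="${BIND_DN:-cn=Directory Manager}"

# Schema change: 389 DS accepts "<name>-oid" as a stand-in OID for user-defined
# schema; replace it with an OID from your own arc before production use.
# "host" itself already exists in the server's core (cosine) schema.
# Re-running this once the class exists fails with "Type or value exists".
hostuser_schema_ldif() {
    cat <<'EOF'
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( hostUser-oid NAME 'hostUser' DESC 'Carries the host attribute for per-host login restriction' SUP top AUXILIARY MAY host X-ORIGIN 'user defined' )
EOF
}

# Entry change: $1 is the user DN, the remaining arguments are the FQDNs the
# user may log in to.  "add: objectClass" fails if hostUser is already on the
# entry; drop that part of the modify when only adding further hosts.
host_grant_ldif() {
    dn="$1"
    shift
    printf 'dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: hostUser\n-\nadd: host\n' "$dn"
    for h in "$@"; do
        printf 'host: %s\n' "$h"
    done
}

# Push both changes with OpenLDAP's ldapmodify (prompts for the bind password;
# needs network access to the directory).
apply() {
    hostuser_schema_ldif | ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -W
    host_grant_ldif "$@" | ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -W
}

# Usage: sh host_grant.sh apply 'uid=abliss,ou=People,dc=example,dc=com' web1.example.com web2.example.com
if [ "${1:-}" = apply ]; then
    shift
    apply "$@"
fi
```

The directory only stores the attribute; the decision is made on each client by pam_ldap when /etc/ldap.conf carries `pam_check_host_attr yes`. A host whose PAM stack lacks that setting, or an application that binds to the directory on its own, is not restricted by the host values at all, so this is a client-enforced control and every client that should honour it has to be configured for it.
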
Comment 4 Simon Ilyushchenko 2005-09-26 18:06:45 UTC
Aaron,

On Fedora, put this into /etc/pam.d/system-auth:

auth       required     /lib/security/pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/login_limit_list.conf

In the login_limit_list.conf file list all the groups that are allowed to login.

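As an added example (not code from the bug report or from the commenter), the script below installs the group allow-list described in comment 4 and adds the check a practitioner would want: that the pam_listfile line sits before any `sufficient` auth module, because a sufficient module that succeeds ends the auth stack and a list check placed after it is never consulted. The file paths are the ones from the comment; the group names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not code from the bug report: installs the group allow-list
# from comment 4 and checks that the pam_listfile line sits before any
# "sufficient" auth module.  A sufficient module that succeeds ends the auth
# stack immediately, so a list check placed after pam_unix/pam_ldap never runs.
# Paths follow the comment; the group names in the usage line are placeholders.
set -eu

PAM_FILE="${PAM_FILE:-/etc/pam.d/system-auth}"
LIST_FILE="${LIST_FILE:-/etc/security/login_limit_list.conf}"
# The comment's line, on one line as PAM expects it.  Fedora of that era used
# the full path /lib/security/pam_listfile.so; current PAM finds the module by name.
LISTFILE_LINE="auth       required     pam_listfile.so onerr=fail item=group sense=allow file=$LIST_FILE"

# Returns 0 when, in the PAM file $1, the pam_listfile auth line precedes the
# first "auth sufficient" line; 1 if it is missing or comes after one.
# Only the simple control keywords are parsed, not the [value=action] form.
listfile_precedes_sufficient() {
    awk '
        $1 == "auth" && $0 ~ /pam_listfile\.so/ { if (!seen_suff) ok = 1; exit }
        $1 == "auth" && $2 == "sufficient"      { seen_suff = 1 }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# Inserts LISTFILE_LINE in front of the first auth line of $1 unless a
# pam_listfile line is already present; keeps a .bak copy and preserves the
# original file's owner and mode by rewriting it in place.
install_listfile_line() {
    if grep -q 'pam_listfile\.so' "$1"; then
        return 0
    fi
    tmp="$1.tmp.$$"
    awk -v line="$LISTFILE_LINE" '
        !done && $1 == "auth" { print line; done = 1 }
        { print }
    ' "$1" > "$tmp"
    cp -p "$1" "$1.bak"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Writes the allow-list, one group per line.  pam_listfile refuses a file that
# is world-writable or not a regular file (with onerr=fail that denies
# everyone), so keep it 0644 and, in production, owned by root.
# Groups must resolve through NSS (e.g. nss_ldap) for item=group to see them.
write_group_list() {
    file="$1"
    shift
    : > "$file"
    for g in "$@"; do
        printf '%s\n' "$g" >> "$file"
    done
    chmod 0644 "$file"
}

# Usage (as root): sh login_limit.sh install sysadmins webops
if [ "${1:-}" = install ]; then
    shift
    write_group_list "$LIST_FILE" "$@"
    install_listfile_line "$PAM_FILE"
    listfile_precedes_sufficient "$PAM_FILE" \
        || echo "warning: pam_listfile is after a sufficient module in $PAM_FILE" >&2
fi
```

Two things the comment's one-liner leaves implicit: `onerr=fail` means a missing or unreadable list file locks everyone out, including local root logins going through system-auth, so keep a console route that does not depend on it while testing; and because the check keys on group membership resolved through NSS, a directory outage that makes nss_ldap return no groups has the same locking effect.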

