List:       pamldap
Subject:    Re: [pamldap] pam_check_host_attr for DHCP client
From:       Christian Hilty <christian.hilty () gmail ! com>
Date:       2012-06-22 20:20:06
Message-ID: 4FE4D376.40308 () gmail ! com

Thanks! What you suggest works perfectly.
Chris

On 06/22/2012 12:03 PM, Chuck Theobald wrote:
> On 6/21/2012 10:59 PM, chris121 wrote:
>> Hi,
>> I have set up a small network of Linux clients using LDAP authentication. I
>> need to selectively allow users access to various clients. The
>> pam_check_host_attr works well for this purpose, as long as the client has a
>> static IP address. Some of the clients unfortunately are DHCP, which means
>> that their hostname is not resolved by the DNS server. In this case, access
>> is denied if pam_check_host_attr is set to "yes" in pam_ldap.conf. Is there
>> any way of making host name checking work for DHCP clients?
>> Thanks!
>
> My approach to this has been to use pam_filter and the description 
> attribute on each machine's ldap.conf (or pam_ldap.conf) file. Each 
> user account then gets a description value according to the machines 
> to which they have access. Authorization is then controlled only by 
> the LDAP database and the pam settings, with no need to reference any 
> outside sources of information, e.g. DNS.
>
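
The pam_filter approach from the quoted reply, modelled as an added example (not part of the original messages and not pam_ldap code). The host tags, accounts and function names are constructed for illustration, and it assumes pam_ldap ANDs pam_filter with the login-attribute match when it looks up the user.

```python
# Added illustration; not pam_ldap source code.
# Assumption: pam_ldap looks the user up with pam_filter ANDed onto the
# login-attribute match, i.e. (&(<pam_filter>)(uid=<user>)).

# Constructed sample directory: description is multi-valued, one value per
# machine the account may log in to. Host tags are made-up names.
DIRECTORY = [
    {"uid": ["alice"], "description": ["lab-ws01", "lab-ws02"]},
    {"uid": ["bob"], "description": ["lab-ws02"]},
]

# Constructed per-machine settings: the pam_filter line in each machine's
# ldap.conf / pam_ldap.conf.
HOST_PAM_FILTER = {
    "lab-ws01": "description=lab-ws01",
    "lab-ws02": "description=lab-ws02",
}


def escape_filter_value(value):
    """Escape a value for use in an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def effective_filter(pam_filter, user, login_attr="uid"):
    """Filter string the user lookup would send for this machine."""
    return "(&(%s)(%s=%s))" % (pam_filter, login_attr, escape_filter_value(user))


def entry_matches(entry, pam_filter, user, login_attr="uid"):
    """Evaluate that AND filter locally for a simple attr=value pam_filter."""
    attr, _, wanted = pam_filter.partition("=")
    has_tag = wanted.lower() in (v.lower() for v in entry.get(attr, []))
    return has_tag and user in entry.get(login_attr, [])


def allowed_hosts(user):
    """Machines on which the lookup for `user` returns an entry."""
    return sorted(
        host for host, flt in HOST_PAM_FILTER.items()
        if any(entry_matches(e, flt, user) for e in DIRECTORY)
    )


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, allowed_hosts(name))
    print(effective_filter(HOST_PAM_FILTER["lab-ws01"], "bob"))
```

An account lacking the machine's description value is simply not returned by the lookup, so the decision never touches DNS or the client's IP address.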
