On Wednesday 02 December 2009 15:09:27, Roger Oberholtzer wrote:
On Wed, 2009-12-02 at 14:57 +0100, Ralf Haferkamp wrote:
On Wednesday 02 December 2009 14:51:33, Roger Oberholtzer wrote:
On Wed, 2009-12-02 at 14:20 +0100, Ralf Haferkamp wrote:
I see that the Ldap DN record will probably look like this:
CN=roropq,OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC
where CN= will obviously differ for all, but I think the rest will be the same. As you move to the left in the OU= list, the scope narrows. It is OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC that I want to restrict login to.
I understood. AFAIK this is currently not possible with winbind. I just learned, however, that you can restrict login based on group membership. Please have a look at the require_membership_of option for pam_winbind in the pam_winbind man page. That way, if you put all the desired users into one group, you could restrict login to be allowed only to members of that group.
Which begs the question:
How, in this context, do I put all users in the same group?
I am not sure if I understand your problem. But I would use the Windows MMC to create a new group (e.g. linux-user) and make all the desired users members of that group. Is there a problem with that?
Yes. The AD is company-wide, with thousands of members. They do not let folk play with it.

Ok, I was (wrongly) assuming that you had administrative rights on the AD and were allowed to make changes there. Assuming that there is no way to restrict login with winbind to a specific OU (I don't think there is one, until winbind has some support for Group Policies, but that would require some administrative changes on the AD server as well), I don't know a way to solve your problem. You could probably ask on the samba mailing list:
https://lists.samba.org/mailman/listinfo/samba (You could of course switch to pam_ldap/nss_ldap, but I would try to avoid that when using AD.)
Linux has to use the AD as it is. I think this is the way it usually is in an organization of any size.
In fact, they use the Novell Client for Windows for login. Perhaps there is something that can be used from that? So far, I have not come across anything. It seems the AD is the only authentication route available.
-- 
Ralf

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
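The require_membership_of option that Ralf points to, written out as an added configuration example that is not part of the thread above. The domain name EXAMPLE, the group name linux-users and the SID shown are placeholders for illustration, not values from the original mail; the setting only helps once someone with rights on the AD has created and populated such a group, and, as the thread says, it filters by group, not by OU:

```ini
; /etc/security/pam_winbind.conf (added example; EXAMPLE and linux-users are placeholders)
[global]
; Without require_membership_of, every AD account that winbind can resolve
; is allowed through pam_winbind. With it, pam_winbind refuses any account
; that is not a (direct or nested) member of at least one listed group.
; Several groups are separated by commas.
require_membership_of = EXAMPLE\linux-users

; The group may also be given as its SID instead of its name, which keeps
; the restriction intact if the group is later renamed in AD.
; The SID below is a placeholder, not a real domain SID.
; require_membership_of = S-1-5-21-0000000000-0000000000-0000000000-1234
```

The same restriction can be passed directly on the PAM line instead of the config file, as `auth required pam_winbind.so require_membership_of=EXAMPLE\linux-users`. To check what the setting will match before relying on it, `wbinfo -n 'EXAMPLE\linux-users'` prints the group's SID (and fails if winbind cannot resolve the name), and `wbinfo -r USERNAME` lists the GIDs of the groups a given user belongs to, which `getent group` maps back to names. Keep a non-winbind local account with a working login path while testing, since a typo in the group name locks every AD user out rather than letting them in.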