Roger Oberholtzer wrote:
On Tue, 2009-12-01 at 20:18 +0100, Joachim Schrod wrote:
Roger Oberholtzer wrote:
On Fri, 2009-11-20 at 22:28 +0100, Lars Müller wrote:
On Wed, Nov 18, 2009 at 05:09:21PM +0100, Roger Oberholtzer wrote:
We have thousands of users in the Active Directory. I really do not want all of them to have access. In the LDAP entry, there is an OU= field for those I want to be able to log in. Is it possible to limit login to those in some specified OU= ?
See the ldap setting examples from the samba-doc package in /usr/share/doc/packages/samba/examples/smb.conf.SUSE
Plus the explanations in the smb.conf man page.
I have now looked here. I am none the wiser.
I didn't notice the original thread. If you want to limit LDAP authentication to an OU, you need to change ldap.conf and adapt nss_base_* there. (That's the conf file used by pam_ldap.)
If all persons are below the OU, that's easy, you need to specify the respective new base DN. If not, you need to specify that as a filter, then it gets a bit more complex, but the commented config clauses in this file should give you a hint.
If you want the other uids to be invisible, you also need to change nss-ldap.conf and change "base *" there.
I don't know enough about your setup to be more specific. I also don't know if that can be done via yast.
All the users share OU=RST. I want to limit valid users to those who have this.
OU=RST is usually something in the middle of the whole tree. You need to know the stuff after OU=RST as well. If you know it, do as follows:

-- Check that pam_ldap is used: grep for it in /etc/pam.d/*. If it appears there, everything's ok.

-- Edit /etc/ldap.conf: There is base specified, at the start. This is called the base DN. Check further if nss_base_passwd is commented out or not. You need to use that clause, and supply your complete DN there, including OU=RST. (Maybe only prepend OU=RST, maybe there is some ou=people to prepend before OU=RST or insert in between it and the base DN.) Do the same for nss_base_shadow.

If that does not work, or if you don't know the complete full DN of your people LDAP tree, you'll have to use ldapsearch to find out if you can access your account. If you don't know ldapsearch, ask here. Basically an ldapsearch call looks like

    ldapsearch -x -h puma -b ou=people,dc=npc,dc=de -s one \
        uid=schrod

and should give some output. (puma is the name of my LDAP server, schrod my login name.) If not, try it with sAMAccountName=schrod; AFAIR for some versions of AD sAMAccountName is used as the uid attribute name. That should actually be configured in ldap.conf as well, as nss_map_attribute or pam_login_attribute. If ldap.conf has a clause "ssl start_tls", you'll probably also need to add -ZZ to ldapsearch. Maybe leave "-s one" off, then it will search the whole tree from the base DN; that should give a result with information where the account records are stored in the LDAP tree.

Furthermore:

-- If rcnslcd is running (new since 11.1 w/ updates), you might want to configure nss-ldap.conf as well. This is used for name and uid lookup, so if you leave it as is, the other uids will still be visible, even though they can't log in. Or maybe that's what you want, YMMV.

Good luck,
Joachim

PS: Tomorrow I'm the whole day at a client, so I'm not going to answer further emails before Thursday.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod                              Email: jschrod@acm.org
Roedermark, Germany
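As an added illustration of the /etc/ldap.conf changes Joachim describes (not a file from the thread or from any openSUSE package), here is a pam_ldap/nss_ldap fragment showing the base-wide lookup beside the OU-restricted one. The directory layout (OU=RST directly under DC=example,DC=com), the server name and the bind account are assumptions; adjust them to what ldapsearch shows for your tree.

```conf
# /etc/ldap.conf (pam_ldap / nss_ldap) -- added example, not from the thread.
# Assumed layout: RST accounts live under OU=RST,DC=example,DC=com
# on a domain controller called ad.example.com.

uri ldap://ad.example.com/
ssl start_tls            # when set, check with: ldapsearch -ZZ -x ...

# AD usually needs an authenticated bind before it answers searches;
# use a read-only service account, never a privileged one.
binddn CN=ldap-reader,OU=Service,DC=example,DC=com
bindpw CHANGE-ME

# Base DN of the whole tree; this is the "base" Joachim refers to.
base DC=example,DC=com

# Base-wide form (what you get if nss_base_* stay commented out):
# every account anywhere below the base DN resolves and can log in.
#nss_base_passwd DC=example,DC=com?sub
#nss_base_shadow DC=example,DC=com?sub

# Restricted form: the clause syntax is  base?scope?filter.
# Scope "one" matches only entries directly under OU=RST, so accounts
# elsewhere in the tree are simply not found by NSS or by pam_ldap.
nss_base_passwd OU=RST,DC=example,DC=com?one
nss_base_shadow OU=RST,DC=example,DC=com?one

# If RST users sit in several sub-OUs, search the subtree instead and
# narrow with a filter (this is the "filter" case Joachim mentions):
#nss_base_passwd OU=RST,DC=example,DC=com?sub?(objectClass=user)
#nss_base_shadow OU=RST,DC=example,DC=com?sub?(objectClass=user)

# AD keeps the login name in sAMAccountName rather than uid.
pam_login_attribute sAMAccountName
nss_map_attribute uid sAMAccountName
```

Verify the effect with `getent passwd <login>` for one RST user and one non-RST user: the first should resolve, the second should not.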