On Wednesday, 02 December 2009 at 12:19:53, Roger Oberholtzer wrote:
> On Wed, 2009-12-02 at 11:52 +0100, Ralf Haferkamp wrote:
> > I think you are mixing up a few things here. As far as I understood Roger, he was using the Windows Domain Membership YaST Module to join an openSUSE Client into a Windows AD Domain. That uses neither pam_ldap nor nss_ldap nor nss-ldapd. It is using winbindd (and its nss/pam modules), which is the preferred way to become a member in an Active Directory environment, as winbind knows much better how to handle some of the quirks and "features" of Active Directory than the generic ldap modules do.
>
> I am indeed using SAMBA's winbind, as set up via YaST.
>
> > As for the original question, I don't know exactly if/how it is possible to restrict login on certain hosts to certain users/groups with winbind. Probably one of our samba experts does. Lars?
>
> I see that the LDAP DN record will probably look like this:
>
> CN=roropq,OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC
>
> where CN= will obviously differ for all, but I think the rest will be the same. As you move to the left in the OU= list, the scope narrows. It is OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC that I want to restrict login to.

I understood. AFAIK this is currently not possible with winbind. I just learned, however, that you can restrict login based on group membership. Please have a look at the require_membership_of option for pam_winbind in the pam_winbind man-page. That way, if you put all the desired users into one group you could restrict login to be allowed only to members of that group.

--
Ralf
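A way to check that the group restriction suggested above is actually in place on a host, as an added example that is not part of the original thread: the script flags any active pam_winbind auth line that lacks require_membership_of. The function names, the sample PAM stacks and the group EXAMPLE\linux-logins are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag pam_winbind auth lines that lack
# require_membership_of. File contents and the group name are constructed.

# winbind_auth_unrestricted FILE
# Prints every active "auth ... pam_winbind.so" line without
# require_membership_of=<value>; returns 1 if any was found, else 0.
winbind_auth_unrestricted() {
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        $1 ~ /^-?auth$/ && /pam_winbind\.so/ {
            if ($0 !~ /require_membership_of=[^ \t]+/) {
                print FILENAME ":" FNR ": " $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# make_samples DIR: write two constructed PAM auth stacks for the demo.
make_samples() {
    cat > "$1/open" <<'EOF'
auth required pam_env.so
auth sufficient pam_unix.so
auth required pam_winbind.so use_first_pass
EOF
    cat > "$1/restricted" <<'EOF'
auth required pam_env.so
auth sufficient pam_unix.so
# auth required pam_winbind.so use_first_pass
auth required pam_winbind.so use_first_pass require_membership_of=EXAMPLE\linux-logins
EOF
}

tmp=$(mktemp -d) && make_samples "$tmp"
for f in "$tmp/open" "$tmp/restricted"; do
    winbind_auth_unrestricted "$f" && echo "$f: every pam_winbind auth line is restricted"
done
rm -rf "$tmp"
```

The check reads only the PAM service file it is given; a require_membership_of setting placed in pam_winbind.conf instead is not seen by it.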