On Wed, 2009-12-02 at 14:57 +0100, Ralf Haferkamp wrote:
On Wed, 2009-12-02 at 14:20 +0100, Ralf Haferkamp wrote:
I see that the LDAP DN record will probably look like this:
CN=roropq,OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC
where CN= will obviously differ for all, but I think the rest will be the same. As you move to the left in the OU= list, the scope narrows. It is OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC that I want to restrict login to.
I understood. AFAIK this is currently not possible with winbind. I just learned however that you can restrict login based on group membership. Please have a look at the require_membership_of option for pam_winbind in the pam_winbind man-page. That way, if you put all the desired users into one group you could restrict login to be allowed only to members of that group.
On Wednesday, 02 December 2009 14:51:33, Roger Oberholtzer wrote:
Which begs the question:
How, in this context, do I put all users in the same group?
I am not sure if I understand your problem. But I would use the Windows MMC to create a new group (e.g. linux-user) and make all the desired users members of that group. Is there a problem with that?
Yes. The AD is company-wide, with thousands of members. They do not let folk play with it. Linux has to use the AD as it is. I think this is the way it usually is in an organization of any size. In fact, they use the Novell Client for Windows for login. Perhaps there is something that can be used from that? So far, I have not come across anything. It seems the AD is the only authentication route available.
--
Roger Oberholtzer
OPQ Systems / Ramböll RST
Ramböll Sverige AB
Krukmakargatan 21
P.O. Box 17009
SE-104 62 Stockholm, Sweden
Office: Int +46 10-615 60 20
Mobile: Int +46 70-815 1696
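The subtree test described in the thread (is a user's DN located under OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC?), written out as an added example; it is not part of the thread and not a pam_winbind feature. The function names are hypothetical, and the DNs marked as constructed are not from the thread.

```python
"""Added example: test whether an LDAP DN lies under a given OU subtree."""


def normalize_rdn(rdn):
    """Trim and lower-case type and value (CN/OU values match case-insensitively)."""
    attr, _, value = rdn.partition("=")
    return (attr.strip().lower(), value.strip().lower())


def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas (backslash escapes a comma)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return [normalize_rdn(r) for r in rdns if r.strip()]


def is_under(user_dn, base_dn):
    """True if user_dn is strictly below base_dn: the base RDNs must be the
    right-hand (least specific) end of the user's RDN list."""
    user, base = split_rdns(user_dn), split_rdns(base_dn)
    if not base or len(user) <= len(base):
        return False
    return user[-len(base):] == base


# BASE and USER are the DNs quoted in the thread.
BASE = "OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC"
USER = "CN=roropq,OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC"
# Constructed: a sibling OU, and a CN with an escaped comma plus mixed case.
OTHER = "CN=someone,OU=ABC,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC"
ESCAPED = r"CN=Doe\, Jane,ou=rst, ou=kaj24,OU=MMA,OU=SYD,OU=SCC"

if __name__ == "__main__":
    for dn in (USER, OTHER, ESCAPED):
        print(is_under(dn, BASE), dn)
```

Comparing parsed RDN lists rather than using a plain string suffix match keeps an escaped comma inside a CN, or differences in case and spacing, from changing the result.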