Re: Host Checking

xianc wrote:

I am trying to limit where users can and cannot login. I would like avoid configuring individual hosts as mush as possible since I'm talking about close to 200 machines with over 300 users. The more I can do in LDAP, the better.
Currently, I have been working with the following setup:

On the clients, I have:
pam_check_host_attr yes
nss_base_netgroup       ou=netgroup,dc=example,dc=com?one

On the server:
dn: cn=staffhosts,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: staffhosts
nisNetgroupTriple: (compute1.cluster.net,-,)
nisNetgroupTriple: (compute2.cluster.net,-,)

dn: uid=user1,ou=people,dc=example,dc=com
cn: User1 Name
gidNumber: 10000
givenName: User1
homeDirectory: /home/uid1
loginShell: /bin/bash
sn: Name
uid: user1
uidNumber: ##########
userPassword: {SSHA}
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: extensibleObject
host: @staffhosts

This doesn't seem to work. Is there another way to call to this host group in user1's host entry? Will the host entry accept wildcards or regular expressions?

Ideally, I would like to create groups of hosts and allow users access to these groups. I know, I can set up TCP wrappers to do this, but the goal here is to have as much configuration as possible on the LDAP server and as little as possible on the client machine - these are dumb compute nodes that are regularly reinstalled and repurposed, so the fewer places I have to change a configuration, the better.

Thanks