$dn is indeed the LDAP distinguished name of the user. There is currently nothing like $domain in nslcd.conf although it shouldn't be too difficult to implement.
I'm having some problems replicating prior pam_check_host_attr=yes approaches where wildcards were used when going from CentOS 6 to CentOS 7.
The quick challenge is that the following does not work:
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(host=*.$dn))
But ldapsearch -x "(&(objectClass=posixAccount)(uid=myname)(host=*.group.company.com))" does work, where a host attribute value of '*.group.company.com' should allow access to all hosts with that domain name.
Explicitly putting pam_authz_search (&(objectClass=posixAccount)(uid=$username)(host=*.group.company.com)) ALSO works (when on an appropriate box), something about $dn.
Confirmed 'hostname -d' on the command line returns group.company.com, but unsure why the configuration above doesn't work.
Serverfault post: http://serverfault.com/questions/701867/centos7-pam-authz-search-for-group-company-com
nss-pam-ldapd-0.8.13-8.el7.x86_64 version with CentOS 7.
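As the reply above notes, $dn expands to the user's distinguished name, not to a DNS domain. The following is an added example, not code from this thread or from nss-pam-ldapd: a simplified Python model of the substitution that shows why the $dn filter can never match the stored host value while the explicit one does. The user DN, the function names and the RFC 4515 escaping of substituted values are assumptions of the model.

```python
import re

def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def expand(template, variables):
    """Substitute $name references with escaped values (a model, not nslcd's parser)."""
    return re.sub(r"\$(\w+)",
                  lambda m: escape_filter_value(variables[m.group(1)]), template)

def host_assertion(ldap_filter):
    """Return the assertion value of the filter's (host=...) clause."""
    return re.search(r"\(host=([^)]*)\)", ldap_filter).group(1)

def substring_match(assertion, value):
    """Evaluate an LDAP substring assertion; an unescaped '*' is the wildcard."""
    def unescape(s):
        return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    parts = [re.escape(unescape(p)) for p in assertion.split("*")]
    return re.fullmatch(".*".join(parts), value, re.I | re.S) is not None

def authorized(template, variables, host_values):
    """True if any host value on the user's entry satisfies the expanded filter."""
    assertion = host_assertion(expand(template, variables))
    return any(substring_match(assertion, v) for v in host_values)

# Constructed sample data: the DN is hypothetical, the host value is the one
# described in the post.
USER = {"username": "myname", "dn": "uid=myname,ou=people,dc=company,dc=com"}
HOST_VALUES = ["*.group.company.com"]

WITH_DN = "(&(objectClass=posixAccount)(uid=$username)(host=*.$dn))"
EXPLICIT = "(&(objectClass=posixAccount)(uid=$username)(host=*.group.company.com))"

if __name__ == "__main__":
    for template in (WITH_DN, EXPLICIT):
        print(expand(template, USER), "->", authorized(template, USER, HOST_VALUES))
```
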