Linux – Disable ldap login for a particular user on a particular machine

Tags: authentication, ldap, linux

We have an ldap server and an ldap client in a domain. As the person in charge of a subdomain, I want to enable ldap logins for only some users on a particular machine, and want to disable the rest of the users. I DO NOT have administrative access to the ldap server. Can it be done? If so, how?

e.g.
machine1: all users enabled for ldap login
machine2: only xyz and pqr are allowed to login
machine3: abc and def are not allowed, rest all are allowed.

In short, to allow/disallow a subset of users from accessing a particular ldap-client, without root/administrative privileges to the ldap server.

nsswitch.conf looks like this:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

Client runs Ubuntu 10.04 and OpenLDAP.

Thanks.
EDIT: Please note that although I'm proficient in Linux, I'm very new to LDAP (don't even understand the terminology well), and hence an easy, simple and ad hoc solution would be more welcome than an advanced solution.

Best Answer

You list information about the directory configuration, but what you want is authorization configuration, i.e., PAM. You can accomplish what you want to do by using pam_listfile: list all the users that are allowed to log in in a file, and add pam_listfile to the PAM stack.
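A worked version of that setup, added here as an example and not part of the answer above: a small POSIX shell script that writes the user list and prepends a pam_listfile line to common-auth on the client. It assumes the Ubuntu 10.04 layout (/etc/pam.d/common-auth), a list file path of /etc/pam_listfile.users chosen for this example, and a PAM_ROOT staging prefix so the functions can be tried in a scratch directory before touching /etc.

```shell
#!/bin/sh
# Added example: restrict logins on one LDAP client with pam_listfile.
# PAM_ROOT is an optional staging prefix (e.g. PAM_ROOT=/tmp/stage) so the
# result can be inspected before the files are installed under /etc.
PAM_ROOT="${PAM_ROOT:-}"
LISTNAME=/etc/pam_listfile.users   # path as PAM will read it on the client

# Write the user list, one login name per line. pam_listfile refuses a list
# that is world-writable or not owned by root, so keep it 0600 and root-owned.
# Note: the check applies to every account, not only LDAP ones. With
# sense=allow, include any local accounts (e.g. root) that must keep logging in.
write_user_list() {
    f="$PAM_ROOT$LISTNAME"
    mkdir -p "$(dirname "$f")"
    printf '%s\n' "$@" > "$f"
    chmod 0600 "$f"
}

# Prepend the pam_listfile rule to common-auth (idempotent).
#   sense=allow : only listed users may log in   (machine2: xyz, pqr)
#   sense=deny  : listed users are refused       (machine3: abc, def)
# onerr=fail makes an unreadable list deny instead of silently allowing.
# Ubuntu's pam-auth-update warns about hand edits to common-auth; the same
# line can instead go into one service file such as /etc/pam.d/sshd.
add_pam_listfile() {
    sense="$1"
    f="$PAM_ROOT/etc/pam.d/common-auth"
    mkdir -p "$(dirname "$f")"
    [ -f "$f" ] || : > "$f"
    grep -q 'pam_listfile.so' "$f" && return 0
    tmp="$f.tmp"
    {
        printf 'auth required pam_listfile.so onerr=fail item=user sense=%s file=%s\n' \
            "$sense" "$LISTNAME"
        cat "$f"
    } > "$tmp" && mv "$tmp" "$f"
}

# Usage on machine2:  write_user_list xyz pqr && add_pam_listfile allow
# Usage on machine3:  write_user_list abc def && add_pam_listfile deny
```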