LDAP for logon authorization
I'm trying to get my Solaris 10 machine to use Kerberos/LDAP to authenticate users. Kerberos is supposed to handle the user passwords, while LDAP handles the user information. I have both these elements working and can log in to my Solaris machine.
Problem is, I want to limit who can log in to my Solaris 10 machine. At the moment anyone with a username/password in the KDC can log in to the Solaris 10 machine, which is undesirable. I have created a group in the LDAP directory that contains the people I want to be able to log in to the machine, but I can't initialize the LDAP client in a way that this group successfully keeps anyone with an account on the KDC from logging in. I'm using the native Solaris ldapclient.
I'm not that familiar with LDAP, so I may be missing something pretty basic. If you could point me in the right direction I would appreciate it. Thanks in advance.
The command I'm using to initialize the client is:
ldapclient -v manual \
    -a credentialLevel=anonymous \
    -a defaultSearchBase=dc=test,dc=com \
    -a domainName=sub.test.com \
    -a defaultServerList=192.168.1.2 \
    -a "serviceSearchDescriptor=groups: ou=groups,dc=test,dc=com?one?&(cn=my_test_group)"
The nsswitch.conf file looks like this:
passwd: files ldap
group: files ldap
hosts: dns ldap [NOTFOUND=return] files
ipnodes: dns ldap [NOTFOUND=return] files
networks: ldap [NOTFOUND=return] files
protocols: ldap [NOTFOUND=return] files
rpc: ldap [NOTFOUND=return] files
ethers: ldap [NOTFOUND=return] files
netmasks: ldap [NOTFOUND=return] files
bootparams: ldap [NOTFOUND=return] files
publickey: ldap [NOTFOUND=return] files
netgroup: ldap
automount: files ldap
aliases: files ldap
services: files ldap
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap
tnrhtp: files ldap
tnrhdb: files ldap
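An added example, not part of the original post: a small offline model of how the native Solaris LDAP client applies serviceSearchDescriptor (SSD) entries to name-service lookups. It parses the `service:base?scope?filter` form, evaluates the LDAP filter against a constructed directory, and shows that a filter attached to the group service leaves `passwd` resolution (and therefore logins) untouched, while a filter attached to the `passwd` service restricts which accounts resolve at all. The directory contents, the `memberOf` attribute (which a directory server must maintain; it is not part of `posixAccount`), the `ou=people`/`ou=groups` default containers and the per-database built-in object-class filters are assumptions of this model. It models name-service resolution only, not PAM account management, so it is a check on which accounts the client can see, not a replacement for a PAM-level allow list.

```python
"""Offline model of Solaris ldapclient serviceSearchDescriptor handling.

Added example, not code from the original post. Directory contents,
memberOf values and the default containers are constructed assumptions.
"""

# Constructed sample directory: two posixAccount users and one posixGroup.
# memberOf is assumed to be maintained by the server; gidNumber=2000 would
# serve as an alternative filter attribute for the group's primary members.
DIRECTORY = {
    "uid=alice,ou=people,dc=test,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["alice"],
        "uidNumber": ["1001"], "gidNumber": ["2000"],
        "memberOf": ["cn=my_test_group,ou=groups,dc=test,dc=com"],
    },
    "uid=bob,ou=people,dc=test,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["bob"],
        "uidNumber": ["1002"], "gidNumber": ["100"],
    },
    "cn=my_test_group,ou=groups,dc=test,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["my_test_group"],
        "gidNumber": ["2000"], "memberUid": ["alice"],
    },
}

# Per nsswitch database: assumed default container under the search base,
# the built-in object-class filter the client always ANDs in, and the
# naming attribute a lookup returns.
BUILTIN = {
    "passwd": ("ou=people,dc=test,dc=com", "objectClass=posixAccount", "uid"),
    "group": ("ou=groups,dc=test,dc=com", "objectClass=posixGroup", "cn"),
}


def parse_ssd(ssd):
    """Split 'service:base[?scope[?filter]]' into (service, base, scope, filter)."""
    service, sep, rest = ssd.partition(":")
    if not sep:
        raise ValueError("SSD must be service:base[?scope[?filter]]: %r" % ssd)
    fields = [f.strip() for f in rest.split("?", 2)]
    scope = fields[1] if len(fields) > 1 and fields[1] else "one"
    filt = fields[2] if len(fields) > 2 else ""
    return service.strip(), fields[0], scope, filt


def parse_filter(text):
    """Parse an RFC 4515-style filter into a tree; a bare 'attr=value' is
    wrapped in parentheses first. Returns None for an empty filter."""
    text = text.strip()
    if not text:
        return None
    if not text.startswith("("):
        text = "(" + text + ")"
    node, end = _parse_node(text, 0)
    if end != len(text):
        raise ValueError("trailing characters in filter: %r" % text[end:])
    return node


def _parse_node(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse_node(s, i)
            children.append(child)
        return (op, children), _expect_close(s, i)
    if i < len(s) and s[i] == "!":
        child, i = _parse_node(s, i + 1)
        return ("!", [child]), _expect_close(s, i)
    j = s.find(")", i)  # values containing ')' are not handled by this model
    if j < 0:
        raise ValueError("unterminated filter item in %r" % s)
    attr, sep, value = s[i:j].partition("=")
    if not sep or not attr.strip():
        raise ValueError("filter item must be attr=value: %r" % s[i:j])
    return ("=", attr.strip(), value.strip()), j + 1


def _expect_close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d in %r" % (i, s))
    return i + 1


def matches(node, entry):
    """Evaluate a filter tree against one entry (case-insensitive compare)."""
    if node is None:
        return True
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    have = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return bool(have) if value == "*" else value.lower() in have


def _norm_dn(dn):
    return ",".join(p.strip() for p in dn.lower().split(","))


def in_scope(dn, base, scope):
    """Apply the SSD scope: base, one (direct children) or sub (subtree)."""
    dn, base = _norm_dn(dn), _norm_dn(base)
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    raise ValueError("unknown scope %r" % scope)


def search(database, ssds, directory=DIRECTORY):
    """Names the client would resolve for a nsswitch database, honouring the
    first SSD whose service name equals that database name."""
    base, builtin, naming = BUILTIN[database]
    scope, extra = "one", ""
    for ssd in ssds:
        service, ssd_base, ssd_scope, ssd_filter = parse_ssd(ssd)
        if service == database:
            base, scope, extra = ssd_base, ssd_scope, ssd_filter
            break
    filt = ("&", [parse_filter(builtin), parse_filter(extra)])
    found = []
    for dn, entry in directory.items():
        if in_scope(dn, base, scope) and matches(filt, entry):
            found.extend(entry.get(naming, []))
    return sorted(found)


# The descriptor as posted, and a passwd-service descriptor that gates
# resolution on group membership instead (assumed memberOf attribute).
POSTED_SSDS = ["groups: ou=groups,dc=test,dc=com?one?&(cn=my_test_group)"]
GROUP_SSDS = ["group:ou=groups,dc=test,dc=com?one?(cn=my_test_group)"]
PASSWD_SSDS = ["passwd:ou=people,dc=test,dc=com?one?"
               "memberOf=cn=my_test_group,ou=groups,dc=test,dc=com"]

if __name__ == "__main__":
    print("posted SSD, passwd resolves:", search("passwd", POSTED_SSDS))
    print("group SSD,  passwd resolves:", search("passwd", GROUP_SSDS))
    print("passwd SSD, passwd resolves:", search("passwd", PASSWD_SSDS))
    print("passwd SSD, group resolves: ", search("group", PASSWD_SSDS))
```

Two things the model makes visible. First, SSDs are keyed by nsswitch database name, so the posted descriptor (service `groups`) is matched here against nothing, and even a descriptor keyed `group` only narrows group lookups; `passwd` lookups still return every account, which is what lets every KDC principal log in. Second, a filter on the `passwd` service is what removes non-members from resolution. On a real system the equivalent check is `getent passwd <user>` for a member and a non-member after `ldapclient` has been re-run, and the exact filter attribute (`memberOf`, `gidNumber`, or similar) depends on what the directory actually stores.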