Disallow ldap user to log to specific server

Posted: 2012/01/06 13:12:07
by TONAY
I've set up an openldap server and created some posix accounts in it. The clients are CentOS & RedHat servers. All the users defined in the ldap are able to log on any client and that's my problem.

Some of the users should be able to log only on some clients not all of them. Here is an example:

a few users : User1, User2, User3
a few clients : server1, server2, server3.

Now every user can connect on every client; what I want is:
User1, User3 can connect on every server
User2 can only connect on server2

Is there a way to do that? Maybe there is an attribute where I could put a list of allowed servers for a posixAccount?

Regards

Disallow ldap user to log to specific server

Posted: 2012/01/07 13:28:24
by jlehtone
I think there is a "host" ldap attribute in some account schema, but it requires
that the pam (in /etc/ldap.conf) in each server has been told to check that
attribute.

Start by reading the comments from the /etc/ldap.conf. Or have you moved
on to using the sssd?
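The directory side of the host-attribute approach jlehtone describes, as an added example that is not part of the thread: an LDIF that gives the three users from the original post the `host` values matching the requested policy. It assumes a base DN of dc=example,dc=com, user entries under ou=People, and entries that carry the cosine `account` objectClass, which is where the multi-valued `host` attribute is defined (an entry without that objectClass will reject the add with an objectClass violation). On each client, /etc/ldap.conf then needs `pam_check_host_attr yes` so that pam_ldap compares the entry's `host` values against the local hostname.

```ldif
# Added example, not from the thread. Assumed names: base DN dc=example,dc=com,
# users under ou=People, entries with objectClass "account" (cosine schema),
# which defines the multi-valued "host" attribute. User1..User3 and
# server1..server3 are the names from the original post.

# User1 and User3: allowed on every client. "*" is the wildcard value that
# pam_ldap accepts when pam_check_host_attr is enabled.
dn: uid=User1,ou=People,dc=example,dc=com
changetype: modify
add: host
host: *

dn: uid=User3,ou=People,dc=example,dc=com
changetype: modify
add: host
host: *

# User2: only server2. The value must match the hostname the client reports
# (check with `hostname` on that machine); add one "host:" line per client
# if a user is later allowed on several of them.
dn: uid=User2,ou=People,dc=example,dc=com
changetype: modify
add: host
host: server2
```

Load it with something like `ldapmodify -x -D cn=admin,dc=example,dc=com -W -f hosts.ldif` (admin DN assumed). Two things to keep in mind before turning on `pam_check_host_attr`: pam_ldap denies any account that has no `host` attribute at all, so populate every account first; and the check lives in the PAM account stage, so it only protects services that go through PAM, not anything that merely resolves the user via NSS.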

Re: Disallow ldap user to log to specific server

Posted: 2012/01/10 08:32:41
by TONAY
I haven't moved to sssd yet ... I'll look for the host attribute.

Thx

Re: Disallow ldap user to log to specific server

Posted: 2012/01/12 23:07:12
by KermitDaFragger
I think you can use "pam_filter" for that in "/etc/ldap.conf" to require the user to be part of a specific group. That way you can even manage access from your LDAP directory.
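The client side for both suggestions in this thread (jlehtone's `host` attribute and KermitDaFragger's group-based `pam_filter`), as an added example that is not from the thread or from pam_ldap's documentation: an /etc/ldap.conf fragment for server2. Assumed names are a base DN of dc=example,dc=com, an LDAP server at ldap.example.com, and a posixGroup cn=server2-login under ou=Groups whose `memberUid` values list the users allowed on this host. On CentOS 6 with nss-pam-ldapd, pam_ldap reads /etc/pam_ldap.conf instead, with the same option names.

```ini
# /etc/ldap.conf fragment for pam_ldap on server2. Added example, not from the
# thread. Assumed: base DN dc=example,dc=com, LDAP server ldap.example.com,
# and a posixGroup cn=server2-login,ou=Groups with memberUid entries.
base dc=example,dc=com
uri ldap://ldap.example.com/
ssl start_tls

# Mechanism 1: host attribute. The user's entry must carry a "host" value
# equal to this client's hostname, or "*". Entries with no "host" value are
# denied, so populate every account before enabling this.
pam_check_host_attr yes

# Mechanism 2: group membership checked by pam_ldap itself. The login name
# must appear in the group named by pam_groupdn, in the attribute named by
# pam_member_attribute (memberUid for posixGroup; uniqueMember if the group
# is a groupOfUniqueNames holding full DNs).
#pam_groupdn cn=server2-login,ou=Groups,dc=example,dc=com
#pam_member_attribute memberUid

# Mechanism 3: an extra filter ANDed with (uid=<login>) when pam_ldap looks
# the user up. Expressing group membership this way needs the server to
# maintain a memberOf attribute (the OpenLDAP memberof overlay); without it
# the search returns nothing and every login is refused.
#pam_filter memberOf=cn=server2-login,ou=Groups,dc=example,dc=com
```

Whichever mechanism is chosen, keep the group or host values in the directory and the client config identical on every server, and test with a non-root shell (`ssh User2@server1` should fail, `ssh User2@server2` should succeed) while still holding a root session on each client, since a typo here locks out every LDAP user at once.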

Re: Disallow ldap user to log to specific server

Posted: 2012/01/13 22:17:41
by jlehtone
Yes. https://help.ubuntu.com/community/LDAPClientAuthentication