+If you don't use :abbr:`HBAC(Host-based access control)`, your `userbasedn` parameter may be specified without any additional filters, like:
+You need `netgroupbasedn` parameter only if you use sudo with netgroups. If you don't use sudo with netgroups, you can drop the parameter.
+
+The password to the GSKit certificate store (`ldapsslkeypwd`) can be encrypted using :command:`secldapclntd -e` command. But the option is not documented.
+
+HBAC (Host-based access control)
+--------------------------------
+
 You can have **true** :abbr:`HBAC(Host-based access control)` using `pam_ipahbac <https://github.com/rseabra/pam_ipahbac/>`, after installation you place a `/etc/ipahbac.conf` file with the pam module's configuration:
 
 ::
-userbasedn:cn=users,cn=accounts,dc=example,dc=com
+-u YourSysAccount
+-b dc=your,dc=domain
+-P /etc/ldap.secret
+-l ldaps://ldap1/,ldaps://ldap2/..
 
+And add the following to `/etc/pam.cfg`:
 
-You need `netgroupbasedn` parameter only if you use sudo with netgroups. If you don't use sudo with netgroups, you can drop the parameter.
+::
 
-The password to the GSKit certificate store (`ldapsslkeypwd`) can be encrypted using :command:`secldapclntd -e` command. But the option is not documented.
+**Alternatively**, if you don't mind using a limited version of HBAC support, you can change your *userbasedn* field in **ldap.cfg** to check the user properties for being a member of a particular HBAC rule:
-If you don't want to use HBAC, or prevent locked users from logging in, your `userbasedn` parameter may be specified without any additional filters, like:
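Review bot: the moved "If you don't use HBAC ... without any additional filters, like:" sentence (new line 243) is left without the example it promises: it is directly followed by the `netgroupbasedn` paragraph, while the one literal line that showed that form, `userbasedn:cn=users,cn=accounts,dc=example,dc=com`, is removed at old line 247 when the `::` block under "You can have **true** HBAC" is repurposed for the pam_ipahbac options. Move that literal block up under the new sentence (blank line, `::`, the indented `userbasedn:` line) rather than deleting it. Two further literal blocks in this hunk are empty: "And add the following to `/etc/pam.cfg`:" is followed by a bare `::` with no pam.cfg stanza, and "**Alternatively** ... member of a particular HBAC rule:" ends with a colon but no filter follows; fill both in before merging, since as written a reader cannot complete either setup. Minor: `-l ldaps://ldap1/,ldaps://ldap2/..` looks like a typo for `...`, and because `-P /etc/ldap.secret` names a file holding the `-u` system account's password, the text should state that this file must be owned by root and not world-readable.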