May 26, 2008 Leave a comment
These are some things I recently ran into when trying to restrict a certain ldap user to a certain number of hosts.
For example, at the school we have a cluster where we may only want the parallel processing students to have access, cadence where we may only want vlsi students to have access, and our main server where we want everyone to have access.
Here’s the preliminary way that seems to work. Here, I assume most of your ldap is setup.
First, add the account objectclass to your user. You may need to do some mangling here (for example if you use the inetorgperson objectclass). You can create your own joined schema for this. The reason you want the account objectclass is so you have access to the host attribute.
Next, for every user, add the restricted hosts you want that user to have access to. For example, for the cluster I add a host=skynet.coe.isu.edu attribute.
Finally, on skynet.coe.isu.edu, in ldap.conf, add
Then on our main server do not add these, as these entries only restrict access to users with the applicable host attributes.