[olug] LDAP group authentication
Adam Haeder
adamh at omaha.org
Tue May 20 16:00:15 UTC 2003

I'm in the process of standardizing on OpenLDAP for authentication for all
of my Linux servers. I'm starting with Samba (most of my users are Windows
users, so they want to map drives) and then I'll move on to PAM.

The theory is that there will be one /etc/shadow, /etc/group and
/etc/passwd. These will be the same across all servers, so UIDs and GIDs
are standardized. Then the password and other info is stored in OpenLDAP.

I have this working now with Samba on a few servers. I can successfully
authenticate with no problem.

However, I have a question. Ideally, I'd like to be able to set, in the
OpenLDAP server, what users have access to what servers. Samba has an
option for an 'ldap filter' field in smb.conf, but I can't seem to come up
with the right logic to make it work. What I'm doing is creating groups in
OpenLDAP (objectClass=groupOfUniqueNames). I would like to say "only users
in this group can authenticate against this server". I can't figure out
how to make Samba do that.

Has anyone else done a setup like this? TIA

--
Adam Haeder
Assistant Vice President of Information Technology
AIM Institute
adamh at omaha.org
(402) 345-5025 x115
PGP Public key: http://www.omaha.org/~adamh/pgp.html