
I was recently tasked with trying to set some servers up to do LDAP auth to our existing LDAP db (OpenLDAP on a Mandriva MDS server running MMC to manage it).

I managed to get it somewhat working, in that I can log in and authenticate based on LDAP credentials, but now any user can log in and I'd like to be able to set up tighter ACLs than that.

I tried setting pam_check_host_attr = yes in ldap.conf on the client machine. I tried adding the ldapns.schema to the openldap on our server, but I'm at a loss on how to get anything into MMC. Ideally I don't want to have to go into the command line every time I want to manage a user, but even being able to do that would be an improvement at this point.

In addition to this, I can still log in to the client machine with any LDAP account right now, which makes me think there is some kind of "if no hosts are defined, default to allowing them in" policy that I dislike. Is there a way to change this?

Is there a better way to do what I'm trying to do entirely? (A global list of logins, but with the ability to say only certain users get into specific servers.)

masegaloeh
semi

0 Answers