https://community.hpe.com/t5/operating-system-linux/login-authenication/m-p/3849328#M24846 thx reply ,<BR /><BR />I have already follow the admin guide to setup it , add the below to the config file , but it is strange that when I use telnet to access the system , it pop "Access denied for this host" , but to still accept me to access the system , can advise why the system not deny me to access ? thx <BR /><BR /><BR />#vi /etc/ldap.conf<BR />pam_check_host_attr yes<BR /><BR />#vi /etc/pam.d/system-auth<BR />auth required /lib/security/pam_nologin.so<BR />auth required pam_env.so<BR />auth required /lib/security/pam_unix.so nullok shadow use_first_pass<BR />auth sufficient /lib/security/pam_ldap.so<BR />auth required pam_deny.so<BR /><BR />account required /lib/security/pam_unix.so<BR />account sufficient pam_localuser.so<BR />account sufficient /lib/security/pam_ldap.so<BR />#account sufficient [default=bad success=ok user_unknown=ignore service_err=igno<BR />re system_err=ignore] /lib/security/$ISA/pam_ldap.so<BR /><BR />#account [success=done new_authtok_reqd=done perm_denied=bad default=ignore] pam<BR />_ldap.so<BR /><BR />password required /lib/security/pam_cracklib.so retry=3<BR />password required /lib/security/pam_unix.so nullok use_authtok shadow md5<BR />password sufficient pam_ldap.so use_authtok use_first_pass<BR />password required pam_deny.so<BR /><BR />session required pam_limits.so<BR />session required pam_unix.so<BR />session required pam_mkhomedir.so skel=/etc/skel/ umask=0066 Sun, 03 Sep 2006 12:01:36 GMT hangyu 2006-09-03T12:01:36Z https://community.hpe.com/t5/operating-system-linux/login-authenication/m-p/3849324#M24842 I have three server which are 192.168.0.1 , 192.168.0.2 , 192.168.0.3 , <BR />and have already setup the openldap authentication while 192.168.0.1 is <BR />the master ldap server , now the user can authenticate via the ldap <BR />then access the servers, however , some users should not be allowed to <BR />login 192.168.0.2 , but now they can login this server via the ldap as <BR />the ldap server accept the authentication , for example , the user run <BR />'ssh 192.168.0.2' , the ldap accept the authentication then allow the <BR />user to login this server , can advise how to forbid the unauthorized <BR />user can access 192.168.0.2' ? thx Wed, 23 Aug 2006 20:19:08 GMT https://community.hpe.com/t5/operating-system-linux/login-authenication/m-p/3849324#M24842 hangyu 2006-08-23T20:19:08Z https://community.hpe.com/t5/operating-system-linux/login-authenication/m-p/3849325#M24843 If you are using pamldap and libnss-ldap you can setup it up on each box to filter out which userid are available on each box.<BR /><BR />For eg on 192.168.0.2<BR /><BR />change the ldap search filters to only allow certain userids, based on some attribute. Thu, 24 Aug 2006 01:19:11 GMT https://community.hpe.com/t5/operating-system-linux/login-authenication/m-p/3849325#M24843 Alexander Samad 2006-08-24T01:19:11Z https://community.hpe.com/t5/operating-system-linux/login-authenication/m-p/3849326#M24844 thx Alexander Samad ,<BR /><BR />If so , I need to set the deny / accept list in all servers once I have created a user ? and could you point me to the doc for the setting ? thx Thu, 24 Aug 2006 06:01:41 GMT https://community.hpe.com/t5/operating-system-linux/login-authenication/m-p/3849326#M24844 hangyu 2006-08-24T06:01:41Z https://community.hpe.com/t5/operating-system-linux/login-authenication/m-p/3849327#M24845 This is a good document.<BR /> Thu, 24 Aug 2006 09:10:21 GMT https://community.hpe.com/t5/operating-system-linux/login-authenication/m-p/3849327#M24845 Ivan Ferreira 2006-08-24T09:10:21Z https://community.hpe.com/t5/operating-system-linux/login-authenication/m-p/3849328#M24846 thx reply ,<BR /><BR />I have already follow the admin guide to setup it , add the below to the config file , but it is strange that when I use telnet to access the system , it pop "Access denied for this host" , but to still accept me to access the system , can advise why the system not deny me to access ? thx <BR /><BR /><BR />#vi /etc/ldap.conf<BR />pam_check_host_attr yes<BR /><BR />#vi /etc/pam.d/system-auth<BR />auth required /lib/security/pam_nologin.so<BR />auth required pam_env.so<BR />auth required /lib/security/pam_unix.so nullok shadow use_first_pass<BR />auth sufficient /lib/security/pam_ldap.so<BR />auth required pam_deny.so<BR /><BR />account required /lib/security/pam_unix.so<BR />account sufficient pam_localuser.so<BR />account sufficient /lib/security/pam_ldap.so<BR />#account sufficient [default=bad success=ok user_unknown=ignore service_err=igno<BR />re system_err=ignore] /lib/security/$ISA/pam_ldap.so<BR /><BR />#account [success=done new_authtok_reqd=done perm_denied=bad default=ignore] pam<BR />_ldap.so<BR /><BR />password required /lib/security/pam_cracklib.so retry=3<BR />password required /lib/security/pam_unix.so nullok use_authtok shadow md5<BR />password sufficient pam_ldap.so use_authtok use_first_pass<BR />password required pam_deny.so<BR /><BR />session required pam_limits.so<BR />session required pam_unix.so<BR />session required pam_mkhomedir.so skel=/etc/skel/ umask=0066 Sun, 03 Sep 2006 12:01:36 GMT https://community.hpe.com/t5/operating-system-linux/login-authenication/m-p/3849328#M24846 hangyu 2006-09-03T12:01:36Z