THE TRUST MODEL IDEA

Trust model:

The client must honor these attributes with the following filter in
/etc/ldap.conf:

pam_filter objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=<my server>)

so account entries containing the attribute trustModel = fullaccess
are granted access all the time, and those containing
trustModel = byserver require an accessTo attribute
containing <my server> to be allowed access to that server.

Example:

/snip ldap.conf/
pam_filter objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=mailserver)
/end snip/

would accept users with trustModel=fullaccess or users with accessTo=mailserver.


Note that this filter only affects PAM (authentication), not NSS (account lookups).

NOTE: For Debian GNU/Linux, there are example schemas in
/usr/share/doc/directory-administrator/examples. Include them in your
LDAP server's configuration file like this:

include /usr/share/doc/directory-administrator/examples/trustMode.schema-OpenLDAP1

or, if using OpenLDAP2:

include /usr/share/doc/directory-administrator/examples/trustMode.schema-OpenLDAP2

//Turbo Fredriksson

