Just a comment: if you use OpenLDAP as the server, it is better to use
OpenLDAP as the client as well (I have tried the SUN native LDAP client and it
works too, but I doubt that will remain so in future Solaris releases/patches),
but then you are banking on open-source support and facing the massive effort
of deploying (installing/configuring) OpenLDAP clients. SUN iDS5 and the SUN
native LDAP client (built-in) may be a better choice.
There is a recent discovery w.r.t. "NetGroup" by Diego worth reading:
As netgroup does not work well with OpenLDAP, some people have reported
another means that works: using the "host" attribute in People
entries, and specifying "check host attribute" in PAM_LDAP's
/etc/ldap.conf. You may need to add the schema and objectclass
(account?) that provide this attribute. This works well if the number of
hosts or number of users is limited.
Please search Google for "netgroup site:www.openldap.org"; I think there
are some other tricks people play with the default search filter for
You may also find these articles informative:
I also heard on the PAM mailing list that there is something like a
"pam_listusers" module (not sure of the spelling) that could restrict
the list of authenticated users on a per-host basis.
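To make the "host attribute" approach from the message above concrete, here is an added example (not code from the original post, from pam_ldap, or from OpenLDAP): a small offline Python model of the decision pam_ldap makes when `pam_check_host_attr yes` is set in `/etc/ldap.conf` and People entries carry a `host` attribute (supplied by the `account` objectClass in the standard cosine schema). The LDIF is constructed sample data. Two behaviours are assumptions to verify against your pam_ldap version: a literal `*` in `host` is treated as "any host", and the hostname comparison is done case-insensitively. The one caveat every deployment hits is modelled exactly: once the check is enabled, a user entry with no `host` attribute at all is denied on every host, so add the attribute to every account before flipping the switch.

```python
"""
Offline model of pam_ldap's "check host attribute" access decision.

Added example for illustration; not pam_ldap's or OpenLDAP's own code.
Assumptions (verify against your pam_ldap version):
  - a `host` value of "*" means "any host" (assumed);
  - hostname comparison is case-insensitive (assumed);
  - an entry with no `host` attribute is denied once the check is on.
"""
import re

# The client-side switch this example models, as written in /etc/ldap.conf.
LDAP_CONF_SNIPPET = "pam_check_host_attr yes"

# Constructed sample directory content; not a real directory.
# alice may log in on two web hosts, bob anywhere, carol has no host attribute.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: account
uid: alice
host: web01.example.com
host: web02.example.com

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: account
uid: bob
host: *

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: carol
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns {dn: {attr_lowercase: [values]}}.

    Handles only the plain 'attr: value' form (no base64 '::' values,
    no line folding), which is enough for sample People entries."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs, dn = {}, None
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries[dn] = attrs
    return entries


def host_allowed(entry, hostname, check_host_attr=True):
    """Decide whether one user entry may log in on `hostname`.

    Mirrors the pam_check_host_attr logic: with the check off everything
    passes; with it on, the entry must list this host (or "*")."""
    if not check_host_attr:
        return True
    hosts = entry.get("host", [])
    if not hosts:
        return False  # the common surprise: no host attribute => denied everywhere
    return any(h == "*" or h.lower() == hostname.lower() for h in hosts)


def login_decision(ldif_text, uid, hostname, check_host_attr=True):
    """Look up `uid` in the parsed LDIF and return True/False for `hostname`.

    Unknown users are denied, as pam_ldap would fail to find the entry."""
    entries = parse_ldif(ldif_text)
    for dn, attrs in entries.items():
        if uid in attrs.get("uid", []):
            return host_allowed(attrs, hostname, check_host_attr)
    return False


if __name__ == "__main__":
    print("client config:", LDAP_CONF_SNIPPET)
    for uid, host in [("alice", "web01.example.com"), ("alice", "db01.example.com"),
                      ("bob", "db01.example.com"), ("carol", "web01.example.com")]:
        verdict = "allow" if login_decision(SAMPLE_LDIF, uid, host) else "deny"
        print(f"{uid:6} on {host:18} -> {verdict}")
```

Running the block prints one line per (user, host) pair; the `carol` line is the one to note, since she has a valid POSIX account but is refused everywhere once the check is on, and would be accepted again only by setting `pam_check_host_attr no` or by adding a `host` value to her entry.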