I have recently been using OpenLDAP on a server for authentication. I have user auth working happily, but when I try to enable group membership, it is not enforced. When a user with the correct group membership logs in, everything is happy, but when a user without the membership logs in, a notice appears that says "You must be a memberUid of cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan to login.", yet the user is still able to continue and log in, so the group membership is not being enforced.
Many thanks for your help (again).
Here is my nss_ldap.conf (/etc/ldap.conf):
base dc=chocolate,dc=lan
suffix dc=chocolate,dc=lan
uri ldap://ldap.chocolate.lan
ldap_version 3
scope sub
timelimit 3
bind_timelimit 3
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_groupdn cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan
pam_member_attribute memberUid
pam_password clear
pam_password exop
nss_base_passwd ou=Users,dc=chocolate,dc=lan?sub
nss_base_passwd ou=Computers,dc=chocolate,dc=lan?sub
nss_base_shadow ou=Users,dc=chocolate,dc=lan?sub
nss_base_group ou=Nemo,ou=Group,dc=chocolate,dc=lan?sub
ssl on
ssl start_tls
tls_cacert /usr/local/etc/openldap/keys/cacert.crt
tls_checkpeer no
And my pam.d/sshd:
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn
auth required pam_unix.so no_warn use_first_pass
account required pam_nologin.so
account required pam_login_access.so
account optional pam_unix.so
account optional /usr/local/lib/pam_ldap.so
session required pam_permit.so
session optional /usr/local/lib/pam_ldap.so
password sufficient pam_unix.so no_warn use_first_pass
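Added example, not part of the post: a simplified Python model of PAM control-flag evaluation (Linux-PAM/OpenPAM style), run against the account stack shown above. The per-module results are constructed; the pam_ldap result stands for the outcome of the pam_groupdn / memberUid check, which pam_ldap performs in the account phase. It shows that with pam_ldap marked "optional", a failed group check cannot change the verdict, while "required" makes it decisive.

```python
# Simplified model of how PAM combines module results within one management
# group (e.g. "account"). Constructed for illustration; real PAM has more
# control syntax, but these four keywords behave as modelled here.

SUCCESS, FAIL = "success", "fail"


def run_stack(stack, results):
    """stack: [(control, module)] in file order; results: module -> SUCCESS/FAIL.
    Returns the verdict the application (sshd) receives."""
    required_failed = False   # a required/requisite module failed earlier
    saw_decisive = False      # a required/requisite module produced a result
    optional_result = None    # only consulted if nothing decisive ran
    for control, module in stack:
        r = results[module]
        if control == "requisite":
            saw_decisive = True
            if r == FAIL:
                return FAIL                 # fail immediately
        elif control == "required":
            saw_decisive = True
            if r == FAIL:
                required_failed = True      # remember, but keep running the stack
        elif control == "sufficient":
            if r == SUCCESS and not required_failed:
                return SUCCESS              # succeed now; a failure is ignored
        elif control == "optional":
            if optional_result is None:
                optional_result = r         # matters only with no decisive module
    if saw_decisive:
        return FAIL if required_failed else SUCCESS
    return optional_result if optional_result is not None else FAIL


def account_verdict(ldap_control, in_group):
    """Verdict of the post's account stack with pam_ldap under ldap_control, for
    a user who passes (in_group=True) or fails the pam_groupdn membership check."""
    stack = [("required", "pam_nologin.so"),
             ("required", "pam_login_access.so"),
             ("optional", "pam_unix.so"),
             (ldap_control, "/usr/local/lib/pam_ldap.so")]
    results = {"pam_nologin.so": SUCCESS, "pam_login_access.so": SUCCESS,
               "pam_unix.so": SUCCESS,
               "/usr/local/lib/pam_ldap.so": SUCCESS if in_group else FAIL}
    return run_stack(stack, results)


if __name__ == "__main__":
    for control in ("optional", "required"):
        print(f"pam_ldap {control:8s} user not in group ->", account_verdict(control, False))
```

With "optional", the two required modules already decide the outcome, so the "You must be a memberUid of ..." failure is printed and then discarded; with "required", the same failure denies the session. Accounts that exist only locally would then also have to pass the pam_ldap account module, which is worth testing before changing the live stack.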