Well..I set this up on a new system and it works flawlessly . The only difference in the environments is the kernel version.
The one that works is 2.6.18-194.17.4.el5. The one that doesn't is 2.6.18-194.el5.
Ah well. Must be a bug that need to be upgraded in one the packages.
From: mlstarling31@hotmail.com To: openldap-technical@openldap.org Subject: RE: pam_check_host_attr Date: Tue, 10 Jan 2012 09:10:32 -0500
I could really use some help with this. Does anyone see a problem with my setup?
From: mlstarling31@hotmail.com To: openldap-technical@openldap.org Subject: pam_check_host_attr Date: Mon, 9 Jan 2012 15:58:10 -0500
I'm unable to get host checking to work. I have followed what I think are the correct steps but I still get "Access denied for this host" when I specify a server or the * wildcard for all servers.
The hostname command returns cadb5 so host lookups are working. Do you actually need a full blown DNS solution rather than host files to get this working?
RHEL 5.5 openldap-2.3.43-12.el5_6.7 nss_ldap-253-37.el5_6.1
/etc/openldap/slapd.conf include /etc/openldap/schema/ldapns.schema
/etc/ldap.conf pam_check_host_attr yes
The users account has the hostObject class and the host attribute:
dn: uid=testuser,ou=admins,ou=ORG,ou=people,dc=test,dc=lott objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: sambaSamAccount objectClass: hostObject cn: testuser sn: testuser givenName: testuser uid: testuser uidNumber: 1002 gidNumber: 512 homeDirectory: /home/testuser loginShell: /bin/bash gecos: Infrastructure Engineer structuralObjectClass: inetOrgPerson entryUUID: 79bc2d6e-7f0b-1030-9efe-3f6966a39ce0 creatorsName: cn=root,dc=test,dc=lott createTimestamp: 20110929172322Z sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 displayName: mphan sambaSID: S-1-5-21-590332452-794431873-1853597743-3004 sambaPrimaryGroupSID: S-1-5-21-590332452-794431873-1853597743-512 sambaLogonScript: logon.bat sambaProfilePath: \FTP3\profiles\testuser sambaHomePath: \FTP3\testuser sambaHomeDrive: H: sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx sambaAcctFlags: [U] sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx sambaPwdLastSet: 1326133136 sambaPwdMustChange: 1333909136 userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx shadowLastChange: 15348 shadowMax: 90 pwdChangedTime: 20120109181856Z pwdHistory: 20120109181856Z#1.3.6.1.4.1.1466.115.121.1.40#8#{crypt}x host: cadb5 entryCSN: 20120109193817Z#000000#00#000000 modifiersName: uid=ldapmgr,ou=people,dc=test,dc=lott modifyTimestamp: 20120109193817Z
Relevant system-auth file:
auth required pam_env.so auth sufficient pam_ldap.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so
account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 password sufficient pam_unix.so shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so session required pam_mkhomedir.so skel=/etc/skel umask=0027