I could really use some help with this. Does anyone see a problem with my setup?


From: mlstarling31@hotmail.com
To: openldap-technical@openldap.org
Subject: pam_check_host_attr
Date: Mon, 9 Jan 2012 15:58:10 -0500

I'm unable to get host checking to work. I have followed what I think are the correct steps but I still get "Access denied for this host" when I specify a server or the * wildcard for all servers.

The hostname command returns cadb5 so host lookups are working. Do you actually need a full blown DNS solution rather than host files to get this working?

RHEL 5.5
openldap-2.3.43-12.el5_6.7
nss_ldap-253-37.el5_6.1

/etc/openldap/slapd.conf
include         /etc/openldap/schema/ldapns.schema


/etc/ldap.conf
pam_check_host_attr yes



The user's account has the hostObject class and the host attribute:

dn: uid=testuser,ou=admins,ou=ORG,ou=people,dc=test,dc=lott
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: hostObject
cn: testuser
sn: testuser
givenName: testuser
uid: testuser
uidNumber: 1002
gidNumber: 512
homeDirectory: /home/testuser
loginShell: /bin/bash
gecos: Infrastructure Engineer
structuralObjectClass: inetOrgPerson
entryUUID: 79bc2d6e-7f0b-1030-9efe-3f6966a39ce0
creatorsName: cn=root,dc=test,dc=lott
createTimestamp: 20110929172322Z
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: mphan
sambaSID: S-1-5-21-590332452-794431873-1853597743-3004
sambaPrimaryGroupSID: S-1-5-21-590332452-794431873-1853597743-512
sambaLogonScript: logon.bat
sambaProfilePath: \\FTP3\profiles\testuser
sambaHomePath: \\FTP3\testuser
sambaHomeDrive: H:
sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaAcctFlags: [U]
sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaPwdLastSet: 1326133136
sambaPwdMustChange: 1333909136
userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
shadowLastChange: 15348
shadowMax: 90
pwdChangedTime: 20120109181856Z
pwdHistory: 20120109181856Z#1.3.6.1.4.1.1466.115.121.1.40#8#{crypt}x
host: cadb5
entryCSN: 20120109193817Z#000000#00#000000
modifiersName: uid=ldapmgr,ou=people,dc=test,dc=lott
modifyTimestamp: 20120109193817Z



Relevant system-auth file:

auth        required      pam_env.so
auth        sufficient    pam_ldap.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0027
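A small offline check, added here and not taken from the thread or from pam_ldap's source, that pulls the host values out of an LDIF entry and applies the same kind of comparison pam_ldap is believed to make: exact match against gethostname(), the resolver's canonical name or one of its aliases, or the bare * wildcard (that matching rule is an assumption, not something the post confirms). Running it on the box that says "Access denied for this host" shows which local names the entry's host value would have to match; the constructed SAMPLE_LDIF mirrors the posted entry's host: cadb5.

```python
import socket

# Constructed LDIF fragment, trimmed from the posted entry to the
# attributes that matter for the host check (not the list's own data).
SAMPLE_LDIF = """\
dn: uid=testuser,ou=admins,ou=ORG,ou=people,dc=test,dc=lott
objectClass: posixAccount
objectClass: hostObject
uid: testuser
host: cadb5
"""

def parse_ldif_hosts(ldif_text):
    """Return the values of every 'host:' attribute in an LDIF entry."""
    hosts = []
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "host":
            hosts.append(value.strip())
    return hosts

def host_attr_allows(hosts, hostname, canonical=None, aliases=()):
    """Accept on exact match against gethostname(), the resolved canonical
    name, one of its aliases, or the bare '*' wildcard.  Assumption: this is
    how pam_ldap matches; the post does not say, and no other patterns are
    honoured here."""
    names = {hostname}
    if canonical:
        names.add(canonical)
    names.update(aliases)
    return any(h == "*" or h in names for h in hosts)

def local_names():
    """Short name, canonical name and aliases as the resolver reports them."""
    short = socket.gethostname()
    try:
        canonical, aliases, _ = socket.gethostbyname_ex(short)
    except (socket.gaierror, socket.herror):
        canonical, aliases = short, []
    return short, canonical, aliases

if __name__ == "__main__":
    short, canonical, aliases = local_names()
    hosts = parse_ldif_hosts(SAMPLE_LDIF)
    print("entry host values:", hosts)
    print("local names:", short, canonical, aliases)
    print("allowed:", host_attr_allows(hosts, short, canonical, aliases))
```

If the resolver returns a fully qualified canonical name while the entry only carries the short name, the check fails in the same way the post describes, which is the first thing to compare against /etc/hosts on the client.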