Thanks Howard. Could you point me to some good documentation or HowTos on that? Which version of OpenLDAP should I have installed on the server/client machines, or is there a separate rpm or pkg to be installed to get started with it?
Thanks Shamika
On Tue, Dec 8, 2009 at 4:23 AM, Howard Chu hyc@symas.com wrote:
Joe Friedeggs wrote:
Use pam_groupdn
pam_groupdn <groupdn> Specifies the distinguished name of a group to which a user must belong for logon authorization to succeed. For example:
pam_groupdn cn=accessGroupServer1,ou=host_ssh_access,dc=example,dc=net
I am not sure if you can specify multiple groups, you'll have to play with it.
This question concerns pam-ldap and belongs on the pam-ldap mailing list.
No, pam_groupdn does not support multiple groups.
If you want to actually discuss something relevant to OpenLDAP, then switch to OpenLDAP's nssov overlay, which has full support for arbitrary host / group / ACL-based login authorization.
Thanks,
Joe
Date: Mon, 7 Dec 2009 18:26:57 +0530
Subject: Re: restrict host login based on group
From: shamika.joshi@gmail.com
To: adam@gradientzero.com
CC: serge.fonville@gmail.com; jarbas.junior@gmail.com; openldap-technical@openldap.org
I've been fighting with this for a long time now. Reading posts & archives, having no luck beyond this point... but now a bit desperate to get this done as I am running out of time.
Any help in this matter is truly appreciated. I attempted to use the following ldap.conf settings, but still get auth failures upon doing ssh with an ldap user.
host 172.16.135.43
base dc=test,dc=com
uri ldap://172.16.135.43
ldap_version 3
timelimit 120
bind_timelimit 120
idle_timelimit 3600
#pam_filter host=x15ubuntu
pam_filter host=*
pam_check_host_attr yes
pam_password crypt
bind_policy soft
nss_base_passwd ou=Users,dc=test,dc=com?one
nss_base_shadow ou=Users,dc=test,dc=com?one
nss_base_group ou=Group,dc=test,dc=com?one
nss_base_hosts ou=Hosts,dc=test,dc=com?one
nss_initgroups_ignoreusers avahi,avahiautoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,netdirector,news,postgres,proxy,pulse,root,saned,speech-dispatcher,sshd,sync,sys,syslog,uucp,www-data
nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files ldap dns
"getent" for the user "shamika" returns correct information from the LDAP server:
[root@x15f12 security]# getent passwd shamika
shamika:x:503:55:Shamika J:/home/shamika:/bin/bash
[root@x15f12 security]# getent shadow shamika
shamika:*:14568::::::
[root@x15f12 security]# getent group sysadmin
sysadmin:*:100:uid=ldap1,ou=Users,dc=test,dc=com,uid=ldap2,ou=Users,dc=test,dc=com,uid=shamika,ou=Users,dc=test,dc=com
No user can log in even when I set pam_filter host=*, but if I comment out pam_filter it allows all ldap users to log in via ssh.
Here is a snapshot from /var/log/secure:
Dec 7 18:12:26 x15f12 sshd[19642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=shamika
Dec 7 18:12:28 x15f12 sshd[19642]: Failed password for shamika from ::1 port 54884 ssh2
Dec 7 18:12:29 x15f12 sshd[19643]: Connection closed by ::1
Here is my /pam.d/sshd file:
#%PAM-1.0
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
Thanks Shamika
=============================================================================================
2009/12/4 Shamika Joshi>
Hi all, I'm stuck in the same issue as Serge Fonville. I have created a new Auxiliary objectclass 'testobj' with a 'host' attribute & added it to ou=Groups. Then I created 2 entries under Groups as below & assigned members to those groups.
dn: cn=qagroup,ou=Groups,dc=test,dc=com
cn: qagroup
gidNumber: 4
objectClass: posixGroup
objectClass: testobj
host: x15f12.test.com
memberUid: uid=ldap1,ou=Users,dc=test,dc=com
memberUid: uid=ldap2,ou=Users,dc=test,dc=com

dn: cn=admin,ou=Groups,dc=test,dc=com
cn: admin
gidNumber: 0
objectClass: posixGroup
objectClass: testobj
host: x15ubuntu.test.com
memberUid: uid=ldap3,ou=Users,dc=test,dc=com
memberUid: uid=ldap4,ou=Users,dc=test,dc=com
Now which parameter in ldap.conf, or in any other file on the host machine, should I modify, and how, so that only members of the qagroup or admin groups get access to the host mentioned in their respective attributes??
Thanks in advance Shamika
2009/12/3 Adam Hough>
Or you can create your own Aux. object class that includes the host attribute; then you just have to modify the ldap.conf for the machine to restrict user authentication.
- Adam
On Thu, 2009-12-03 at 10:48 -0300, Jarbas Peixoto Júnior wrote:
If you are using ssh and pam, it can be done like this:
# tail /etc/ssh/sshd_config
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
# Restrict access to the local group 'suporte' and to LDAP groups
AllowGroups suporte "SSH UDSL"
where "SSH UDSL" is a Group in LDAP, and "suporte" is a local group.
2009/12/3 Serge Fonville>:
Hi,
While setting up an LDAP server, I noticed that it is not possible to add a host attribute to a posixGroup.
Is there a way to limit which hosts a user can log on to based on their group membership?
Thanks in advance
Regards,
Serge Fonville
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
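Added example, written by the editor and not by any poster in this thread: a small Python model of the authorization checks the thread discusses, so the differences between them can be seen on concrete entries. It covers pam_ldap's pam_check_host_attr (the host attribute on the user's own entry), the effect of a pam_filter such as host=* (an LDAP presence filter ANDed onto the user lookup), pam_groupdn (membership in a single named group, as Howard notes), and the group-carries-host scheme from Shamika's LDIF. The LDIF is constructed for the example and uses bare login names as memberUid values; the function names are hypothetical. A user entry with no host attribute is denied under the host-attribute check, which is the deny-by-default behaviour modeled here.

```python
"""Model of host-based login authorization checks (illustrative, not pam_ldap code)."""
import fnmatch
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed sample directory: two users with a host attribute, one without,
# and two groups carrying a host attribute via an auxiliary objectClass.
SAMPLE_LDIF = """\
dn: uid=ldap1,ou=Users,dc=test,dc=com
uid: ldap1
host: x15f12.test.com

dn: uid=shamika,ou=Users,dc=test,dc=com
uid: shamika
host: *

dn: uid=ldap3,ou=Users,dc=test,dc=com
uid: ldap3

dn: cn=qagroup,ou=Groups,dc=test,dc=com
cn: qagroup
objectClass: posixGroup
objectClass: testobj
host: x15f12.test.com
memberUid: ldap1
memberUid: ldap2

dn: cn=admin,ou=Groups,dc=test,dc=com
cn: admin
objectClass: posixGroup
objectClass: testobj
host: x15ubuntu.test.com
memberUid: ldap3
"""


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF reader: one entry per blank-line-separated block, keyed by dn."""
    entries: Dict[str, Entry] = {}
    current: Optional[Entry] = None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def find_user(entries: Dict[str, Entry], uid: str) -> Optional[Entry]:
    for entry in entries.values():
        if uid in entry.get("uid", []):
            return entry
    return None


def host_matches(patterns: List[str], hostname: str) -> bool:
    """A host value of '*' (or any glob) matches; an empty list never does."""
    return any(fnmatch.fnmatchcase(hostname, p) for p in patterns)


def check_host_attr(entries: Dict[str, Entry], uid: str, hostname: str) -> bool:
    """pam_check_host_attr semantics: the user's OWN entry must carry a matching host."""
    user = find_user(entries, uid)
    return user is not None and host_matches(user.get("host", []), hostname)


def user_visible_with_filter(entries: Dict[str, Entry], uid: str, attr: str) -> bool:
    """pam_filter '<attr>=*' semantics: a user entry lacking the attribute is not found at all."""
    user = find_user(entries, uid)
    return user is not None and bool(user.get(attr))


def check_groupdn(entries: Dict[str, Entry], uid: str, groupdn: str) -> bool:
    """pam_groupdn semantics: the user must be a memberUid of exactly this one group."""
    group = entries.get(groupdn)
    return group is not None and uid in group.get("memberUid", [])


def check_group_host(entries: Dict[str, Entry], uid: str, hostname: str) -> bool:
    """Group-carries-host scheme: allowed if any group the user belongs to lists this host."""
    return any(
        uid in e.get("memberUid", []) and host_matches(e.get("host", []), hostname)
        for e in entries.values()
    )


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for uid in ("ldap1", "ldap3", "shamika"):
        for host in ("x15f12.test.com", "x15ubuntu.test.com"):
            print(uid, host,
                  "host_attr=%s" % check_host_attr(ENTRIES, uid, host),
                  "group_host=%s" % check_group_host(ENTRIES, uid, host))
```

Running the block prints, for each sample user and host, whether the user-entry check and the group-based check would admit them; ldap3 is admitted on x15ubuntu only by the group scheme, because the user entry itself has no host attribute.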