I'm currently trying to get group based login working with little success using pam_groupdn on CentOS. Currently, any existing LDAP user is allowed to login to the system, but it does throw the error: "You must be a member of cn=login,ou=Group,dc=mydomain,dc=com to login." I would like to deny logins for any ldap users unless they exist in the specified group (in this case, cn=login,ou=Group,dc=mydomain,dc=com). Can anyone tell me what I'm doing wrong or point me toward some documentation?
/etc/ldap.conf:

    uri ldaps://ldap.mydomain.com
    base dc=mydomain,dc=com
    binddn cn=user,ou=People,dc=mydomain,dc=com
    bindpw password
    bind_policy soft
    pam_password md5
    pam_login_attribute userID
    pam_groupdn cn=login,ou=Groups,dc=mydomain,dc=com
    pam_member_attribute member
    pam_lookup_policy yes
    tls_checkpeer no
    ssl on

LDAP login group:

    dn: cn=login,ou=Group,dc=mydomain,dc=com
    objectClass: top
    objectClass: posixGroup
    cn: login
    description: login group
    gidNumber: 100
    memberUid: user1
    memberUid: user2
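An added consistency check (my own example, not code from the question or from pam_ldap): it parses the posted ldap.conf directives and the group's LDIF and reports where pam_groupdn and pam_member_attribute disagree with the group entry that actually exists. The two samples are constructed from the fragments above, trimmed to the lines the check needs.

```python
# Constructed from the question's fragments: the pam_ldap directives and the group entry.
LDAP_CONF = """pam_login_attribute userID
pam_groupdn cn=login,ou=Groups,dc=mydomain,dc=com
pam_member_attribute member
"""
GROUP_LDIF = """dn: cn=login,ou=Group,dc=mydomain,dc=com
objectClass: posixGroup
cn: login
memberUid: user1
memberUid: user2
"""

def normalize_dn(dn):
    """DN matching ignores case and whitespace around the RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_ldap_conf(text):
    """Map each pam_ldap directive (lower-cased) to its value; comments and blanks skipped."""
    lines = (l.strip() for l in text.splitlines())
    return {k.lower(): v.strip() for k, _, v in (l.partition(" ") for l in lines if l and l[0] != "#")}

def parse_ldif(text):
    """Minimal LDIF reader (no base64 or folded lines): {normalised dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(normalize_dn(value), {})
        elif attr and attr[0] != "#" and current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def check_group_config(conf_text, ldif_text):
    """Return the mismatches between pam_groupdn/pam_member_attribute and the real group entry."""
    conf, groups = parse_ldap_conf(conf_text), parse_ldif(ldif_text)
    problems = []
    wanted = conf.get("pam_groupdn", "")
    entry = groups.get(normalize_dn(wanted))
    if entry is None:
        problems.append(f"pam_groupdn {wanted!r} matches no entry; group DNs found: {sorted(groups)}")
        entry = next(iter(groups.values()), {})  # fall back to the first group for the attribute check
    attr = conf.get("pam_member_attribute", "uniquemember").lower()  # uniquemember is pam_ldap's default
    if attr not in entry:
        held = sorted(a for a in entry if a not in ("objectclass", "cn"))
        problems.append(f"pam_member_attribute {attr!r} is not on the group; it lists members in {held}")
    return problems
```

Run against the posted fragments it reports two mismatches; after pointing both directives at the entry as it actually exists the list is empty.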