On Thu, Feb 17, 2011 at 4:44 PM, Hugo Monteiro <hugo.monteiro@fct.unl.pt> wrote:
On 02/17/2011 09:12 AM, Meghanand Acharekar wrote:

Hi,

I'm using pam_groupdn for restricting access to some for my servers,
by defining user groups as follows.

/etc/ldap.conf (Redhat 5.5)
# Group to enforce membership of

pam_groupdn cn=group1,ou=Group,dc=example,dc=com
# Group member attribute
pam_member_attribute memberUid

This works only if the pam_member_attribute is in following format.

memberUid: uid=user1,ou=People,dc=example,dc=com
memberUid: uid=user2,ou=People,dc=example,dc=com

Simply memberUid: user1 is not working, is there any way to fix this.


I believe pam_member_attribute will always refer to an attribute containing users DNs. Take a look at the RFC2307bis support.


Second, if a user which dose not belong to this group tries to login server,
access is denied by displaying following message.

You must be a memberUid of cn=group1,ou=Group,dc=example,dc=com to login.
Connection closed by x.x.x.x

Is it possible to change this message ?


In /etc/pam.d/common-account, for the pam_ldap.so line, use the following:

account     required      pam_ldap.so ignore_authinfo_unavail ignore_unknown_user no_warn


 
Thanks,
Its working as I expected.

Regards,

Hugo Monteiro.
-- 
fct.unl.pt:~# cat .signature

Hugo Monteiro
Email	 : hugo.monteiro@fct.unl.pt
Telefone : +351 212948300 Ext.15307
Web      : http://hmonteiro.net

Divisão de Informática
Faculdade de Ciências e Tecnologia da
		   Universidade Nova de Lisboa
Quinta da Torre   2829-516 Caparica   Portugal
Telefone: +351 212948596   Fax: +351 212948548
www.fct.unl.pt                apoio@fct.unl.pt

fct.unl.pt:~# _
Thanks,
Meghanand