Hi,
I'm using pam_groupdn for restricting access to some of my servers, by defining user groups as follows.

/etc/ldap.conf (Redhat 5.5)

# Group to enforce membership of
pam_groupdn cn=group1,ou=Group,dc=example,dc=com
# Group member attribute
pam_member_attribute memberUid

This works only if the pam_member_attribute is in the following format.

memberUid: uid=user1,ou=People,dc=example,dc=com
memberUid: uid=user2,ou=People,dc=example,dc=com

Simply memberUid: user1 is not working; is there any way to fix this?

Second, if a user who does not belong to this group tries to log in to the server,
access is denied with the following message.

You must be a memberUid of cn=group1,ou=Group,dc=example,dc=com to login.
Connection closed by x.x.x.x

Is it possible to change this message?
Thanks & Regards,
Meghanand N. Acharekar
On 02/17/2011 09:12 AM, Meghanand Acharekar wrote:
Hi,
I'm using pam_groupdn for restricting access to some of my servers, by defining user groups as follows.

/etc/ldap.conf (Redhat 5.5)

# Group to enforce membership of
pam_groupdn cn=group1,ou=Group,dc=example,dc=com
# Group member attribute
pam_member_attribute memberUid

This works only if the pam_member_attribute is in the following format.

memberUid: uid=user1,ou=People,dc=example,dc=com
memberUid: uid=user2,ou=People,dc=example,dc=com

Simply memberUid: user1 is not working; is there any way to fix this?

I believe pam_member_attribute will always refer to an attribute containing users' DNs. Take a look at the RFC2307bis support.

Second, if a user who does not belong to this group tries to log in to the server, access is denied with the following message.

You must be a memberUid of cn=group1,ou=Group,dc=example,dc=com to login.
Connection closed by x.x.x.x

Is it possible to change this message?
In /etc/pam.d/common-account, for the pam_ldap.so line, use the following:
account required pam_ldap.so ignore_authinfo_unavail ignore_unknown_user no_warn
Regards,
Hugo Monteiro.
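To make Hugo's point concrete, here is a small emulation (added example, not code from the thread or from pam_ldap) of the membership test behind pam_groupdn. It assumes, as Hugo says, that pam_ldap checks whether the group entry carries the user's DN as a value of pam_member_attribute; the two group entries are constructed sample data.

```python
# Emulation of the pam_groupdn membership test (assumption: pam_ldap asks the
# directory whether the group entry has the user's DN as a value of
# pam_member_attribute).  Group entries below are constructed sample data.

# Classic RFC 2307 posixGroup: memberUid carries bare login names.
POSIX_GROUP_LDIF = """\
dn: cn=group1,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: group1
memberUid: user1
memberUid: user2
"""

# RFC2307bis-style group: member carries full user DNs.
RFC2307BIS_GROUP_LDIF = """\
dn: cn=group1,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
cn: group1
member: uid=user1,ou=People,dc=example,dc=com
member: uid=user2,ou=People,dc=example,dc=com
"""

USER1_DN = "uid=user1,ou=People,dc=example,dc=com"

def parse_ldif_entry(ldif):
    """Parse one flat LDIF entry into {attr: [values]} with attrs lower-cased."""
    entry = {}
    for line in ldif.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def normalize_dn(dn):
    """Simplified DN normalisation: case-fold, trim blanks around each RDN."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def groupdn_allows(group_ldif, member_attr, user_dn):
    """True if the group has user_dn as a value of member_attr (compared as DNs)."""
    values = parse_ldif_entry(group_ldif).get(member_attr.lower(), [])
    wanted = normalize_dn(user_dn)
    return any(normalize_dn(v) == wanted for v in values)

if __name__ == "__main__":
    # The thread's failing setup: a bare login name can never equal a DN -> denied.
    print(groupdn_allows(POSIX_GROUP_LDIF, "memberUid", USER1_DN))    # False
    # DN-valued member attribute (RFC2307bis) -> allowed.
    print(groupdn_allows(RFC2307BIS_GROUP_LDIF, "member", USER1_DN))  # True
```

The same check can be reproduced against a live directory with ldapcompare on the group DN, which is a quick way to verify the attribute format before touching PAM.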
On Thu, Feb 17, 2011 at 4:44 PM, Hugo Monteiro <hugo.monteiro@fct.unl.pt> wrote:
On 02/17/2011 09:12 AM, Meghanand Acharekar wrote:
Hi,
I'm using pam_groupdn for restricting access to some of my servers, by defining user groups as follows.

/etc/ldap.conf (Redhat 5.5)

# Group to enforce membership of
pam_groupdn cn=group1,ou=Group,dc=example,dc=com
# Group member attribute
pam_member_attribute memberUid

This works only if the pam_member_attribute is in the following format.

memberUid: uid=user1,ou=People,dc=example,dc=com
memberUid: uid=user2,ou=People,dc=example,dc=com

Simply memberUid: user1 is not working; is there any way to fix this?

I believe pam_member_attribute will always refer to an attribute containing users' DNs. Take a look at the RFC2307bis support.

Second, if a user who does not belong to this group tries to log in to the server, access is denied with the following message.

You must be a memberUid of cn=group1,ou=Group,dc=example,dc=com to login.
Connection closed by x.x.x.x

Is it possible to change this message?
In /etc/pam.d/common-account, for the pam_ldap.so line, use the following:
account required pam_ldap.so ignore_authinfo_unavail ignore_unknown_user no_warn
Thanks, it's working as I expected.
Regards,
Hugo Monteiro.
--
fct.unl.pt:~# cat .signature
Hugo Monteiro
Email : hugo.monteiro@fct.unl.pt
Telephone : +351 212948300 Ext.15307
Web : http://hmonteiro.net

Divisão de Informática
Faculdade de Ciências e Tecnologia da Universidade Nova de Lisboa
Quinta da Torre, 2829-516 Caparica, Portugal
Telephone: +351 212948596
Fax: +351 212948548
www.fct.unl.pt  apoio@fct.unl.pt
fct.unl.pt:~# _
Thanks,
Meghanand
openldap-technical@openldap.org