Hi, the desired implementation is to control user logins on different lab machines based on the project groups. Scenario: Bob is part of project group 'mars' & John is part of 'venus'; I have added lab machines x1-x3 to group 'mars' & y1-y3 to group 'venus'. Now I want John to only access machines allocated for project 'mars', i.e. x1 to x3, & John to access machines allocated for 'venus', i.e. y1 to y3.
I went through this link http://www.hurricanelabs.com/september2009_login_security_using_openldap_and_pam and learned that it can be achieved using "overlay dynlist". Please correct me if I've got it wrong. However, my lab server is Ubuntu 9.10 (karmic koala) and it is using slapd.d (not slapd.conf). So now, if I want to attempt to use "overlay dynlist", how should I go about it? Has anyone done this before? Any help will be appreciated.
Thanks Shamika
Hi Shamika,
There are some examples in the Faq-O-Matic on how to use dynlists. Take a look here: http://www.openldap.org/faq/data/cache/1209.html
Here is an example of my config to do this:
cat /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb/olcOverlay={0}dynlist.ldif
dn: olcOverlay={0}dynlist
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
objectClass: olcDynamicList
olcOverlay: {0}dynlist
olcDlAttrSet: {0}posixGroup labeledURI memberUid:uid

dn: cn=users,ou=People,ou=Groups,dc=example,dc=com
structuralObjectClass: posixGroup
objectClass: posixGroup
objectClass: labeledURIObject
objectClass: top
memberUid: username1
memberUid: username2
memberUid: username3
memberUid: username4
memberUid: username5
cn: users
gidNumber: 1100
labeledURI: ldap:///ou=Users,dc=example,dc=com?uid?sub?(objectClass=posixAccount)
That is, if you have username1 to username5 in ou=Users,dc=example,dc=com with uids like these and the objectClass posixAccount.
Maybe you can modify that to your needs.
Bye,
On Thu, Apr 1, 2010 at 15:19, Shamika Joshi shamika.joshi@gmail.com wrote:
[...]
Shamika Joshi shamika.joshi@gmail.com writes:
[...]
ldapmodify -D cn=config -W -H ldap://some.host
dn: cn={0}module,cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: dynlist.la
and ldapadd the following ldif, while olcDataBase and olcDlAttrSet may vary on your system.
dn: olcOverlay=dynlist,olcDataBase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: dynlist
olcDlAttrSet: groupOfURLs memberURL
-Dieter
As you guys suggested, I attempted to load the dynlist.la module, but it gives me the following error:
admins@x6:~$ ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: cn={0}module,cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: dynlist.la

modifying entry "cn={0}module,cn=config"
ldap_modify: No such object (32)
        matched DN: cn=config
If I remove '{0}module,' from the dn it gives this error:
admins@x6:~$ ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: dynlist.la

modifying entry "cn=config"
ldap_modify: Object class violation (65)
        additional info: attribute 'olcModuleLoad' not allowed
I'm new to LDAP & don't have much knowledge about LDAP schema. Could you tell what must be causing this error? Please check the cn=config attached with this mail.
Thanks Shamika
On Thu, Apr 1, 2010 at 8:02 PM, Dieter Kluenter dieter@dkluenter.de wrote:
[...]
-- Dieter Klünter | Systemberatung sip: +49.40.20932173 http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6
Shamika Joshi shamika.joshi@gmail.com writes:
[...]
admins@x6:~$ ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W
Enter LDAP Password:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
[...]
Check your module path to see whether the dynlist overlay is installed at all.
-Dieter
Yes it is in /usr/lib/ldap
admins@x6:~$ locate dynlist
/etc/ldap/dynlist.ldif
/usr/lib/ldap/dynlist-2.4.so.2
/usr/lib/ldap/dynlist-2.4.so.2.5.1
/usr/lib/ldap/dynlist.la
/usr/lib/ldap/dynlist.so
/usr/share/man/man5/slapo-dynlist.5.gz

admins@x6:~$ ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W
Enter LDAP Password:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
but still gives the same error, what could be the reason?
admins@x6:~$ ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: dynlist.la

modifying entry "cn=config"
ldap_modify: Object class violation (65)
        additional info: attribute 'olcModuleLoad' not allowed
Thanks Shamika
On Fri, Apr 2, 2010 at 10:31 PM, Dieter Kluenter dieter@dkluenter.de wrote:
[...]
Am Mon, 5 Apr 2010 12:20:07 +0530 schrieb Shamika Joshi shamika.joshi@gmail.com:
[...]
I just tested it on my system:
$ ldapmodify -D cn=config -w xxx -ZZ -H ldap://magenta.avci.de
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleload
olcModuleLoad: dynlist.la

modifying entry "cn=module{0},cn=config"

and a search produces:
ldapsearch -LLL -D cn=config -w xxx -ZZ -H ldap://magenta.avci.de -b cn=module{0},cn=config -s base "*"

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/openldap/modules
olcModuleLoad: {0}back_meta.la
olcModuleLoad: {1}dynlist.la
-Dieter
Yeah, now it worked for me too... Maybe there was a typo or something... I'll get to the actual dynlist configuration now & get back if there are any questions.
Thanks a lot for your help, Shamika
On Tue, Apr 6, 2010 at 2:56 PM, Dieter Kluenter dieter@dkluenter.de wrote:
[...]
My cn=config is attached here. I have added users bob & george with host objects cms2 & cms3 respectively, as shown below for cn=bob,ou=Users,dc=testlab,dc=com:
cn: bob
uid: bob
objectClass: account
objectClass: posixAccount
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/bob
loginShell: /bin/sh
gecos: bob
description: User account
host: cms2
userPassword: {SSHA}GtI94c1LAH6F1Wj3rqUGwjND1oUGa2hq
Also I have 2 machines, u910desk & x15f12, added with a labeledURI searching for the host object value 'cms2' & 'cms3' respectively, as shown in the example below for cn=u910desk,ou=Machines,dc=testlab,dc=com:
cn: u910desk
ipHostNumber: 172.17.5.232
member: cn=placeholder,dc=testlab,dc=com
objectClass: top
objectClass: groupOfNames
objectClass: labeledURIObject
objectClass: ipHost
labeledURI: ldap:///ou=Users,dc=testlab,dc=com??one?(host=cms2)
Now if I attempt '#ssh bob@172.17.5.232' it should allow me because bob contains host object cms2, whereas if I do '#ssh george@172.17.5.232' it should fail because 172.17.5.232 is looking for host object 'cms2' whereas george contains host object cms3. Correct? But in the practical scenario this is not happening. It still allows me to ssh to both machines using both users bob & george. Any clue what I must be missing here?
thanks Shamika
On Tue, Apr 6, 2010 at 4:04 PM, Shamika Joshi shamika.joshi@gmail.com wrote:
[...]
Am Tue, 6 Apr 2010 16:54:34 +0530 schrieb Shamika Joshi shamika.joshi@gmail.com:
[...]
Put the ssh problem aside and get the dynamic objects working first. What is the output of a search on the base cn=u910desk,ou=Machines,dc=testlab,dc=com? Do you get the results wanted?
-Dieter
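An added, editorial example, not code from Dieter, Shamika or the OpenLDAP project: the check Dieter asks for is whether reading the machine entry yields the expanded members. The script below models that expansion offline for both attrset shapes seen in this thread, the first reply's 'posixGroup labeledURI memberUid:uid' mapping and a DN-valued member attribute on the groupOfNames machine entries. It parses the labeledURI (RFC 4516 form), evaluates the filter against a constructed in-memory copy of the testlab entries, and reports which uids each machine entry selects. The directory contents, the ATTRSETS values, the machine() helper and the cn=mars group are my assumptions, built to mirror the entries posted; nothing here talks to a real slapd.

```python
"""Added example, not code from the thread: an offline model of how slapo-dynlist
expands a labeledURI into group members. My assumptions: dict directory, filters
limited to =, presence, &, | and !, and entries constructed to mirror the lab."""
from urllib.parse import unquote

USERS = "ou=Users,dc=testlab,dc=com"

def machine(host):  # constructed machine entry, shaped like cn=u910desk in the thread
    return {"objectClass": ["groupOfNames", "labeledURIObject", "ipHost"],
            "member": ["cn=placeholder,dc=testlab,dc=com"],
            "labeledURI": ["ldap:///%s??one?(host=%s)" % (USERS, host)]}

# Constructed directory: bob -> cms2, george -> cms3, one machine per host object,
# plus a hypothetical posixGroup using the first reply's memberUid:uid mapping.
DIRECTORY = {
    "cn=bob," + USERS: {"objectClass": ["posixAccount"], "uid": ["bob"], "host": ["cms2"]},
    "cn=george," + USERS: {"objectClass": ["posixAccount"], "uid": ["george"], "host": ["cms3"]},
    "cn=u910desk,ou=Machines,dc=testlab,dc=com": machine("cms2"),
    "cn=x15f12,ou=Machines,dc=testlab,dc=com": machine("cms3"),
    "cn=mars,ou=Groups,dc=testlab,dc=com": {"objectClass": ["posixGroup", "labeledURIObject"],
        "labeledURI": ["ldap:///" + USERS + "??one?(|(host=cms2)(host=cms3))"]},
}
# Assumed olcDlAttrSet values; grammar: <group-oc> <URI-ad> [[<mapped-ad>:]<member-ad>]
ATTRSETS = ["groupOfNames labeledURI member", "posixGroup labeledURI memberUid:uid"]

def norm_dn(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()

def attr_values(entry, name):  # LDAP attribute names are case-insensitive
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])

def parse_ldap_url(url):
    """Split an RFC 4516 URL: ldap://host/base?attrs?scope?filter."""
    scheme, _, rest = url.partition("://")
    host, _, path = rest.partition("/")
    base, attrs, scope, filt = (unquote(p) for p in (path.split("?") + [""] * 3)[:4])
    return {"host": host, "base": base, "attrs": [a for a in attrs.split(",") if a],
            "scope": scope.lower() or "base", "filter": filt or "(objectClass=*)"}

def parse_filter(text):
    """RFC 4515 filter -> ('=', attr, value) leaves or (op, [children]) for &, |, !."""
    def node(i):
        if text[i + 1] in "&|!":
            op, kids, i = text[i + 1], [], i + 2
            while text[i] == "(":
                child, i = node(i)
                kids.append(child)
            return (op, kids), i + 1  # i sits on the closing ')'
        j = text.index(")", i)
        attr, _, value = text[i + 1:j].partition("=")
        return ("=", attr.strip(), value), j + 1
    tree, end = node(0)
    if text[0] != "(" or end != len(text):
        raise ValueError("malformed filter: " + text)
    return tree

def matches(entry, tree):
    if tree[0] == "!":
        return not matches(entry, tree[1][0])
    if tree[0] in "&|":
        return (all if tree[0] == "&" else any)(matches(entry, k) for k in tree[1])
    vals = [v.lower() for v in attr_values(entry, tree[1])]
    return bool(vals) if tree[2] == "*" else tree[2].lower() in vals

def in_scope(dn, base, scope):
    dn, base = norm_dn(dn), norm_dn(base)
    if scope in ("one", "onelevel"):  # the entry's parent must be the base
        return dn.partition(",")[2] == base
    return dn == base or (scope != "base" and dn.endswith("," + base))  # base / sub

def search(directory, url):
    tree = parse_filter(url["filter"])
    return [dn for dn, e in directory.items()
            if in_scope(dn, url["base"], url["scope"]) and matches(e, tree)]

def expand(directory, group_dn, attrsets=ATTRSETS):
    """Attributes dynlist adds to group_dn on read, per the attrset matching its class."""
    group = directory[group_dn]
    classes = {c.lower() for c in attr_values(group, "objectClass")}
    added = {}
    for spec in attrsets:
        group_oc, uri_ad, *rest = spec.split()
        if group_oc.lower() not in classes:
            continue
        for raw in attr_values(group, uri_ad):
            url = parse_ldap_url(raw)
            for dn in search(directory, url):
                if not rest:  # no member-ad: copy the URL's attribute list from each match
                    for a in url["attrs"]:
                        added.setdefault(a, []).extend(attr_values(directory[dn], a))
                elif ":" in rest[0]:  # mapped-ad:member-ad, e.g. memberUid:uid
                    mapped, member = rest[0].split(":", 1)
                    added.setdefault(mapped, []).extend(attr_values(directory[dn], member))
                else:  # member-ad alone: a dynamic group holding the matched DNs
                    added.setdefault(rest[0], []).append(dn)
    return added

def allowed_uids(directory, machine_dn):
    """uids the machine's labeledURI selects, i.e. the logins it should admit."""
    members = expand(directory, machine_dn).get("member", [])
    return sorted(u for dn in members for u in attr_values(directory[dn], "uid"))
```

Calling allowed_uids(DIRECTORY, "cn=u910desk,ou=Machines,dc=testlab,dc=com") returns ['bob'] and the x15f12 entry returns ['george']; expand() on the cn=mars group returns a memberUid list built from the matched users' uid values, which is what the first reply's attrset does. The point of the model is the one Dieter makes: dynlist adds these members at read time, so if a search of the machine entry does not show them, the overlay is not active on that entry's database and the client-side PAM/NSS configuration has nothing to consume.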
Yes, it shows it correctly.
admins@x6:~$ ldapsearch -xLLL -b cn=u910desk,ou=Machines,dc=testlab,dc=com
dn: cn=u910desk,ou=Machines,dc=testlab,dc=com
cn: u910desk
ipHostNumber: 172.17.5.232
member: cn=placeholder,dc=testlab,dc=com
objectClass: top
objectClass: groupOfNames
objectClass: labeledURIObject
objectClass: ipHost
labeledURI: ldap://172.17.0.200/ou=Users,dc=testlab,dc=com??one?(host=cms3)
The search result of ldap://172.17.0.200/ou=Users,dc=testlab,dc=com??one?(host=cms3) shows uid=george, which is correct. Should I be doing any more configuration to get this login restriction working?
Thanks Shamika
On Tue, Apr 6, 2010 at 5:41 PM, Dieter Kluenter dieter@dkluenter.de wrote:
[...]
Am Wed, 7 Apr 2010 15:07:34 +0530 schrieb Shamika Joshi shamika.joshi@gmail.com:
[...]
If this is really the result you expect, then you should configure pam sshd and nsswitch to use this result.
-Dieter
Thanks for your continuous & prompt help, Dieter. I truly appreciate it. I think I had taken care of the pam-ldap & nsswitch configuration before, but I will revisit that part & get back to you.
Thanks Shamika
On Wed, Apr 7, 2010 at 7:53 PM, Dieter Kluenter dieter@dkluenter.de wrote:
[...]
Please find the pam-ldap & nsswitch configuration from my Ubuntu10desktop client & Fed12desktop client. I guess it looks fine. Could you review & let me know if you find I've mis-configured or missed out on something?
Thanks Shamika
On Thu, Apr 8, 2010 at 11:39 AM, Shamika Joshi shamika.joshi@gmail.com wrote:
[...]
Shamika Joshi shamika.joshi@gmail.com writes:
[...]
I am missing /etc/ldap.conf
-Dieter
Here it is...ldap.conf from both my client machines.
Thanks Shamika
On Thu, Apr 8, 2010 at 1:08 PM, Dieter Kluenter dieter@dkluenter.de wrote:
[...]
Shamika Joshi shamika.joshi@gmail.com writes:
[...]
/etc/ldap.conf U910desktop
base dc=testlab,dc=com
ldap_version 3
rootbinddn cn=admin,dc=testlab,dc=com
bind_policy soft
pam_password exop
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,proxy,pulse,root,saned,speech-dispatcher,sshd,sync,sys,syslog,uucp,www-data

/etc/ldap.conf Fed12desktop
base dc=testlab,dc=com
timelimit 120
bind_timelimit 120
bind_policy soft
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse
uri ldap://172.17.0.200/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
I don't think this configuration will provide the data required. As support for the name service switch is far beyond the scope of this mailing list, you should probably ask on an nsswitch-related or Ubuntu-related mailing list how to properly configure nsswitch in order to retrieve group information.
-Dieter
Ok, I shall do that. Thank you very much for your extended help in this regard.
On Thu, Apr 8, 2010 at 2:49 PM, Dieter Kluenter dieter@dkluenter.de wrote:
[...]
openldap-technical@openldap.org