Hi,
I have a set of servers on which I want to configure ssh access based on the user's group membership.
I'm using CentOS 5 and this version of openldap
[root@centos5 ldifs]# rpm -qa | grep ldap
openldap-servers-2.3.43-12.el5_7.10
php-ldap-5.1.6-27.el5_7.5
openldap-servers-overlays-2.3.43-12.el5_7.10
openldap-2.3.43-12.el5_7.10
nss_ldap-253-42.el5_7.4
openldap-2.3.43-12.el5_7.10
nss_ldap-253-42.el5_7.4
openldap-clients-2.3.43-12.el5_7.10
[root@centos5 ldifs]#
And this is my ldap.conf:
base dc=homelinux,dc=net
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_groupdn cn=access,ou=Group,dc=homelinux,dc=net
pam_member_attribute member
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
uri ldap://127.0.0.1/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
And this is the contents of cn=access:
[root@centos5 ldifs]# ldapsearch -x -W -D 'cn=Manager,dc=homelinux,dc=net' -h 127.0.0.1 "cn=access"
# access, Group, homelinux.net
dn: cn=access,ou=Group,dc=homelinux,dc=net
cn: access
objectClass: top
objectClass: groupOfNames
objectClass: labeledURIObject
member: uid=nobody,ou=People,dc=homelinux,dc=net
labeledURI: ldap:///ou=People,dc=homelinux,dc=net??one?(gidNumber=10060)
labeledURI: ldap:///ou=People,dc=homelinux,dc=net??one?(host=jumpbox)
[root@centos5 ldifs]#
And this is the contents of the group with gid 10060 (unixsa):
[root@centos5 ldifs]# ldapsearch -x -W -D 'cn=Manager,dc=homelinux,dc=net' -h 127.0.0.1 "cn=unixsa"
# unixsa, Group, homelinux.net
dn: cn=unixsa,ou=Group,dc=homelinux,dc=net
gidNumber: 10060
description: unixsa
objectClass: top
objectClass: posixGroup
cn: unixsa
memberUid: uid=dan,ou=People,dc=homelinux,dc=net
memberUid: dan
[root@centos5 ldifs]#
And when I try to ssh into this box I get the following:
[kwame@vader ~]$ ssh dan@centos5
dan@centos5's password:
You must be a member of cn=access,ou=Group,dc=homelinux,dc=net to login.
Connection closed by 192.168.122.225
[kwame@vader ~]$
This is the info for the user dan:
[root@centos5 ldifs]# id dan
uid=10051(uid=dan,ou=People,dc=homelinux,dc=net) gid=10051(dan) groups=10051(dan),10060(unixsa)
Comments? Thoughts? Words of wisdom?
Best regards
openldap-technical@openldap.org
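The check that pam_groupdn / pam_member_attribute perform is a literal one: the user's DN has to appear as a value of the named attribute (here `member`) on the group entry the server returns. A labeledURI on a groupOfNames is only turned into member values if the server expands it (that is the job of the dynlist overlay); the client does not evaluate the URL itself. The script below, an added example that is not code from the post, from nss_ldap or from OpenLDAP, replays that check offline against the entries shown above and then mimics what a server-side expansion of the two labeledURI values would produce. The entry for uid=dan is constructed here from the `id dan` output (primary gidNumber 10051) and is an assumption; the two group entries are the posted LDIF.

```python
"""Replay the pam_groupdn membership check and a labeledURI expansion
against the entries from the post.  Added example, not code from the
post, nss_ldap or OpenLDAP."""
import re

# Constructed LDIF: the two group entries from the post, plus a hypothetical
# posixAccount for dan consistent with `id dan` (uid 10051, primary gid 10051).
LDIF = """\
dn: cn=access,ou=Group,dc=homelinux,dc=net
cn: access
objectClass: top
objectClass: groupOfNames
objectClass: labeledURIObject
member: uid=nobody,ou=People,dc=homelinux,dc=net
labeledURI: ldap:///ou=People,dc=homelinux,dc=net??one?(gidNumber=10060)
labeledURI: ldap:///ou=People,dc=homelinux,dc=net??one?(host=jumpbox)

dn: cn=unixsa,ou=Group,dc=homelinux,dc=net
gidNumber: 10060
description: unixsa
objectClass: top
objectClass: posixGroup
cn: unixsa
memberUid: uid=dan,ou=People,dc=homelinux,dc=net
memberUid: dan

dn: uid=dan,ou=People,dc=homelinux,dc=net
uid: dan
objectClass: posixAccount
uidNumber: 10051
gidNumber: 10051
"""


def parse_ldif(text):
    """Minimal LDIF reader: dn -> {attr: [values]} (no base64, no line folding)."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            cur = None  # blank line ends the entry
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            cur = entries.setdefault(value, {})
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries


def pam_groupdn_check(entries, group_dn, member_attr, user_dn):
    """The client-side test: is user_dn a literal value of member_attr on the
    group entry?  (Exact string compare; DN normalisation is not modelled.)"""
    return user_dn in entries.get(group_dn, {}).get(member_attr, [])


URL_RE = re.compile(r"^ldap:///(?P<base>[^?]*)\?(?P<attrs>[^?]*)\?(?P<scope>[^?]*)\?(?P<filter>.*)$")
FILTER_RE = re.compile(r"^\((?P<attr>[^=]+)=(?P<value>[^)]*)\)$")


def expand_labeled_uris(entries, group_dn):
    """Mimic server-side dynamic-group expansion: evaluate each labeledURI's
    base, one-level scope and single equality filter, returning matching DNs.
    Only '(attr=value)' filters and scope 'one' are handled here."""
    members = []
    for url in entries.get(group_dn, {}).get("labeledURI", []):
        m = URL_RE.match(url)
        if not m or m["scope"] != "one":
            continue
        f = FILTER_RE.match(m["filter"])
        if not f:
            continue
        for dn, attrs in entries.items():
            parent = dn.split(",", 1)[1] if "," in dn else ""
            if parent == m["base"] and f["value"] in attrs.get(f["attr"], []):
                members.append(dn)
    return members


def effective_members(entries, group_dn, member_attr="member"):
    """Static member values plus whatever the URLs would add after expansion."""
    static = entries.get(group_dn, {}).get(member_attr, [])
    return sorted(set(static) | set(expand_labeled_uris(entries, group_dn)))


if __name__ == "__main__":
    e = parse_ldif(LDIF)
    g = "cn=access,ou=Group,dc=homelinux,dc=net"
    u = "uid=dan,ou=People,dc=homelinux,dc=net"
    print("static member check for dan:", pam_groupdn_check(e, g, "member", u))
    print("members after URL expansion:", effective_members(e, g))
```

Run as-is it shows two things: the static check for dan is false because his DN is not a `member` value, and even after expanding the URLs nothing is added, since the first filter matches user entries whose own gidNumber attribute is 10060 (dan's is 10051; his unixsa membership comes from memberUid on the group, which the filter never looks at) and no entry under ou=People carries host=jumpbox. Appending an entry with gidNumber 10060 under ou=People to the LDIF makes the expansion pick it up, which is a quick way to confirm what a given URL would admit before trusting it as an access gate.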