I'm currently trying to get group based login working with little success using pam_groupdn on CentOS. Currently, any existing LDAP user is allowed to login to the system, but it does throw the error: "You must be a member of cn=login,ou=Group,dc=mydomain,dc=com to login." I would like to deny logins for any ldap users unless they exist in the specified group (in this case, cn=login,ou=Group,dc=mydomain,dc=com). Can anyone tell me what I'm doing wrong or point me toward some documentation?
/etc/ldap.conf:
uri ldaps://ldap.mydomain.com
base dc=mydomain,dc=com
binddn cn=user,ou=People,dc=mydomain,dc=com
bindpw password
bind_policy soft
pam_password md5
pam_login_attribute userID
pam_groupdn cn=login,ou=Groups,dc=mydomain,dc=com
pam_member_attribute member
pam_lookup_policy yes
tls_checkpeer no
ssl on
LDAP login group:
dn: cn=login,ou=Group,dc=mydomain,dc=com
objectClass: top
objectClass: posixGroup
cn: login
description: login group
gidNumber: 100
memberUid: user1
memberUid: user2
Paul wrote:
I'm currently trying to get group based login working with little success
using pam_groupdn on CentOS. Currently, any existing LDAP user is allowed to login to the system, but it does throw the error: "You must be a member of cn=login,ou=Group,dc=mydomain,dc=com to login." I would like to deny logins for any ldap users unless they exist in the specified group (in this case, cn=login,ou=Group,dc=mydomain,dc=com). Can anyone tell me what I'm doing wrong or point me toward some documentation?
Your question has nothing to do with OpenLDAP and has everything to do with PAM. Read the docs for pam.conf.
/etc/ldap.conf:
uri ldaps://ldap.mydomain.com
base dc=mydomain,dc=com
binddn cn=user,ou=People,dc=mydomain,dc=com
bindpw password
bind_policy soft
pam_password md5
pam_login_attribute userID
pam_groupdn cn=login,ou=Groups,dc=mydomain,dc=com
pam_member_attribute member
pam_lookup_policy yes
tls_checkpeer no
ssl on
LDAP login group:
dn: cn=login,ou=Group,dc=mydomain,dc=com
objectClass: top
objectClass: posixGroup
cn: login
description: login group
gidNumber: 100
memberUid: user1
memberUid: user2
The pam_member_attribute must match the LDAP attribute used in the LDAP login groups; memberUid in your case (not member). Simple mistake?
Joe
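As an added illustration (not code from the thread or from pam_ldap), this Python script models the pam_groupdn check against the ldap.conf keys and the group entry Paul posted, so that each of the two visible mismatches, ou=Groups versus ou=Group in the group DN and pam_member_attribute member versus the posixGroup's memberUid, yields its own denial reason. The rule that memberUid is matched against the uid and any other attribute against the user's DN is a simplifying assumption, as is the user DN used in the test.

```python
# Constructed from the thread: the relevant pam_ldap keys (bindpw and the
# unrelated keys omitted) and the posted group entry, both as inline strings.
LDAP_CONF = """\
pam_groupdn cn=login,ou=Groups,dc=mydomain,dc=com
pam_member_attribute member
"""
GROUP_LDIF = """\
dn: cn=login,ou=Group,dc=mydomain,dc=com
objectClass: posixGroup
cn: login
memberUid: user1
memberUid: user2
"""

def parse_ldap_conf(text):
    """'key value' lines of an nss_ldap/pam_ldap style ldap.conf -> dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def parse_ldif_entry(text):
    """One LDIF entry -> (dn, {lowercased attribute: [values]})."""
    dn, attrs = None, {}
    for line in text.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "dn":
            dn = value.strip()
        elif name.strip():
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return dn, attrs

def normalize_dn(dn):
    """Case-insensitive DN comparison with whitespace around commas dropped."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def group_login_allowed(conf, entries, uid, user_dn):
    """Simplified model of the pam_groupdn check (assumption: memberUid is
    matched against the uid, any other attribute against the user's DN).
    Returns (allowed, reason) so a mismatch points at the offending key."""
    wanted = normalize_dn(conf["pam_groupdn"])
    group = next((a for d, a in entries if normalize_dn(d) == wanted), None)
    if group is None:
        return False, "pam_groupdn %s does not exist" % conf["pam_groupdn"]
    attr = conf.get("pam_member_attribute", "uniquemember").lower()
    by_uid = attr == "memberuid"
    needle = uid if by_uid else normalize_dn(user_dn)
    values = [v if by_uid else normalize_dn(v) for v in group.get(attr, [])]
    if needle in values:
        return True, "%s lists %s" % (attr, needle)
    return False, "%s does not list %s (check pam_member_attribute)" % (attr, needle)
```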
openldap-technical@openldap.org