Hi,
I have a case where only users in a particular LDAP group should be allowed to log in to a host. I found a method via Google that uses pam_listfile.so, and I tried it as described (https://www.cyberciti.biz/tips/howto-deny-allow-linux-user-group-login.html), but it failed to restrict logins to that particular group. Below is what I did:
1. add pam_listfile.so to system-auth
# grep pam_listfile.so system-auth -A2
auth required pam_listfile.so \
    onerr=fail item=group sense=allow file=/etc/login.group.allowed
2. create the file login.group.allowed and add the group name to it
# ll /etc/login.group.allowed
-rwxr-xr-x. 1 root root 12 Jan 7 19:28 /etc/login.group.allowed
# cat /etc/login.group.allowed
hogpu-users
3. try to log in as a user who is not in group hogpu-users.
$ ssh test.lu@10.10.10.37
luo.lu@101.100.10.37's password:
Last login: Sat Jan 7 19:30:04 2017 from 10.31.32.72
id: cannot find name for group ID 501
[luo.lu@xyz-gpu100 ~]$ id test.lu
uid=10138(test.lu) gid=501 groups=501,503(hogpu-algorithm-intern)
So user test.lu is not in group hogpu-users, but I can still log in to the host.
What did I miss? Any suggestions?
Thanks
On Sat, Jan 07, 2017 at 11:53:27AM +0800, Frank Yu wrote:
> # grep pam_listfile.so system-auth -A2
> auth required pam_listfile.so \
>     onerr=fail item=group sense=allow file=/etc/login.group.allowed
Without your complete pam configuration there's really no way to tell what's going on. For example, what if you have a module configured as sufficient listed above this line? pam_listfile would never even be consulted.
All I can really say is that I use pam_listfile as so:
auth requisite pam_listfile.so item=group sense=allow file=/etc/security/authorized_groups.conf onerr=fail
and it works fine for me, with groups pulled out of LDAP, the way I have it integrated into the rest of my pam configuration. That, and you'd probably be better off taking this inquiry to the pam mailing list as your issue is most likely with pam configuration, not ldap, assuming a "getent group <groupname>" returns the group from ldap you're working with.
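To make the ordering point concrete, here is a toy evaluator for a PAM "auth" stack, added for this page (it is not Linux-PAM or pam_listfile code and models only the control flags required/requisite/sufficient/optional plus three stand-in modules). The two stacks, the user-to-group map, the allow-file contents and the user "alice" are all constructed for the example; the first stack places a "sufficient" module above pam_listfile, the second uses the requisite-first ordering from the reply above.

```python
"""Toy evaluator for a PAM 'auth' stack. Added illustration only: it is
not Linux-PAM code and models just required/requisite/sufficient/optional
and three stand-in modules (pam_listfile, pam_unix, pam_deny)."""

from collections import namedtuple

Entry = namedtuple("Entry", "control module args")

# Constructed stand-in for the NSS group database (local files + LDAP).
# test.lu matches the post (not in hogpu-users); alice is a made-up user
# who is in the allowed group.
GROUPS = {
    "test.lu": {"hogpu-algorithm-intern"},
    "alice": {"hogpu-users", "staff"},
}
# Constructed stand-in for the file pam_listfile would read.
FILES = {
    "/etc/login.group.allowed": "hogpu-users\n",
}

# Stack 1: a 'sufficient' module sits above pam_listfile (constructed).
MISORDERED = """
auth sufficient pam_unix.so nullok try_first_pass
auth required   pam_listfile.so \\
    onerr=fail item=group sense=allow file=/etc/login.group.allowed
"""
# Stack 2: pam_listfile first, as 'requisite' (constructed).
CORRECTED = """
auth requisite  pam_listfile.so item=group sense=allow \\
    file=/etc/login.group.allowed onerr=fail
auth sufficient pam_unix.so nullok try_first_pass
auth required   pam_deny.so
"""


def parse_stack(text):
    """Parse 'auth <control> <module> [key=value ...]' lines, joining '\\' continuations."""
    entries = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, control, module, *args = line.split()
        if kind != "auth":
            continue                       # only the auth stack is modelled
        entries.append(Entry(control, module,
                             {k: v for a in args for k, _, v in [a.partition("=")]}))
    return entries


def pam_listfile(user, args):
    """item=group sense=allow: succeed iff the user is in a group named in the file."""
    if args.get("item") != "group" or args.get("sense") != "allow":
        raise NotImplementedError("only item=group sense=allow is modelled")
    content = FILES.get(args.get("file"))
    if content is None:                    # file missing/unreadable
        if args.get("onerr") == "fail":
            return False
        raise NotImplementedError("only onerr=fail is modelled")
    return bool(GROUPS.get(user, set()) & set(content.split()))


def pam_unix(user, args):
    """Stand-in for a successful password check for any known user."""
    return user in GROUPS


def pam_deny(user, args):
    return False


MODULES = {"pam_listfile.so": pam_listfile, "pam_unix.so": pam_unix,
           "pam_deny.so": pam_deny}


def authenticate(stack, user):
    """Return (allowed, modules_consulted) following the control-flag rules."""
    consulted, failed, succeeded = [], False, False
    for e in stack:
        ok = MODULES[e.module](user, e.args)
        consulted.append(e.module)
        if e.control in ("required", "requisite"):
            if not ok and e.control == "requisite":
                return False, consulted    # requisite failure ends the stack
            failed = failed or not ok
            succeeded = succeeded or ok
        elif e.control == "sufficient" and ok and not failed:
            return True, consulted         # nothing below is consulted
        # 'optional' and a failing 'sufficient' do not affect the result
    return (succeeded and not failed), consulted


def login(stack_text, user):
    return authenticate(parse_stack(stack_text), user)


if __name__ == "__main__":
    for name, stack in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        for user in ("test.lu", "alice"):
            print(name, user, login(stack, user))
```

With the misordered stack, test.lu is allowed in after pam_unix alone and pam_listfile is never consulted; with pam_listfile first as requisite, test.lu is refused before the password is even checked, while alice passes both. Two practical checks go with this: run "getent group hogpu-users" on the host to confirm NSS resolves the LDAP group (as suggested above), and remember that item=group matches group names, so a gid that has no resolvable name cannot match any entry in the allow file.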
Paul,
Thanks for your reply. Finally it works for me:)
2017-01-08 12:00 GMT+08:00 Paul B. Henson henson@acm.org:
openldap-technical@openldap.org