I have recently been using OpenLDAP on a server for authentication. I have user auth working happily, but when I try to enable group_membership, it is not enforced. When a user with the correct group membership logs in, everything is happy, but when a user without the membership logs in, a notice appears that says "You must be a memberUid of cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan to login.", but the user is still able to continue and log in, and it is not enforcing the group membership.
Many thanks for your help (again).
Here is my nss_ldap.conf (/etc/ldap.conf)
base dc=chocolate,dc=lan
suffix dc=chocolate,dc=lan
uri ldap://ldap.chocolate.lan
ldap_version 3
scope sub
timelimit 3
bind_timelimit 3
bind_policy soft

pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_groupdn cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan
pam_member_attribute memberUid

pam_password clear
pam_password exop

nss_base_passwd ou=Users,dc=chocolate,dc=lan?sub
nss_base_passwd ou=Computers,dc=chocolate,dc=lan?sub
nss_base_shadow ou=Users,dc=chocolate,dc=lan?sub
nss_base_group ou=Nemo,ou=Group,dc=chocolate,dc=lan?sub

ssl on
ssl start_tls
tls_cacert /usr/local/etc/openldap/keys/cacert.crt
tls_checkpeer no
And my pam.d/sshd
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn
auth required pam_unix.so no_warn use_first_pass

account required pam_nologin.so
account required pam_login_access.so
account optional pam_unix.so
account optional /usr/local/lib/pam_ldap.so

session required pam_permit.so
session optional /usr/local/lib/pam_ldap.so

password sufficient pam_unix.so no_warn use_first_pass
On 17/06/2010 04:05, Indexer wrote:
but when a user without the membership logs in, a notice appears that says "You must be a memberUid of cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan to login.", but the user is still able to continue and log in, and it is not enforcing the group membership.
It's purely a pam issue, and not an ldap one.
[..]
account required pam_nologin.so
account required pam_login_access.so
account optional pam_unix.so
account optional /usr/local/lib/pam_ldap.so
It's a bit useless to have an 'optional' pam permission module...
On Thu, 17 Jun 2010, Indexer wrote:
membership logs in, a notice appears that says "You must be a memberUid of cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan to login.", but the user is still able to continue and log in, and it is not enforcing the group
[...]
account optional /usr/local/lib/pam_ldap.so
Of course they're able to continue; that check is optional in a stack that contains other results. See pam.conf(5) man page.
On Thu, Jun 17, 2010 at 8:04 AM, Aaron Richton <richton@nbcs.rutgers.edu> wrote:
On Thu, 17 Jun 2010, Indexer wrote:
membership logs in, a notice appears that says "You must be a memberUid of cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan to login.", but the user is still able to continue and log in, and it is not enforcing the group
[...]
account optional /usr/local/lib/pam_ldap.so
Of course they're able to continue; that check is optional in a stack that contains other results. See pam.conf(5) man page.
I think you want something like:
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
- Adam
openldap-technical@openldap.org
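To make the point of the replies concrete, here is a small simulator of how a PAM account stack combines per-module results into one verdict. It is an added example for this thread, not code from pam_ldap, OpenPAM or Linux-PAM. The combination rules it implements are the ones documented in Linux-PAM's pam.conf(5): each keyword control is shorthand for a [value=action] table, and the actions ok/done/bad/die/ignore/reset update a running (impression, status) pair. The per-user module results are constructed for the demonstration, and pam_ldap's group failure is modelled as perm_denied because the page does not show the exact code it returns. Three stacks are compared: the posted one, the one Adam suggests, and a plain `required` line, which also shows why the `user_unknown=ignore` part matters for accounts that exist only in /etc/passwd.

```python
"""Simulate how a PAM 'account' stack turns per-module results into one verdict.

Added example for this thread; not code from pam_ldap, OpenPAM or Linux-PAM.
Rules follow Linux-PAM's pam.conf(5).  Return values use the pam.conf(5)
value names ("success", "perm_denied", "user_unknown", ...).  All per-user
results below are constructed; pam_ldap's group failure is assumed to be
perm_denied.
"""

# pam.conf(5): keyword controls and their equivalent value->action tables.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_control(control):
    """Return the value->action table for a control field.

    Accepts a keyword ("optional") or the bracketed form
    ("[default=bad success=ok user_unknown=ignore]").
    """
    if control.startswith("[") and control.endswith("]"):
        table = dict(item.split("=", 1) for item in control[1:-1].split())
        table.setdefault("default", "bad")  # pam.conf(5): unlisted values are bad
        return table
    return KEYWORDS[control]


def run_stack(stack, results):
    """Evaluate one PAM stack for one user.

    stack:   list of (control, module) lines in file order.
    results: dict module -> value name that module returns for this user.
    Returns the value name the application (here sshd) sees.
    """
    impression = None        # None = undecided, True = positive, False = negative
    status = "perm_denied"   # what an empty or fully ignored stack yields
    for control, module in stack:
        retval = results[module]
        table = parse_control(control)
        action = table.get(retval, table["default"])
        if action == "ignore":
            continue                          # this result does not count at all
        if action in ("ok", "done"):
            # Contributes only while no failure has been recorded so far.
            if impression is None or (impression and status == "success"):
                impression, status = True, retval
            if action == "done" and impression and status == "success":
                break                         # 'sufficient' short-circuit
        elif action == "bad":
            if impression is not False:       # the first failure is kept
                impression, status = False, retval
        elif action == "die":
            impression, status = False, retval
            break
        elif action == "reset":
            impression, status = None, "perm_denied"
        else:
            raise ValueError(f"unsupported action {action!r} for {module}")
    if status == "success" and impression is not True:
        status = "perm_denied"                # libpam's final sanity check
    return status


# The poster's account stack: both real checks are 'optional'.
POSTED = [
    ("required", "pam_nologin.so"),
    ("required", "pam_login_access.so"),
    ("optional", "pam_unix.so"),
    ("optional", "pam_ldap.so"),
]
# Adam's suggestion: pam_ldap's verdict counts, except for users it does not know.
SUGGESTED = POSTED[:3] + [("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so")]
# Plain 'required': also counts, but locks out users that exist only locally.
STRICT = POSTED[:3] + [("required", "pam_ldap.so")]

# Constructed per-user module results (not captured from a real system).
# pam_unix does not know directory-only users and returns user_unknown for them.
USERS = {
    "member":    {"pam_nologin.so": "success", "pam_login_access.so": "success",
                  "pam_unix.so": "user_unknown", "pam_ldap.so": "success"},
    "outsider":  {"pam_nologin.so": "success", "pam_login_access.so": "success",
                  "pam_unix.so": "user_unknown", "pam_ldap.so": "perm_denied"},
    "localonly": {"pam_nologin.so": "success", "pam_login_access.so": "success",
                  "pam_unix.so": "success", "pam_ldap.so": "user_unknown"},
}


def verdicts(stack):
    """Map each constructed user to the verdict the given stack produces."""
    return {user: run_stack(stack, results) for user, results in USERS.items()}


if __name__ == "__main__":
    for name, stack in (("posted", POSTED), ("suggested", SUGGESTED), ("strict", STRICT)):
        print(f"{name:10s} {verdicts(stack)}")
```

With the posted stack the outsider's perm_denied from pam_ldap is simply dropped, because `optional` maps every non-success value to `ignore`; the two `required` lines have already put the stack in a positive state, so sshd sees success, exactly as Aaron describes. With Adam's line the same result becomes `bad` and the login is refused, while a user that pam_ldap does not know still gets in on the strength of pam_unix. Two caveats for the original poster's platform: the bracketed control syntax is Linux-PAM's, and FreeBSD's OpenPAM pam.conf(5) documents only the keyword controls (binding, required, requisite, sufficient, optional), so there the closest equivalent is `account required /usr/local/lib/pam_ldap.so` together with pam_ldap's own `ignore_unknown_user` module option (check the pam_ldap README for its exact behaviour); and, unrelated to the group check, `tls_checkpeer no` in the posted ldap.conf means the session started by `ssl start_tls` never verifies the server certificate against `tls_cacert`, so it only protects against passive sniffing, not against an impersonated directory server.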