 
Subject: restrict host login based on group

Serge Fonville wrote (2009/12/3):

Hi,
While setting up an LDAP server, I noticed that it is not possible to add a host attribute to a posixGroup.
Is there a way to limit which hosts a user can log on to, based on their group membership?
Thanks in advance
Regards,
Serge Fonville
 
Jarbas Peixoto Júnior wrote (Thu, 2009-12-03 10:48 -0300):

If you are using ssh and pam, it can be done like this:

# tail /etc/ssh/sshd_config
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
# Restrict access to the local group 'suporte' and to LDAP groups
AllowGroups suporte "SSH UDSL"

where "SSH UDSL" is a group in LDAP, and "suporte" is a local group.
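What the AllowGroups line above actually does deserves spelling out, because it is deny-by-default: once the directive is present, every user whose primary or supplementary groups match none of the listed patterns is refused by sshd, root included, which is why keeping a local group such as suporte in the list matters when the LDAP server is unreachable. The LDAP group only counts if NSS can resolve it on the ssh host (nsswitch.conf has "group: files ldap", `getent group "SSH UDSL"` lists the user by login name, and `id -nG user` shows it), and the directive gates sshd only, not console logins or su. The script below is an added example, not Jarbas's code and not OpenSSH's: it models sshd's AllowGroups matching (first occurrence of the keyword wins, keywords are case-insensitive, patterns take '*' and '?', a name with spaces is double-quoted) against a group list you supply, and reads the directive out of a constructed sshd_config fragment. The helper names and the demo config are mine; Match blocks are not handled.

```shell
#!/bin/sh
# Added example: model sshd's AllowGroups decision for a user's group list.
# sshd admits a login only if the primary group or one supplementary group (as
# NSS resolves them) matches one of the AllowGroups patterns.

# Print the value of the first AllowGroups line in FILE.  sshd uses the first
# occurrence of a keyword and matches keywords case-insensitively; Match
# blocks are ignored by this helper.
sshd_allowgroups_value() {
    awk 'tolower($1) == "allowgroups" { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# allow_groups_match ALLOWGROUPS_VALUE GROUP...
# Returns 0 if any GROUP matches any pattern in ALLOWGROUPS_VALUE, else 1.
# On a live system the GROUP list is what `id -nG USER` prints.
allow_groups_match() {
    allow=$1
    shift
    # xargs applies shell-style quoting when it splits its input, so
    # suporte "SSH UDSL" becomes two patterns: suporte and SSH UDSL.
    # The subshell lets exit set the pipeline's status without leaving the script.
    printf '%s\n' "$allow" | xargs -n1 printf '%s\n' | (
        while IFS= read -r pattern; do
            for g in "$@"; do
                # case does glob matching, so '*' and '?' behave as in sshd;
                # the pattern is not field-split, so "SSH UDSL" stays one name.
                case $g in
                    $pattern) exit 0 ;;
                esac
            done
        done
        exit 1
    )
}

# ssh_login_allowed SSHD_CONFIG GROUP...
# No AllowGroups directive means sshd does not restrict by group at all.
ssh_login_allowed() {
    cfg=$1
    shift
    value=$(sshd_allowgroups_value "$cfg")
    [ -z "$value" ] && return 0
    allow_groups_match "$value" "$@"
}

# Demo on a constructed config fragment (the AllowGroups line from the post).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
UsePAM yes
# Restrict access to the local group 'suporte' and to LDAP groups
AllowGroups suporte "SSH UDSL"
EOF
for groups in "suporte" "SSH UDSL" "users" "SSH"; do
    if ssh_login_allowed "$demo_cfg" "$groups"; then
        printf 'group list [%s]: allowed\n' "$groups"
    else
        printf 'group list [%s]: denied\n' "$groups"
    fi
done
rm -f "$demo_cfg"
```

On a current OpenSSH, `sshd -T | grep -i allowgroups` prints the effective value after a config change, and sshd must be reloaded before the new list applies to new connections.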
 
Adam Hough wrote (2009/12/3):

Or you can create your own auxiliary object class that includes the host attribute; then you just have to modify the ldap.conf for the machine to restrict user authentication.
- Adam
 
Shamika Joshi wrote (2009/12/4):

Hi all, I'm stuck on the same issue as Serge Fonville. I have created a new auxiliary objectclass 'testobj' with the 'host' attribute and added it to ou=Groups. Then I created 2 entries under Groups as below and assigned members to those groups.

dn: cn=qagroup,ou=Groups,dc=test,dc=com
cn: qagroup
gidNumber: 4
objectClass: posixGroup
objectClass: testobj
host: x15f12.test.com
memberUid: uid=ldap1,ou=Users,dc=test,dc=com
memberUid: uid=ldap2,ou=Users,dc=test,dc=com

dn: cn=admin,ou=Groups,dc=test,dc=com
cn: admin
gidNumber: 0
objectClass: posixGroup
objectClass: testobj
host: x15ubuntu.test.com
memberUid: uid=ldap3,ou=Users,dc=test,dc=com
memberUid: uid=ldap4,ou=Users,dc=test,dc=com

Now which parameter in ldap.conf, or in any other file on the host machine, should I modify, and how, so that members of the qagroup or admin groups only get access to the host mentioned in their respective host attributes?
Thanks in advance
Shamika
 
Shamika Joshi wrote (Mon, 7 Dec 2009 18:26:57 +0530):

I've been fighting with this for a long time now. Reading posts and archives, having no luck beyond this point, but now a bit desperate to get this done as I am running out of time. Any help in this matter is truly appreciated. I attempted to use the following ldap.conf settings, but still get auth failures upon doing ssh with an LDAP user.

host 172.16.135.43
base dc=test,dc=com
uri ldap://172.16.135.43
ldap_version 3
timelimit 120
bind_timelimit 120
idle_timelimit 3600
#pam_filter host=x15ubuntu
pam_filter host=*
pam_check_host_attr yes
pam_password crypt
bind_policy soft
nss_base_passwd ou=Users,dc=test,dc=com?one
nss_base_shadow ou=Users,dc=test,dc=com?one
nss_base_group ou=Group,dc=test,dc=com?one
nss_base_hosts ou=Hosts,dc=test,dc=com?one
nss_initgroups_ignoreusers avahi,avahiautoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,netdirector,news,postgres,proxy,pulse,root,saned,speech-dispatcher,sshd,sync,sys,syslog,uucp,www-data

nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files ldap dns

"getent" for the user "shamika" returns correct information from the LDAP server:

[root@x15f12 security]# getent passwd shamika
shamika:x:503:55:Shamika J:/home/shamika:/bin/bash
[root@x15f12 security]# getent shadow shamika
shamika:*:14568::::::
[root@x15f12 security]# getent group sysadmin
sysadmin:*:100:uid=ldap1,ou=Users,dc=test,dc=com,uid=ldap2,ou=Users,dc=test,dc=com,uid=shamika,ou=Users,dc=test,dc=com

No user can login even when I set pam_filter host=*, but if I comment out pam_filter it allows all LDAP users to login via ssh. Here is a snapshot from /var/log/secure:

Dec 7 18:12:26 x15f12 sshd[19642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=shamika
Dec 7 18:12:28 x15f12 sshd[19642]: Failed password for shamika from ::1 port 54884 ssh2
Dec 7 18:12:29 x15f12 sshd[19643]: Connection closed by ::1

Here is my /pam.d/sshd file:

#%PAM-1.0
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so

password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so

Thanks
Shamika
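Two mechanics behind the ldap.conf and pam.d files above are worth modelling, because they explain both symptoms reported (nobody logs in with pam_filter host=*, everybody logs in without it). pam_ldap evaluates pam_filter and pam_check_host_attr against the entry its uid search returns for the user, so a host value on a group entry is never consulted; `host=*` is an LDAP presence filter, so the user's own entry must carry a host attribute for the ANDed lookup to find anything; and the value is compared, case-insensitively, with whatever gethostname() returns on the ssh host, so a short hostname will not match `x15f12.test.com`. Separately, in the account stack `account required pam_unix.so` followed by `account sufficient pam_ldap.so` means a pam_ldap denial is ignored: a failing sufficient module does not fail the PAM stack, so pam_check_host_attr cannot block anyone in that configuration. Two smaller things to check against the data posted earlier: nss_base_group names ou=Group while the group entries were created under ou=Groups, and memberUid holds the login name (RFC 2307), not the user's DN. The script below is an added example, not the thread's code and not pam_ldap's; the directory slice, the user ldap5 and the function names are constructed for illustration, and it assumes pam_unix's account check passes for an NSS-resolved user, as the post's successful logins show.

```python
"""Model of how pam_ldap decides an LDAP user's login on one host, and how the
posted /etc/pam.d/sshd account stack treats that decision.

Added example, not code from the thread or from pam_ldap.  Assumptions: entries
are dicts of attribute -> list of values; pam_ldap looks the user up with
(&(uid=<user>)(<pam_filter>)), pam_filter limited to the attr=value and attr=*
forms seen in the post; with pam_check_host_attr yes the user's own entry must
carry a host value equal (case-insensitively) to what gethostname() returns, or
"*"; pam_unix's account check passes for a user resolved through NSS.
"""
import socket

# Constructed directory slice (assumption).  As in the post, host lives on the
# group entry.  ldap5 also carries host on its user entry, which is where
# pam_ldap looks.  memberUid holds the login name, per RFC 2307.
DIRECTORY = {
    "uid=shamika,ou=Users,dc=test,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["shamika"]},
    "uid=ldap5,ou=Users,dc=test,dc=com": {
        "objectClass": ["posixAccount", "testobj"], "uid": ["ldap5"],
        "host": ["x15f12.test.com"]},
    "cn=qagroup,ou=Groups,dc=test,dc=com": {
        "objectClass": ["posixGroup", "testobj"], "cn": ["qagroup"],
        "host": ["x15f12.test.com"], "memberUid": ["ldap1", "ldap2", "shamika"]},
}


def filter_term_matches(entry, term):
    """Evaluate one attr=value term; attr=* is an LDAP presence test."""
    attr, _, value = term.partition("=")
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def lookup_user(directory, user, pam_filter=None):
    """pam_ldap's user search, (&(uid=user)(pam_filter)).
    A group entry has no uid, so a host value on a group is never consulted."""
    for dn, entry in directory.items():
        if user not in entry.get("uid", []):
            continue
        if pam_filter and not filter_term_matches(entry, pam_filter):
            continue
        return dn, entry
    return None


def host_allowed(entry, hostname, check_host_attr=True):
    """pam_check_host_attr: the user's host values must include hostname or '*'."""
    if not check_host_attr:
        return True
    return any(h == "*" or h.lower() == hostname.lower()
               for h in entry.get("host", []))


def pam_stack(modules):
    """Linux-PAM outcome for a stack of (control, module_result) pairs.
    required:   a failure fails the stack, but later modules still run.
    sufficient: success with no earlier required failure ends the stack
                successfully; a failure is simply ignored."""
    required_failed = False
    for control, ok in modules:
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "sufficient" and ok and not required_failed:
            return True
    return not required_failed


def ssh_login_decision(user, hostname, pam_filter, ldap_account_control,
                       directory=DIRECTORY, check_host_attr=True):
    """(allowed, reason) for the auth and account phases of the posted stack."""
    found = lookup_user(directory, user, pam_filter)
    if found is None:
        # auth phase: pam_unix has no local password, pam_ldap cannot find the
        # user with the ANDed filter, pam_deny ends it: the post's
        # "Failed password for shamika" while pam_filter host=* was set.
        return False, "auth: no entry matches (&(uid=%s)(%s))" % (user, pam_filter)
    _, entry = found
    allowed = pam_stack([
        ("required", True),                      # pam_unix.so (see assumption)
        (ldap_account_control, host_allowed(entry, hostname, check_host_attr)),
    ])
    if allowed:
        return True, "account: stack succeeded"
    return False, "account: pam_ldap denied login on %s" % hostname


if __name__ == "__main__":
    print("hostname pam_ldap would compare against:", socket.gethostname())
    for case in [("shamika", "x15f12", "host=*", "sufficient"),
                 ("shamika", "x15f12", None, "sufficient"),
                 ("shamika", "x15f12", None, "required"),
                 ("ldap5", "x15f12.test.com", "host=*", "required"),
                 ("ldap5", "x15f12", "host=*", "required")]:
        print(case, "->", ssh_login_decision(*case))
```

The third and fourth cases are the ones that matter operationally: the host attribute has to sit on the user entry with a value equal to the box's hostname, and pam_ldap's account line has to be `required` (or a control string that treats its denial as fatal) for pam_check_host_attr to refuse anyone.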
 
Joe Friedeggs wrote:

Use pam_groupdn:

pam_groupdn <groupdn>
    Specifies the distinguished name of a group to which a user must belong for logon authorization to succeed. For example:

pam_groupdn cn=accessGroupServer1,ou=host_ssh_access,dc=example,dc=net

I am not sure if you can specify multiple groups; you'll have to play with it.
Thanks, Joe
 
Howard Chu wrote:

Joe Friedeggs wrote:
> Use pam_groupdn
> I am not sure if you can specify multiple groups, you'll have to play with it.

This question concerns pam-ldap and belongs on the pam-ldap mailing list.
No, pam_groupdn does not support multiple groups.
If you want to actually discuss something relevant to OpenLDAP, then switch to OpenLDAP's nssov overlay, which has full support for arbitrary host / group / ACL-based login authorization.

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
 
Shamika Joshi wrote:

Thanks Howard. Could you point me to some good documentation or HowTos on that? Which version of OpenLDAP should I have installed on the server/client machine, or is there any separate rpm or pkg to be installed to get started with it?
Thanks
Shamika
 
Howard Chu wrote:

Shamika Joshi wrote:
> Thanks Howard. Could you point me to some good documentation or HowTos on that?

Search the archives. I posted an example in here a few months ago:
http://www.openldap.org/lists/openldap-technical/200905/msg00108.html
 
Here is the write-up that I read to figure out how to set up auto-restricting users to certain hosts:
http://www.hurricanelabs.com/september2009_login_security_using_openldap_and...
 
Shamika Joshi wrote:

Hi Howard, thanks for the reference. From the README I understood that I have to do some settings related to nssov in my slapd.conf. However, I cannot locate nssov.so on my machine. I'm running openldap 2.4.18 (as per your post it should be available from 2.4.11 onwards with NSS support).
Do I need to add any more packages or upgrade to some version of openldap that supports this? I tried to locate this information but could not find it. Could you share some information as to how to port this module over an existing openldap setup?
I currently have the following packages installed on my Fedora 12 system:
openldap-servers-2.4.18-5.fc12.x86_64
openldap-2.4.18-5.fc12.x86_64
openldap-clients-2.4.18-5.fc12.x86_64
openldap-devel-2.4.18-5.fc12.x86_64
nss_ldap-264-8.fc12.x86_64
Thanks
Shamika
 
Shamika Joshi wrote:
> Do I need to add any more packages or upgrade to some version of openldap that supports this?

I can't tell you anything about how Fedora (or any other distro, for that matter) packages the OpenLDAP code. Ask the people who manage your distro.