The user is a part of both groupname and groupname2. I am in testing with different combinations.
UsePAM yes is set in /etc/ssh/sshd_config Reason for using pam_member_attribute uniquemember is because 389-ds groups uses that attribute for group members.(see schema below) So to tell the ldap.conf to look at that attribute to verify members. CORRECT ME IF I AM WRONG This is the schema of my groups dn: cn=GroupName,ou=Groups, dc=domain, dc=com gidNumber: 1010 objectClass: top objectClass: groupOfUniqueNames objectClass: posixGroup uniqueMember: uid=username1,ou=People,dc=domain,dc=com uniqueMember: uid=username2,ou=People,dc=domain,dc=com cn: GroupName True, I tried to put the account required pam_access.so to the pam.d/sshd, but since it already includes the system-auth(which already has pam_access). Hence I didn;t add manually to sshd. /etc/pam.d/sshd auth include system-auth account required pam_nologin.so account include system-auth account required pam_access.so password include system-auth session optional pam_keyinit.so force revoke session include system-auth session required pam_loginuid.so What I am trying to accomplish? I am trying to restrict the ssh access to all our servers based on the groupmembership of posixgroups(groupname1 & 2). So say if a user does not belong to that project he/she should not be able to ssh to that box. Extra info which might or not be related: I am using Primary Group for all users as their uidNumber. I think it is called ³User Private Groups² where each user¹s uidNumber and gidNumber are same. This is to facilitate the file/folders ownership in their home folder by using umask 022. Stpierre from #389 IRC channel suggested that the syntax for posixGroups in access.conf is not @groupname. But to change it something like below. - : ALL EXCEPT root groupname groupname2 : ALL Thanks for you help. -Prashanth * From: "Tidwell Robert - rtidwe" <Robert Tidwell acxiom com> * To: <fedora-directory-users redhat com> * Subject: RE: [389-users] Access.conf issue * Date: Wed, 18 Nov 2009 11:15:32 -0600 Title: Access.conf issue Is your user a part of the groupname or groupname2 group? And, is ³UsePAM yes² and set in your sshd_config? Although, I am not sure that the pam_member_attribute uniquemember is going to work in this situation. Pam is looking to evaluate that the user is a member of the group that you specify for ³pam_groupdn² in ldap.conf. Based on what you are saying, you are simply using pam_access to control ssh access to the server. But instead of the pam_access line being in system_auth, I have it in /etc/pam.d/sshd, which it looks like yours is also based on the error messages. Robert
-- 389 users mailing list [email protected] https://www.redhat.com/mailman/listinfo/fedora-directory-users
