On our FreeBSD 7.2/8.0 driven infrastructure we use OpenLDAP:

openldap-sasl-client-2.4.16 Open source LDAP client implementation with
SASL2 support
openldap-sasl-server-2.4.16 Open source LDAP server implementation
pam_ldap-1.8.4_1    A pam module for authenticating with LDAP

>From O'Reilly's OpenLDAP book and other sources I got the information,
that tha tags

pam_groupdn
pam_member_attribute

can be used in conjunction with 'uid' to restrict access to a specific
host to those which are member of the group specified by pam_groupdn, as
long as the group object supports
multi-value-attributes like memberUid.

Well, this is not working with FreeBSD any way!

Suppose I define in /usr/local/etc/ldap.conf

pam_groupdn cn=myGroup,ou=groups,dc=foo,dc=bar (objectClass: posixGroup)
pam_member_attribute memberUid

And within this group there is my memberUid:

memberUid: ohartmann

Now I try to login to the specific box and get the warning:


You must be a memberUid of cn=myGroup,ou=groups,dc=foo,dc=bar to login.

... and I can login, no tmatter whether I'm in the group or not.

What ist happening here? Why is the documentaion telling me this should
work and why isn't FreeBSD/PAM doing so?

I'm confused!

Any help appreciated.

Oliver
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Reply via email to