I've been fighting with this for a long time now, reading posts and archives, with no luck beyond this point, but I am now a bit desperate to get this done as I am running out of time. Any help in this matter is truly appreciated. I attempted to use the following ldap.conf settings, but still get auth failures when doing ssh with an LDAP user.
ldap.conf:

host 172.16.135.43
base dc=test,dc=com
uri ldap://172.16.135.43
ldap_version 3
timelimit 120
bind_timelimit 120
idle_timelimit 3600
#pam_filter host=x15ubuntu
pam_filter host=*
pam_check_host_attr yes
pam_password crypt
bind_policy soft
nss_base_passwd ou=Users,dc=test,dc=com?one
nss_base_shadow ou=Users,dc=test,dc=com?one
nss_base_group ou=Group,dc=test,dc=com?one
nss_base_hosts ou=Hosts,dc=test,dc=com?one
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,netdirector,news,postgres,proxy,pulse,root,saned,speech-dispatcher,sshd,sync,sys,syslog,uucp,www-data

nsswitch.conf:

passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files ldap dns

"getent" for the user "shamika" returns correct information from the LDAP server:

[r...@x15f12 security]# getent passwd shamika
shamika:x:503:55:Shamika J:/home/shamika:/bin/bash
[r...@x15f12 security]# getent shadow shamika
shamika:*:14568::::::
[r...@x15f12 security]# getent group sysadmin
sysadmin:*:100:uid=ldap1,ou=Users,dc=test,dc=com,uid=ldap2,ou=Users,dc=test,dc=com,uid=shamika,ou=Users,dc=test,dc=com

No user can log in even when I set pam_filter host=*, but if I comment out pam_filter it allows all LDAP users to log in via ssh.
Here is a snapshot from /var/log/secure:

Dec 7 18:12:26 x15f12 sshd[19642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=shamika
Dec 7 18:12:28 x15f12 sshd[19642]: Failed password for shamika from ::1 port 54884 ssh2
Dec 7 18:12:29 x15f12 sshd[19643]: Connection closed by ::1

Here is my /pam.d/sshd file:

#%PAM-1.0
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so

Thanks
Shamika

=============================================================================================

2009/12/4 Shamika Joshi <[email protected]>

> Hi all,
> I'm stuck in the same issue as Serge Fonville.
> I have created a new auxiliary objectclass 'testobj' with a 'host' attribute and
> added it to ou=Groups. Then I created 2 entries under Groups as below and
> assigned members to those groups.
>
> dn: cn=qagroup,ou=Groups,dc=test,dc=com
> cn: qagroup
> gidNumber: 4
> objectClass: posixGroup
> objectClass: testobj
> host: x15f12.test.com
> memberUid: uid=ldap1,ou=Users,dc=test,dc=com
> memberUid: uid=ldap2,ou=Users,dc=test,dc=com
>
> dn: cn=admin,ou=Groups,dc=test,dc=com
> cn: admin
> gidNumber: 0
> objectClass: posixGroup
> objectClass: testobj
> host: x15ubuntu.test.com
> memberUid: uid=ldap3,ou=Users,dc=test,dc=com
> memberUid: uid=ldap4,ou=Users,dc=test,dc=com
>
> Now which parameter in ldap.conf or any other file on the host machine should
> I modify, and how, so that members of the qagroup or admin groups only get
> access to the host mentioned in their respective attributes?
>
> Thanks in advance
> Shamika
>
> 2009/12/3 Adam Hough <[email protected]>
>
>> Or you can create your own auxiliary object class that includes the host
>> attribute; then you just have to modify the ldap.conf for the machine to
>> restrict user authentication.
>>
>> - Adam
>>
>> On Thu, 2009-12-03 at 10:48 -0300, Jarbas Peixoto Júnior wrote:
>> > If you are using ssh and pam it can be done like this:
>> >
>> > # tail /etc/ssh/sshd_config
>> >
>> > # Allow client to pass locale environment variables
>> > AcceptEnv LANG LC_*
>> >
>> > Subsystem sftp /usr/lib/openssh/sftp-server
>> >
>> > UsePAM yes
>> >
>> > # Restrict access to the local group 'suporte' and to LDAP groups
>> > AllowGroups suporte "SSH UDSL"
>> >
>> > where "SSH UDSL" is a group in LDAP, and "suporte" is a local group.
>> >
>> > 2009/12/3 Serge Fonville <[email protected]>:
>> > > Hi,
>> > >
>> > > While setting up an LDAP server, I noticed that it is not possible to
>> > > add a host attribute to a posixGroup.
>> > >
>> > > Is there a way to limit which hosts a user can log on to, based on
>> > > their group membership?
>> > >
>> > > Thanks in advance
>> > >
>> > > Regards,
>> > >
>> > > Serge Fonville
>> > >
>> > > --
>> > > http://www.sergefonville.nl
>> > >
>> > > Convince Google!!
>> > > They need to support Adsense over SSL
>> > > https://www.google.com/adsense/support/bin/answer.py?hl=en&answer=10528
>> > > http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923&hl=en
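The behaviour reported at the top of the thread (pam_filter host=* rejects every LDAP user, while commenting it out admits every LDAP user) follows from two things pam_ldap does, and the small model below makes both visible. It is an added example written for this page, not code from the thread or from pam_ldap. First, pam_filter is ANDed with the uid lookup, so host=* turns the user search into (&(host=*)(uid=shamika)); host=* is an LDAP presence test that only entries carrying a host attribute can satisfy, and the posted LDIF puts host on the group entries under ou=Groups rather than on the user entries under ou=Users that nss_base_passwd points at. Second, pam_check_host_attr compares the authenticating user's own host values against the machine's short hostname, its FQDN, or "*", and a user entry with no host value at all is denied. The directory below is constructed to mirror the posted entries plus one hypothetical user, ldap5, whose own entry carries the host attribute; the filter evaluator handles only the presence, equality and AND forms this lookup produces. The model gives pam_ldap's verdict on its own and does not model how the surrounding PAM stack combines it with pam_unix's result (in the posted account stack, a denial from the "sufficient" pam_ldap line is not by itself fatal).

```python
# Added example for this page (not code from the thread or from pam_ldap):
# a model of pam_ldap's pam_filter lookup and pam_check_host_attr check.
# All entries below are constructed to mirror the posted LDIF; ldap5 is a
# hypothetical user whose own entry carries the host attribute.
DIRECTORY = {
    "uid=shamika,ou=Users,dc=test,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["shamika"]},
    "uid=ldap5,ou=Users,dc=test,dc=com": {
        "objectClass": ["posixAccount", "testobj"], "uid": ["ldap5"],
        "host": ["x15f12.test.com"]},
    "cn=qagroup,ou=Groups,dc=test,dc=com": {
        "objectClass": ["posixGroup", "testobj"], "cn": ["qagroup"],
        "host": ["x15f12.test.com"],
        "memberUid": ["uid=ldap1,ou=Users,dc=test,dc=com"]},
    "cn=admin,ou=Groups,dc=test,dc=com": {
        "objectClass": ["posixGroup", "testobj"], "cn": ["admin"],
        "host": ["x15ubuntu.test.com"],
        "memberUid": ["uid=ldap3,ou=Users,dc=test,dc=com"]},
}


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&...), (attr=value), (attr=*)."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' at %r" % s)
    if s.startswith("(&"):
        s, children = s[2:], []
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
        if not s.startswith(")"):
            raise ValueError("unterminated AND filter")
        return ("&", children), s[1:]
    end = s.index(")")
    attr, _, value = s[1:end].partition("=")
    node = ("present", attr) if value == "*" else ("eq", attr, value)
    return node, s[end + 1:]


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive)."""
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    values = [v.lower() for k, vs in entry.items()
              if k.lower() == node[1].lower() for v in vs]
    if node[0] == "present":
        return bool(values)          # attribute present with any value
    return node[2].lower() in values


def pam_ldap_user_filter(username, pam_filter=None):
    """pam_filter is ANDed with the uid lookup: host=* -> (&(host=*)(uid=X))."""
    if pam_filter:
        return "(&(%s)(uid=%s))" % (pam_filter, username)
    return "(uid=%s)" % username


def find_user(username, directory, pam_filter=None,
              base="ou=Users,dc=test,dc=com"):
    """DNs below the nss_base_passwd base that satisfy the lookup filter."""
    flt = parse_filter(pam_ldap_user_filter(username, pam_filter))
    return [dn for dn, entry in directory.items()
            if dn.lower().endswith("," + base.lower()) and matches(flt, entry)]


def host_ok(entry, hostname, fqdn):
    """pam_check_host_attr: the user's own host values must include the short
    hostname, the FQDN, or '*'; no host attribute at all means deny."""
    allowed = {v.lower() for v in entry.get("host", [])}
    return bool(allowed & {"*", hostname.lower(), fqdn.lower()})


def decide(username, hostname, fqdn, directory=DIRECTORY,
           pam_filter=None, check_host_attr=True):
    """pam_ldap's own verdict for one login attempt (PAM stacking not modelled)."""
    hits = find_user(username, directory, pam_filter)
    if len(hits) != 1:
        return "deny: user search matched %d entries" % len(hits)
    if check_host_attr and not host_ok(directory[hits[0]], hostname, fqdn):
        return "deny: host attribute does not allow %s" % fqdn
    return "allow"


if __name__ == "__main__":
    # Posted layout (host only on groups) with pam_filter host=*: no entry matches.
    print(decide("shamika", "x15f12", "x15f12.test.com", pam_filter="host=*"))
    # Same user, pam_filter commented out and no host check: the uid lookup works.
    print(decide("shamika", "x15f12", "x15f12.test.com", check_host_attr=False))
    # host on the user entry: admitted on x15f12, refused on x15ubuntu.
    print(decide("ldap5", "x15f12", "x15f12.test.com", pam_filter="host=*"))
    print(decide("ldap5", "x15ubuntu", "x15ubuntu.test.com", pam_filter="host=*"))
```

Running the script reproduces the thread's symptom as a zero-match search for shamika, and shows that once the host attribute sits on the user entry the same pam_filter and pam_check_host_attr settings admit ldap5 on x15f12 and refuse it on x15ubuntu, which is the per-host restriction the thread is after.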
