Use pam_groupdn

pam_groupdn <groupdn>
    Specifies the distinguished name of a group to which a user must belong for logon authorization to succeed. For example:

    pam_groupdn cn=accessGroupServer1,ou=host_ssh_access,dc=example,dc=net

I am not sure if you can specify multiple groups, you'll have to play with it.

Thanks,
Joe

________________________________
> Date: Mon, 7 Dec 2009 18:26:57 +0530
> Subject: Re: restrict host login based on group
> From: [email protected]
> To: [email protected]
> CC: [email protected]; [email protected]; [email protected]
>
> I've been fighting with this for a long time now. Reading posts &
> archives, having no luck beyond this point... but now a bit desperate to
> get this done as I am running out of time now.
>
> Any help in this matter is truly appreciated.
> I attempted to use the following ldap.conf settings, but still get auth failures
> upon doing ssh w/ ldap user.
>
> host 172.16.135.43
> base dc=test,dc=com
> uri ldap://172.16.135.43
> ldap_version 3
>
> timelimit 120
> bind_timelimit 120
> idle_timelimit 3600
> #pam_filter host=x15ubuntu
> pam_filter host=*
>
> pam_check_host_attr yes
> pam_password crypt
> bind_policy soft
> nss_base_passwd ou=Users,dc=test,dc=com?one
> nss_base_shadow ou=Users,dc=test,dc=com?one
> nss_base_group ou=Group,dc=test,dc=com?one
>
> nss_base_hosts ou=Hosts,dc=test,dc=com?one
> nss_initgroups_ignoreusers avahi,avahiautoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,netdirector,news,postgres,proxy,pulse,root,saned,speech-dispatcher,sshd,sync,sys,syslog,uucp,www-data
>
> nsswitch.conf
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
> hosts: files ldap dns
>
> "getent" for the user "shamika" returns correct information from the LDAP server
>
> [r...@x15f12 security]# getent passwd shamika
> shamika:x:503:55:Shamika J:/home/shamika:/bin/bash
> [r...@x15f12 security]# getent shadow shamika
> shamika:*:14568::::::
> [r...@x15f12 security]# getent group sysadmin
> sysadmin:*:100:uid=ldap1,ou=Users,dc=test,dc=com,uid=ldap2,ou=Users,dc=test,dc=com,uid=shamika,ou=Users,dc=test,dc=com
>
> No user can login even when I set pam_filter host=*, but if I comment out
> pam_filter it allows all ldap users to login via ssh.
>
> Here is a snapshot from /var/log/secure
> Dec 7 18:12:26 x15f12 sshd[19642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=shamika
> Dec 7 18:12:28 x15f12 sshd[19642]: Failed password for shamika from ::1 port 54884 ssh2
> Dec 7 18:12:29 x15f12 sshd[19643]: Connection closed by ::1
>
> Here is my /pam.d/sshd file
> #%PAM-1.0
> auth sufficient /lib/security/pam_unix.so likeauth nullok
> auth sufficient /lib/security/pam_ldap.so use_first_pass
> auth required /lib/security/pam_deny.so
>
> account required /lib/security/pam_unix.so
> account sufficient /lib/security/pam_ldap.so
>
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/pam_ldap.so use_authtok
> password required /lib/security/pam_deny.so
>
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
> session optional /lib/security/pam_ldap.so
>
> Thanks
> Shamika
>
> =============================================================================================
>
> 2009/12/4 Shamika Joshi
>
> Hi all,
> I'm stuck in the same issue as Serge Fonville.
> I have created a new Auxiliary objectclass 'testobj' with 'host' attribute &
> added it to the ou=Groups. Then created 2 entries under Groups as below &
> assigned members to those groups.
>
> dn: cn=qagroup,ou=Groups,dc=test,dc=com
> cn: qagroup
> gidNumber: 4
> objectClass: posixGroup
> objectClass: testobj
> host: x15f12.test.com
> memberUid: uid=ldap1,ou=Users,dc=test,dc=com
> memberUid: uid=ldap2,ou=Users,dc=test,dc=com
>
> dn: cn=admin,ou=Groups,dc=test,dc=com
> cn: admin
> gidNumber: 0
> objectClass: posixGroup
> objectClass: testobj
> host: x15ubuntu.test.com
> memberUid: uid=ldap3,ou=Users,dc=test,dc=com
> memberUid: uid=ldap4,ou=Users,dc=test,dc=com
>
> Now which parameter in ldap.conf or any other file on the host machine should I
> modify, and how, so that members from the qagroup or admin groups only get access
> to the host mentioned in their respective attributes??
>
> Thanks in advance
> Shamika
>
> 2009/12/3 Adam Hough
> >
> > Or you can create your own Aux. object class that includes the host
> > attribute, then you just have to modify the ldap.conf for the machine to
> > restrict user authentication.
> >
> > - Adam
> >
> > On Thu, 2009-12-03 at 10:48 -0300, Jarbas Peixoto Júnior wrote:
> >> If you are using ssh and pam it can be done like this:
> >>
> >> # tail /etc/ssh/sshd_config
> >>
> >> # Allow client to pass locale environment variables
> >> AcceptEnv LANG LC_*
> >>
> >> Subsystem sftp /usr/lib/openssh/sftp-server
> >>
> >> UsePAM yes
> >>
> >> # Restrict access to the local group 'suporte' and to LDAP groups
> >> AllowGroups suporte "SSH UDSL"
> >>
> >> where "SSH UDSL" is a Group in LDAP, and "suporte" is a local group.
> >>
> >> 2009/12/3 Serge Fonville:
> >>> Hi,
> >>>
> >>> While setting up an LDAP server, I noticed that it is not possible to
> >>> add a host attribute to a posixGroup.
> >>>
> >>> Is there a way to limit a user to what hosts they can logon to based on
> >>> their group membership?
> >>>
> >>> Thanks in advance
> >>>
> >>> Regards,
> >>>
> >>> Serge Fonville
> >>>
> >>> --
> >>> http://www.sergefonville.nl
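Added illustration, not code from the thread or from pam_ldap itself: a small Python model of the two pam_ldap authorization checks discussed here, pam_check_host_attr, which pam_ldap evaluates against the host attribute of the user's own entry (never the group's, which is why a host value on qagroup alone does not help), and pam_groupdn, which requires the user's DN in the group's member attribute. The directory below and the group cn=accessGroupServer1,ou=Groups,dc=test,dc=com are constructed sample data patterned on the thread's entries.

```python
# Constructed sample directory (not real data): DN -> attribute -> list of values.
DIRECTORY = {
    "uid=ldap1,ou=Users,dc=test,dc=com": {
        "objectClass": ["posixAccount", "account"],
        "host": ["x15f12.test.com"],          # allowed only on this host
    },
    "uid=shamika,ou=Users,dc=test,dc=com": {
        "objectClass": ["posixAccount"],      # no host attribute, as in the thread
    },
    "uid=ldap3,ou=Users,dc=test,dc=com": {
        "objectClass": ["posixAccount", "account"],
        "host": ["*"],                        # wildcard: any host
    },
    # Hypothetical group for pam_groupdn, using uniqueMember like groupOfUniqueNames.
    "cn=accessGroupServer1,ou=Groups,dc=test,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=ldap1,ou=Users,dc=test,dc=com"],
    },
}


def check_host_attr(user_dn, hostname, directory=DIRECTORY):
    """pam_check_host_attr yes: the user's OWN entry must carry a host value
    equal to this machine's name or '*'. A group's host attribute is never
    consulted, and a user with no host attribute at all is denied."""
    hosts = directory.get(user_dn, {}).get("host", [])
    return any(h == "*" or h.lower() == hostname.lower() for h in hosts)


def check_groupdn(user_dn, group_dn, member_attr="uniqueMember", directory=DIRECTORY):
    """pam_groupdn: the user's DN must appear in the group's member attribute
    (pam_member_attribute, uniqueMember by default)."""
    members = directory.get(group_dn, {}).get(member_attr, [])
    return user_dn.lower() in (m.lower() for m in members)


def authorize(user_dn, hostname, group_dn=None):
    """Account-phase decision: every configured check must pass."""
    if not check_host_attr(user_dn, hostname):
        return False
    if group_dn is not None and not check_groupdn(user_dn, group_dn):
        return False
    return True


if __name__ == "__main__":
    for dn in DIRECTORY:
        if dn.startswith("uid="):
            print(dn, "on x15f12.test.com ->", authorize(dn, "x15f12.test.com"))
```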
