Thanks Howard. Could you point me to some good documentation or HowTos on that? Which version of OpenLDAP should I have installed on the server/client machines, or is there a separate rpm or pkg that needs to be installed to get started with it?
Thanks
Shamika

On Tue, Dec 8, 2009 at 4:23 AM, Howard Chu <[email protected]> wrote:
> Joe Friedeggs wrote:
>>
>> Use pam_groupdn
>>
>> pam_groupdn <groupdn>
>> Specifies the distinguished name of a group to which a user must belong
>> for logon authorization to succeed.
>> For example:
>>
>> pam_groupdn cn=accessGroupServer1,ou=host_ssh_access,dc=example,dc=net
>>
>> I am not sure if you can specify multiple groups, you'll have to play with
>> it.
>
> This question concerns pam-ldap and belongs on the pam-ldap mailing list.
>
> No, pam_groupdn does not support multiple groups.
>
> If you want to actually discuss something relevant to OpenLDAP, then switch
> to OpenLDAP's nssov overlay, which has full support for arbitrary host /
> group / ACL-based login authorization.
>
>> Thanks,
>> Joe
>>
>> ________________________________
>>
>>> Date: Mon, 7 Dec 2009 18:26:57 +0530
>>> Subject: Re: restrict host login based on group
>>> From: [email protected]
>>> To: [email protected]
>>> CC: [email protected]; [email protected]; [email protected]
>>>
>>> I've been fighting with this for a long time now. Reading posts &
>>> archives, having no luck beyond this point... but now a bit desperate
>>> to get this done as I am running out of time now.
>>>
>>> Any help in this matter is truly appreciated.
>>> I attempted to use the following ldap.conf settings, but still get auth
>>> failures upon doing ssh w/ an ldap user.
>>>
>>> host 172.16.135.43
>>> base dc=test,dc=com
>>> uri ldap://172.16.135.43
>>> ldap_version 3
>>>
>>> timelimit 120
>>> bind_timelimit 120
>>> idle_timelimit 3600
>>> #pam_filter host=x15ubuntu
>>> pam_filter host=*
>>>
>>> pam_check_host_attr yes
>>> pam_password crypt
>>> bind_policy soft
>>> nss_base_passwd ou=Users,dc=test,dc=com?one
>>> nss_base_shadow ou=Users,dc=test,dc=com?one
>>> nss_base_group ou=Group,dc=test,dc=com?one
>>>
>>> nss_base_hosts ou=Hosts,dc=test,dc=com?one
>>> nss_initgroups_ignoreusers avahi,avahiautoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,
>>> list,lp,mail,man,messagebus,netdirector,news,postgres,proxy,pulse,root,saned,speech-dispatcher,sshd,sync,sys,syslog,uucp,www-data
>>>
>>> nsswitch.conf
>>>
>>> passwd: files ldap
>>> shadow: files ldap
>>> group: files ldap
>>> hosts: files ldap dns
>>>
>>> "getent" for the user "shamika" returns correct information from the
>>> LDAP server
>>>
>>> [r...@x15f12 security]# getent passwd shamika
>>> shamika:x:503:55:Shamika J:/home/shamika:/bin/bash
>>> [r...@x15f12 security]# getent shadow shamika
>>> shamika:*:14568::::::
>>> [r...@x15f12 security]# getent group sysadmin
>>> sysadmin:*:100:uid=ldap1,ou=Users,dc=test,dc=com,uid=ldap2,ou=Users,dc=test,dc=com,uid=shamika,ou=Users,dc=test,dc=com
>>>
>>> No user can login even when I set pam_filter host=*, but if I comment
>>> out pam_filter it allows all ldap users to login via ssh.
>>>
>>> Here is a snapshot from /var/log/secure
>>>
>>> Dec 7 18:12:26 x15f12 sshd[19642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=shamika
>>> Dec 7 18:12:28 x15f12 sshd[19642]: Failed password for shamika from ::1 port 54884 ssh2
>>> Dec 7 18:12:29 x15f12 sshd[19643]: Connection closed by ::1
>>>
>>> Here is my /pam.d/sshd file
>>>
>>> #%PAM-1.0
>>> auth       sufficient   /lib/security/pam_unix.so likeauth nullok
>>> auth       sufficient   /lib/security/pam_ldap.so use_first_pass
>>> auth       required     /lib/security/pam_deny.so
>>>
>>> account    required     /lib/security/pam_unix.so
>>> account    sufficient   /lib/security/pam_ldap.so
>>>
>>> password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
>>> password   sufficient   /lib/security/pam_ldap.so use_authtok
>>> password   required     /lib/security/pam_deny.so
>>>
>>> session    required     /lib/security/pam_limits.so
>>> session    required     /lib/security/pam_unix.so
>>> session    optional     /lib/security/pam_ldap.so
>>>
>>> Thanks
>>> Shamika
>>>
>>> =============================================================================================
>>>
>>> 2009/12/4 Shamika Joshi
>>>
>>> Hi all,
>>> I'm stuck in the same issue as Serge Fonville.
>>> I have created a new auxiliary objectclass 'testobj' with the 'host' attribute &
>>> added it to ou=Groups. Then I created 2 entries under Groups as below &
>>> assigned members to those groups.
>>>
>>> dn: cn=qagroup,ou=Groups,dc=test,dc=com
>>> cn: qagroup
>>> gidNumber: 4
>>> objectClass: posixGroup
>>> objectClass: testobj
>>> host: x15f12.test.com
>>> memberUid: uid=ldap1,ou=Users,dc=test,dc=com
>>> memberUid: uid=ldap2,ou=Users,dc=test,dc=com
>>>
>>> dn: cn=admin,ou=Groups,dc=test,dc=com
>>> cn: admin
>>> gidNumber: 0
>>> objectClass: posixGroup
>>> objectClass: testobj
>>> host: x15ubuntu.test.com
>>> memberUid: uid=ldap3,ou=Users,dc=test,dc=com
>>> memberUid: uid=ldap4,ou=Users,dc=test,dc=com
>>>
>>> Now which parameter in ldap.conf or any other file on the host machine should
>>> I modify, and how, so that members of the qagroup or admin groups only get
>>> access to the host mentioned in their respective attributes?
>>>
>>> Thanks in advance
>>> Shamika
>>>
>>> 2009/12/3 Adam Hough
>>>
>>>> Or you can create your own Aux. object class that includes the host
>>>> attribute, then you just have to modify the ldap.conf for the machine to
>>>> restrict user authentication.
>>>>
>>>> - Adam
>>>>
>>>> On Thu, 2009-12-03 at 10:48 -0300, Jarbas Peixoto Júnior wrote:
>>>>
>>>>> If you are using ssh and pam it can be done like this:
>>>>>
>>>>> # tail /etc/ssh/sshd_config
>>>>>
>>>>> # Allow client to pass locale environment variables
>>>>> AcceptEnv LANG LC_*
>>>>>
>>>>> Subsystem sftp /usr/lib/openssh/sftp-server
>>>>>
>>>>> UsePAM yes
>>>>>
>>>>> # Restrict access to the local group 'suporte' and to LDAP groups
>>>>> AllowGroups suporte "SSH UDSL"
>>>>>
>>>>> where "SSH UDSL" is a Group in LDAP, and "suporte" is a local group.
>>>>>
>>>>> 2009/12/3 Serge Fonville:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> While setting up an LDAP server, I noticed that it is not possible to
>>>>>> add a host attribute to a posixGroup.
>>>>>>
>>>>>> Is there a way to limit which hosts a user can log on to based on
>>>>>> their group membership?
>>>>>>
>>>>>> Thanks in advance
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Serge Fonville
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/
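The thread's core question is the authorization decision itself: given group entries that carry a `host` attribute (the posixGroup plus auxiliary `testobj` layout Shamika posted), may user U log in to host H? The block below is an added example and is not code from the thread, from pam_ldap, or from OpenLDAP's nssov. It implements that decision as a pure function over exported LDIF so the policy can be audited offline: a user is allowed on a host only if some group they belong to lists that host (exact match or a `*`-style wildcard), and a user who matches no group is denied by default. The LDIF is constructed for the example; the `qagroup` and `admin` entries mirror the ones in the thread, while the `everywhere` group, the `ldap5` member and the minimal `parse_ldif` helper are assumptions introduced here.

```python
"""Offline host-login authorization check over LDAP group entries.

Added example, not part of the mailing-list thread. Evaluates the rule
"user may log in to host if a group they belong to has a matching `host`
attribute"; unknown users and unlisted hosts are denied by default.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample data: qagroup/admin follow the thread's entries; the
# `everywhere` group with `host: *` and member ldap5 is added for the example.
SAMPLE_LDIF = """\
dn: cn=qagroup,ou=Groups,dc=test,dc=com
cn: qagroup
gidNumber: 4
objectClass: posixGroup
objectClass: testobj
host: x15f12.test.com
memberUid: uid=ldap1,ou=Users,dc=test,dc=com
memberUid: uid=ldap2,ou=Users,dc=test,dc=com

dn: cn=admin,ou=Groups,dc=test,dc=com
cn: admin
gidNumber: 0
objectClass: posixGroup
objectClass: testobj
host: x15ubuntu.test.com
memberUid: uid=ldap3,ou=Users,dc=test,dc=com
memberUid: uid=ldap4,ou=Users,dc=test,dc=com

dn: cn=everywhere,ou=Groups,dc=test,dc=com
cn: everywhere
gidNumber: 9
objectClass: posixGroup
objectClass: testobj
host: *
memberUid: ldap5
"""


def parse_ldif(text):
    """Minimal LDIF reader (hypothetical helper): one {attr: [values]} dict
    per entry, entries separated by blank lines, attribute names lowercased.
    Folded lines (leading space) are joined; base64 (`::`) values are not
    handled, which is enough for the plain entries above."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value.strip())
    if current:
        entries.append(current)
    return entries


def member_uid(value):
    """memberUid is normally a bare uid; the thread's entries use full DNs.
    Accept both forms and reduce to the uid so membership tests are uniform."""
    v = value.strip()
    if v.lower().startswith("uid="):
        return v[4:].split(",", 1)[0]
    return v


def allowed_hosts(entries, uid):
    """Every host pattern granted to `uid` through any group it belongs to."""
    hosts = set()
    for entry in entries:
        members = {member_uid(m) for m in entry.get("memberuid", [])}
        if uid in members:
            hosts.update(entry.get("host", []))
    return hosts


def may_login(entries, uid, hostname):
    """True only if some group of `uid` lists `hostname` (case-insensitive,
    `*`-style wildcards allowed). No matching group means deny."""
    return any(fnmatchcase(hostname.lower(), pattern.lower())
               for pattern in allowed_hosts(entries, uid))


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for uid, host in [("ldap1", "x15f12.test.com"), ("ldap1", "x15ubuntu.test.com"),
                      ("ldap3", "x15ubuntu.test.com"), ("ldap5", "anything.test.com"),
                      ("shamika", "x15f12.test.com")]:
        verdict = "allow" if may_login(entries, uid, host) else "deny"
        print(f"{uid:8} on {host:20} -> {verdict}")
```

Feeding it the output of an `ldapsearch -LLL` over `ou=Groups` lets an administrator list, per user, exactly which hosts the directory grants before relying on the PAM or sshd side; the deny-by-default behaviour is what makes a missing or misspelled `host` value fail closed rather than open.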
