Thanks for the reply & details Adam. I shall try matching my config to this & get back to you.

Thanks a ton,
Shamika

On Sat, Jun 5, 2010 at 10:22 AM, Adam Hough <[email protected]> wrote:
> My guess is that your config on the server is not right. So it looks like
> you are using the slapd.d, which is what I am using as well. (I need to
> upload some updated rpms I think to gradientzero as well.)
>
> I used this site to help me get my configuration working:
> http://www.zytrax.com/books/ldap/ch6/slapd-config.html
>
> So my directory structure looks like:
>
> NOTE: While you can edit these files through the filesystem I highly
> recommend that you edit the files through ldap commands. I use Apache
> Directory Studio as my GUI type front end and use ldapvi when I just want to
> make changes to values already in the ldap server, and then to make major
> changes I use ldapmodify to make them.
>
> PWD=/etc/openldap/slapd.d
> # ls -lR
> .:
> total 8
> drwxr-x--- 5 ldap ldap 4096 May 26 16:48 cn=config
> -rw------- 1 ldap ldap 1312 May 26 17:10 cn=config.ldif
>
> ./cn=config:
> total 100
> -rw------- 1 ldap ldap 575 Sep 1 2009 cn=module{0}.ldif
> drwxr-x--- 2 ldap ldap 4096 Mar 4 12:42 cn=schema
> -rw------- 1 ldap ldap 61687 Sep 1 2009 cn=schema.ldif
> drwxr-x--- 2 ldap ldap 4096 Sep 2 2009 olcDatabase={0}config
> -rw------- 1 ldap ldap 2067 Nov 12 2009 olcDatabase={0}config.ldif
> drwxr-x--- 2 ldap ldap 4096 Mar 4 11:36 olcDatabase={1}bdb
> -rw------- 1 ldap ldap 4093 May 26 16:48 olcDatabase={1}bdb.ldif
> -rw------- 1 ldap ldap 2041 May 21 13:31 olcDatabase={-1}frontend.ldif
> -rw------- 1 ldap ldap 522 Sep 1 2009 olcDatabase={2}monitor.ldif
>
> ./cn=config/cn=schema:
> ...<SCHEMAS in this directory deleted to make this shorter>.
>
> ./cn=config/olcDatabase={0}config:
> total 4
> -rw------- 1 ldap ldap 385 Sep 1 2009 olcOverlay={0}syncprov.ldif
>
> ./cn=config/olcDatabase={1}bdb:
> total 24
> -rw------- 1 ldap ldap 385 Sep 1 2009 olcOverlay={0}syncprov.ldif
> -rw------- 1 ldap ldap 474 Sep 2 2009 olcOverlay={1}ppolicy.ldif
> -rw------- 1 ldap ldap 397 Sep 3 2009 olcOverlay={2}memberof.ldif
> -rw------- 1 ldap ldap 494 Sep 2 2009 olcOverlay={3}refint.ldif
> -rw------- 1 ldap ldap 425 Sep 9 2009 olcOverlay={4}dynlist.ldif
> -rw------- 1 ldap ldap 530 Mar 4 11:36 olcOverlay={5}unique.ldif
>
> Now for some listing of my ldifs that you think you are needing to see.
>
> # cat cn\=config.ldif
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcConfigDir: /etc/openldap/slapd.d
> olcAttributeOptions: lang-
> olcAuthzPolicy: none
> olcConnMaxPending: 100
> olcConnMaxPendingAuth: 1000
> olcGentleHUP: FALSE
> olcIdleTimeout: 0
> olcIndexSubstrIfMaxLen: 4
> olcIndexSubstrIfMinLen: 2
> olcIndexSubstrAnyLen: 4
> olcIndexSubstrAnyStep: 2
> olcIndexIntLen: 4
> olcLocalSSF: 71
> olcReadOnly: FALSE
> olcReverseLookup: FALSE
> olcSaslSecProps: noplain,noanonymous
> olcSockbufMaxIncoming: 262143
> olcSockbufMaxIncomingAuth: 16777215
> olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
> olcTLSVerifyClient: never
> structuralObjectClass: olcGlobal
> olcTLSCACertificateFile: /etc/pki/certmaster/ca.cert
> entryUUID: e686e389-d0eb-4987-a240-fee46028c0a6
> creatorsName: cn=config
> createTimestamp: 20090901234827Z
> olcTLSCRLCheck: none
> olcTLSCertificateFile: /etc/openldap/cacerts/server.cert
> olcTLSCertificateKeyFile: /etc/openldap/cacerts/key.pem
> olcServerID: 2 ldaps://2
> olcServerID: 1 ldaps://1
> olcServerID: 3 ldaps://3
> olcPidFile: /var/run/openldap/slapd.pid
> olcToolThreads: 1
> olcThreads: 16
>
> # cat cn\=config/cn\=module\{0\}.ldif
> dn: cn=module{0}
> objectClass: olcModuleList
> cn: module{0}
> olcModulePath: /usr/lib64/openldap
> olcModuleLoad: {0}dynlist.la
> olcModuleLoad: {1}pcache.la
> olcModuleLoad: {2}ppolicy.la
> olcModuleLoad: {3}refint.la
> olcModuleLoad: {4}retcode.la
> olcModuleLoad: {5}syncprov.la
> olcModuleLoad: {6}unique.la
> olcModuleLoad: {7}memberof.la
> structuralObjectClass: olcModuleList
>
> # cat cn\=config/olcDatabase\=\{1\}bdb/olcOverlay\=\{4\}dynlist.ldif
> dn: olcOverlay={4}dynlist
> objectClass: olcOverlayConfig
> objectClass: olcDynamicList
> olcOverlay: {4}dynlist
> structuralObjectClass: olcDynamicList
>
> I think these should help you find where you have gone wrong with the
> configuration of the slapd configuration.
>
> So in my actual directory I have an ou=Systems,dc=domain,dc=ZZZ
>
> cn=sysadmin,ou=Systems,dc=domain,dc=ZZZ
> cn: sysadmin
> objectClass: top
> objectClass: groupOfNames
> objectClass: labeledURIObject
> member: uid=nobody,ou=People,dc=domain,dc=ZZZ
> labeledURI: ldap:///ou=People,dc=domain,dc=ZZZ??one?(host=sysadmin)
>
> The nobody user is a fake user that is in all my groups; the user cannot
> login. The labeledURI says that if a user has host=sysadmin they should be in
> this group.
>
> /etc/ldap.conf:
> pam_groupdn cn=sysadmin,ou=Systems,dc=domain,dc=ZZZ
> pam_member_attribute member
>
> Also note that I hacked my schema to allow the host attribute in the
> PosixAccount users.
>
> On Wed, Jun 2, 2010 at 7:06 AM, Shamika Joshi <[email protected]> wrote:
>> Hi
>> I've followed Adam's post below on 'using pam_groupdn to use dynlist' to
>> my query posted a couple of months back, and after revisiting this
>> configuration I'm facing an issue with doing ssh to the client machine with a dynamic
>> member of the group. It works correctly for the static members of the same
>> group. Could you figure out if I'm missing something here?
>>
>> Currently using Ubuntu 9.10 which uses the slapd.d configuration directory.
>>
>> dn: cn=module{0},cn=config
>> objectClass: olcModuleList
>> cn: module{0}
>> olcModulePath: /usr/lib/ldap
>> olcModuleLoad: {0}back_hdb
>> olcModuleLoad: {1}dynlist.la
>> olcModuleLoad: {2}syncprov
>>
>> dn: olcDatabase={1}hdb,cn=config
>> objectClass: olcDatabaseConfig
>> objectClass: olcHdbConfig
>> olcDatabase: {1}hdb
>> olcDbDirectory: /var/lib/ldap
>> olcSuffix: dc=testlab,dc=com
>> olcAccess: {0}to attrs=userPassword,shadowLastChange by
>>  dn="cn=admin,dc=testlab,dc=com" write by anonymous auth by self write by * none
>> olcAccess: {1}to dn.base="" by * read
>> olcAccess: {2}to * by dn="cn=admin,dc=testlab,dc=com" write by * read
>> olcLastMod: TRUE
>> olcRootDN: cn=admin,dc=testlab,dc=com
>> olcRootPW: 1234
>> olcDbCheckpoint: 512 30
>> olcDbConfig: {0}set_cachesize 0 2097152 0
>> olcDbConfig: {1}set_lk_max_objects 1500
>> olcDbConfig: {2}set_lk_max_locks 1500
>> olcDbConfig: {3}set_lk_max_lockers 1500
>> olcDbIndex: uid pres,eq
>> olcDbIndex: cn,sn,mail pres,eq,approx,sub
>> olcDbIndex: objectClass eq
>>
>> dn: olcOverlay={0}dynlist,olcDatabase={1}hdb,cn=config
>> objectClass: olcOverlayConfig
>> objectClass: olcDynamicList
>> olcOverlay: {0}dynlist
>> olcDlAttrSet: {0}groupOfNames labeledURI member
>>
>> ldap.conf on the client machine contains
>> # Group to enforce membership of
>> pam_groupdn cn=u910desk,ou=Machines,dc=testlab,dc=com
>>
>> # Group member attribute
>> pam_member_attribute member
>>
>> I have added the following group
>> dn: cn=u910desk,ou=Machines,dc=testlab,dc=com
>> cn: u910desk
>> ipHostNumber: 172.17.5.232
>> objectClass: top
>> objectClass: groupOfNames
>> objectClass: labeledURIObject
>> objectClass: ipHost
>> labeledURI: ldap://172.17.0.200/ou=Users,dc=testlab,dc=com??one?(host=cms3)
>> member: cn=placeholder,dc=testlab,dc=com
>> member: uid=henry,ou=Users,dc=testlab,dc=com
>>
>> Also a user with a host=cms3 entry, which should become a dynamic member of
>> 'u910desk' after resolving the labeledURI above
>>
>> dn: uid=jack,ou=Users,dc=testlab,dc=com
>> cn: jack
>> sn: jack
>> givenName: jack
>> uid: jack
>> uidNumber: 1002
>> gidNumber: 513
>> homeDirectory: /home/jack
>> loginShell: /bin/bash
>> gecos: System User
>> host: cms3
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> objectClass: hostobj
>> shadowMax: 45
>>
>> However when I run a search for members of group 'u910desk' it returns the
>> following: the member list does not contain the entry of user 'jack' here
>>
>> $ ldapsearch -xLLL -b 'cn=u910desk,ou=Machines,dc=testlab,dc=com' member
>> dn: cn=u910desk,ou=Machines,dc=testlab,dc=com
>> member: cn=placeholder,dc=testlab,dc=com
>> member: uid=henry,ou=Users,dc=testlab,dc=com
>>
>> For the same reason (not sure though) I think I'm not able to ssh to this client
>> using 'jack'; however ssh using 'henry' works, it being a static member of
>> 'u910desk'.
>>
>> adm...@u910desk:~$ ssh j...@localhost
>> j...@localhost's password:
>> You must be a member of cn=u910desk,ou=Machines,dc=testlab,dc=com to login.
>> Connection closed by ::1
>> adm...@u910desk:~$
>> adm...@u910desk:~$ ssh he...@localhost
>> he...@localhost's password:
>> Linux u910desk 2.6.31-17-generic #54-Ubuntu SMP Thu Dec 10 17:01:44 UTC 2009 x86_64
>>
>> To access official Ubuntu documentation, please visit:
>> http://help.ubuntu.com/
>>
>> 164 packages can be updated.
>> 90 updates are security updates.
>>
>> Last login: Wed Jun 2 17:10:19 2010 from localhost
>> he...@u910desk:~$
>>
>> Any help in this matter will be highly appreciated.
>>
>> Thanks in advance
>> Shamika
>>
>> On Sat, Dec 12, 2009 at 4:53 AM, Adam Hough <[email protected]> wrote:
>>> I am guessing you are either using RHEL5, CentOS5 or some other RHEL5
>>> based distro. I replaced the openldap that was on my CentOS5 machines with
>>> a newer version at 2.4.16+patches.
>>>
>>> I have uploaded the rpms and srpms of what I used, which you can do a drop
>>> in replacement of the RHEL5 based openldap rpms.
>>> http://www.gradientzero.com/openldap/
>>>
>>> I do not remember for sure but I think I had to force one or 2 of the
>>> packages to get it to install, but once everything is installed then it ran
>>> fine for me. I have 3 ldap servers using this version setup in a
>>> multi-master setup.
>>>
>>> Since I am doing a multi-master setup, I do not use slapd.conf but rather
>>> the slapd.d configuration directory, though the dynlist overlay should work
>>> with slapd.conf as well.
>>>
>>> - Adam
>>>
>>>> On Fri, Dec 11, 2009 at 4:18 AM, Adam Hough <[email protected]> wrote:
>>>>
>>>>> There are other ways to populate the pam_groupdn that you have
>>>>> associated with each machine but those all correspond to some attribute in
>>>>> the user's profile.
>>>>>
>>>>> I have pam_groupdn setup like this
>>>>>
>>>>> /etc/ldap.conf:
>>>>> pam_groupdn cn=<GROUP_NAME>,ou=Systems,dc=domain,dc=com
>>>>> pam_member_attribute member
>>>>>
>>>>> cn=<GROUP_NAME>,ou=Systems,dc=domain,dc=com
>>>>> cn: <GROUP_NAME>
>>>>> objectClass: top
>>>>> objectClass: groupOfNames
>>>>> objectClass: labeledURIObject
>>>>> member: uid=nobody,ou=People,dc=domain,dc=com
>>>>> labeledURI: ldap:///ou=People,dc=domain,dc=com??one?(host=<type of system>)
>>>>> labeledURI: ldap:///ou=People,dc=domain,dc=com??one?(gidNumber=XXXX)
>>>>>
>>>>> So as you can see you can have as many labeledURI attributes as you
>>>>> want or need. I tend to use the host name as a function of what the host does.
>>>>>
>>>>> This is how my account profile would look:
>>>>> uid=<MYUSERID>,ou=People,dc=domain,dc=com
>>>>> host: "cluster"
>>>>> host: sysadmin
>>>>>
>>>>> So "cluster" is a compute cluster that we have and thus for all those
>>>>> machines the pam_groupdn is cn="cluster",ou=Systems,dc=domain,dc=com, and for
>>>>> machines where only the sysadmins login to, the pam_groupdn is
>>>>> cn=sysadmin,ou=Systems,dc=domain,dc=com.
>>>>>
>>>>> As long as you can form a labeledURI:
>>>>> ldap:///ou=People,dc=domain,dc=com??one?<attribute>=<value>) type search you
>>>>> can use it to auto populate the group.
>>>>>
>>>>> Summary:
>>>>> * Do not think of the host attribute as host = hostname but as host
>>>>> = type of machine, and that you can have more than one labeledURI per group
>>>>> to help populate the group.
>>>>> * Use good gidNumbers for groups to help auto populate groupOfNames
>>>>> style groups.
>>>>>
>>>>> - Adam
>>>>>
>>>>> On Wed, Dec 9, 2009 at 4:01 AM, Shamika Joshi <[email protected]> wrote:
>>>>>
>>>>>> Hi Adam,
>>>>>> I'm able to get host auth working by using the host attribute. But the
>>>>>> drawback of that is every time there is a new machine, I have to add that host
>>>>>> to all the users I want to grant access to. If I decide to do it based on
>>>>>> group membership, I can use pam_groupdn but then it does not allow multiple
>>>>>> group entries there, plus it has to be managed on the client side, which is even
>>>>>> more undesirable by any administrator.
>>>>>>
>>>>>> I went through this article but I'm not sure if it will work if I have
>>>>>> some members already associated with some groups. Like ldap1 & ldap2 members
>>>>>> of qagroup & ldap3 & ldap4 members of sysadmin; would this method allow me
>>>>>> to limit access based on their group membership? If yes, could you briefly
>>>>>> explain with an example?
>>>>>>
>>>>>> Thanks for your time in advance
>>>>>> Shamika
>>>>>>
>>>>>> On Wed, Dec 9, 2009 at 9:04 AM, Adam Hough <[email protected]> wrote:
>>>>>>
>>>>>>> Here is the write up that I read to figure out how to do the setup to
>>>>>>> auto-restrict users to certain hosts.
>>>>>>>
>>>>>>> http://www.hurricanelabs.com/september2009_login_security_using_openldap_and_pam
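The thread's whole mechanism is: the dynlist overlay resolves each labeledURI of a groupOfNames (base DN, scope and filter of an LDAP URL) against the local database and appends the matching entries to `member`; pam_groupdn/pam_member_attribute on the client then only checks whether the login DN appears in that member list. The script below is an added example, not code from the thread, from OpenLDAP or from pam_ldap. It is an offline model of that expansion in plain Python, meant for sanity-checking a group definition (base, scope, filter, and DN spelling) before it is used to gate SSH logins. It assumes a simplified DN normalization (split on commas, case-fold), deliberately ignores the host part of the URL, supports only equality, presence and &/|/! filters, and all entries are constructed to mirror the testlab data in the thread.

```python
"""Offline model of dynlist labeledURI expansion plus the pam_groupdn membership check.
Added example; not the overlay's or pam_ldap's real code. Simplifications (assumptions):
DNs are split on commas and case-folded, the URL host part is ignored, and only a
subset of RFC 4515 filters is understood."""
from urllib.parse import unquote


def normalize_dn(dn):
    """Case-fold a DN and drop whitespace around RDN separators (simplified, no escaping)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL ldap://[host]/base?attrs?scope?filter into its parts.
    The host component is ignored: a dynlist URI is resolved against the local database."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an ldap:// URL: %r" % url)
    _host, _sep, rest = url[len("ldap://"):].partition("/")
    parts = (rest.split("?") + ["", "", "", ""])[:4]
    base, attrs, scope, filt = (unquote(p) for p in parts)  # handles %28host=cms3%29
    return {"base": normalize_dn(base), "attrs": [a for a in attrs.split(",") if a],
            "scope": (scope or "base").lower(), "filter": filt or "(objectClass=*)"}


def parse_filter(text, pos=0):
    """Tiny filter parser: (attr=value), (attr=*), (&...), (|...), (!...). Returns (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at %d in %r" % (pos, text))
    pos += 1
    if text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unterminated compound filter in %r" % text)
        return ({"&": "and", "|": "or", "!": "not"}[op], children), pos + 1
    end = text.index(")", pos)
    attr, _eq, value = text[pos:end].partition("=")
    node = ("present", attr) if value == "*" else ("eq", attr, value)
    return node, end + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry whose attribute names are lower-cased keys."""
    kind = node[0]
    if kind == "and":
        return all(matches(c, entry) for c in node[1])
    if kind == "or":
        return any(matches(c, entry) for c in node[1])
    if kind == "not":
        return not any(matches(c, entry) for c in node[1])
    values = [v.lower() for v in entry.get(node[1].lower(), [])]
    return bool(values) if kind == "present" else node[2].lower() in values


def in_scope(entry_dn, base, scope):
    """base: the base entry only; one: its immediate children; sub: the base or any descendant."""
    dn = normalize_dn(entry_dn)
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or dn.endswith("," + base)


def expand_dynamic_group(group, directory):
    """Member list as dynlist would present it: static members plus every labeledURI match."""
    members = [normalize_dn(m) for m in group.get("member", [])]
    for uri in group.get("labeleduri", []):
        url = parse_ldap_url(uri)
        node, _ = parse_filter(url["filter"])
        for entry in directory:
            if in_scope(entry["dn"], url["base"], url["scope"]) and matches(node, entry):
                dn = normalize_dn(entry["dn"])
                if dn not in members:
                    members.append(dn)
    return members


def may_login(user_dn, group, directory):
    """The question pam_groupdn/pam_member_attribute ask: is the login DN in the expanded group?"""
    return normalize_dn(user_dn) in expand_dynamic_group(group, directory)


# Constructed sample data modelled on the thread's testlab entries (not a dump of a real server).
GROUP = {
    "dn": "cn=u910desk,ou=Machines,dc=testlab,dc=com",
    "objectclass": ["top", "groupOfNames", "labeledURIObject"],
    "member": ["cn=placeholder,dc=testlab,dc=com", "uid=henry,ou=Users,dc=testlab,dc=com"],
    "labeleduri": ["ldap:///ou=Users,dc=testlab,dc=com??one?(host=cms3)"],
}
DIRECTORY = [
    {"dn": "uid=henry,ou=Users,dc=testlab,dc=com", "uid": ["henry"]},
    {"dn": "uid=jack,ou=Users,dc=testlab,dc=com", "uid": ["jack"], "host": ["cms3"]},
    {"dn": "uid=mary,ou=Users,dc=testlab,dc=com", "uid": ["mary"], "host": ["cms4"]},
    # Same host value but one level deeper: outside scope "one", so NOT a member.
    {"dn": "uid=bob,ou=Contractors,ou=Users,dc=testlab,dc=com", "uid": ["bob"], "host": ["cms3"]},
]

if __name__ == "__main__":
    for dn in expand_dynamic_group(GROUP, DIRECTORY):
        print("member:", dn)
    for entry in DIRECTORY:
        print(entry["dn"], "->", "login allowed" if may_login(entry["dn"], GROUP, DIRECTORY) else "denied")
```

Running it lists `placeholder`, `henry` and `jack` as members and denies `bob`, which is the point worth checking in a definition like the one in the thread: with scope `one` only direct children of the base DN are considered, so a user filed one level deeper is silently left out of the group even though the filter matches, and the login is refused with the same "You must be a member of ..." message as any other non-member.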
