An answer, at long last, from Red Hat support:

  There is a limit of 16kB for a group entry when pam calls
  getgrnam_r().  This can be changed only by PAM library source
  recompiling. There are two alternative solutions you can try.

  1. As you use LDAP for storing the groups, you could use netgroups
  matching in pam_access for the same purpose.

  2. You could use pam_listfile (instead of pam_access.so) which
  doesn't have this limitation.

  /usr/share/doc/pam<version>/README.pam_listfile file contains more
  information about this module. Using this module you can restrict
  users/groups to a particular service.

Hope that helps someone else with a similar problem.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
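As an added illustration (not part of this thread or of any Red Hat code), the following estimates whether a group entry fits the 16 kB buffer support mentions. It assumes the glibc-style getgrnam_r() layout (every string NUL-terminated plus a NULL-terminated char* array for gr_mem, 8-byte pointers) and 8-character usernames; the function names and the sample groups are constructed for the example.

```python
import grp  # only used by the optional live check against the local name service

PAM_GROUP_BUF = 16 * 1024   # 16 kB limit quoted by Red Hat support
POINTER_SIZE = 8            # sizeof(char *) on x86_64 (assumption)


def estimate_group_buffer(name, passwd, members):
    """Approximate bytes getgrnam_r() needs for one group entry.

    Assumption: the caller's buffer must hold the NUL-terminated
    gr_name, gr_passwd and every member name, plus the NULL-terminated
    char* array that gr_mem points at (glibc-style layout).
    """
    strings = len(name) + 1 + len(passwd) + 1 + sum(len(m) + 1 for m in members)
    pointers = (len(members) + 1) * POINTER_SIZE
    return strings + pointers


def fits_pam_buffer(name, passwd, members, limit=PAM_GROUP_BUF):
    """True if the estimated entry size is within the PAM buffer limit."""
    return estimate_group_buffer(name, passwd, members) <= limit


def check_system_group(groupname, limit=PAM_GROUP_BUF):
    """Live check: look the group up via the configured NSS sources."""
    g = grp.getgrnam(groupname)
    return fits_pam_buffer(g.gr_name, g.gr_passwd, g.gr_mem, limit)


# Constructed sample mirroring the member counts in the thread.
SAMPLE_GROUPS = {
    "group1": ["user%04d" % i for i in range(4336)],
    "group2": ["user%04d" % i for i in range(693)],
    "group3": ["user%04d" % i for i in range(4)],
}


def report(groups=SAMPLE_GROUPS):
    """Map each group name to whether it fits the 16 kB buffer."""
    return {n: fits_pam_buffer(n, "x", m) for n, m in groups.items()}


if __name__ == "__main__":
    for name, ok in report().items():
        size = estimate_group_buffer(name, "x", SAMPLE_GROUPS[name])
        print(f"{name}: ~{size} bytes, {'fits' if ok else 'exceeds 16kB'}")
```

With these assumptions only group1 overflows the buffer, which matches the behaviour reported below (group2 and group3 members log in, group1 members do not).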

On Fri, 31 Aug 2007, Brian Long wrote:

> On Fri, 2007-08-31 at 11:47 -0500, Chris St. Pierre wrote:
> > On Fri, 31 Aug 2007, Brian Long wrote:
> >
> > > On Fri, 2007-08-31 at 09:41 -0500, Chris St. Pierre wrote:
> > > > I'm using pam_access.so (/etc/security/access.conf) to control access
> > > > to various resources on our RHEL5 machines.  One such machine has a
> > > > single line in access.conf that looks something like this:
> > > >
> > > > -:ALL EXCEPT group1 group2 group3:ALL
> > > >
> > > > group1 has 4336 members; group2 has 693 members; and group3 has 4
> > > > members.  Everyone in group2 and group3 can log in fine, but folks in
> > > > group1 can't.  If I specify another, smaller group, that someone in
> > > > group1 is in, though, they can log in.
> > >
> > > What is the name service being used?  Is this LDAP, NIS, local group?
> >
> > LDAP.  Note pam_ldap.so being called in the PAM config.  (I meant to
> > mention that explicitly, but forgot.  Sorry.)
>
> I only know about group size limitations in NIS implementations.  It
> sounds like you need to open an Issue Tracker with Red Hat (or a
> Bugzilla if you don't have support) since you're using LDAP.
>
> /Brian/
>
> --
> Brian Long
> Cisco
>
> _______________________________________________
> rhelv5-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/rhelv5-list
