Re: [Fedora-directory-users] problems with pam ldap ?

2008-05-30 Thread Nalin Dahyabhai
On Fri, May 30, 2008 at 10:41:09AM +0300, Bogdan Cehan wrote:
> Ok, so now my configuration looks like this:
> 
> # Server1, Groups, pol.mediaimage.ro
> dn: cn=Server1,ou=Groups,dc=pol,dc=ro
> objectClass: top
> objectClass: posixgroup
> cn: Server1
> gidNumber: 100
> memberUid: alex
> memberUid: vion
> 
> and ldap.conf:
> 

[snip]

> pam_member_attribute memberUid
> pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro

That's probably not going to work -- pam_ldap is still going to check
for the DN of the user's entry in the memberUid attribute, and not the
user's name.

[snip]

> and pam system-auth :
[snip]
> account    sufficient   pam_unix.so
> account    required     pam_access.so
> account    sufficient   pam_ldap.so

I suspect pam_unix is checking for an expired password (and if you're
using nss_ldap, it'll be able to "see" users you've defined in the
directory), determining that the user's password has not expired, and
returning success.

There's also the subtle problem that if a "sufficient" module fails, it
doesn't actually cause the whole PAM stack to be counted as a failure,
so even if both pam_unix.so and pam_ldap.so failed, the user might still
be allowed access.  I'd suggest something like this instead:
  account required pam_unix.so
  account [default=bad success=ok user_unknown=ignore] pam_ldap.so
  account required pam_access.so

I haven't tried it myself, but I think that'll work.

HTH,

Nalin

--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users
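To make the "sufficient" problem Nalin describes concrete, here is an added example (not code from the thread) that models Linux-PAM's stack evaluation as documented in pam.conf(5) and runs the posted account stack and the suggested one through the scenarios discussed above. The module return codes are constructed inputs, not real module output.

```python
# Added example, not code from the thread: a small model of Linux-PAM's
# stack evaluation (pam.conf(5) control semantics), comparing the posted
# "account" stack with the one Nalin suggests. Module results below are
# constructed inputs, not output of the real modules.
SUCCESS, PERM_DENIED, USER_UNKNOWN = "success", "perm_denied", "user_unknown"

# Classic keywords expanded into their [value=action] equivalents.
CONTROLS = {"required":   {"success": "ok",   "default": "bad"},
            "sufficient": {"success": "done", "default": "ignore"}}

def run_stack(stack, results):
    """stack: [(control, module)], control a keyword or an explicit dict;
    results: module -> return code. The first failure is remembered, and
    a 'done' only short-circuits while nothing has failed yet."""
    impression, status = None, PERM_DENIED
    for control, module in stack:
        table = CONTROLS[control] if isinstance(control, str) else control
        retval = results[module]
        action = table.get(retval, table["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == SUCCESS):
                impression, status = "pos", retval
            if action == "done" and impression == "pos":
                break                     # sufficient: stop, stack succeeds
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", retval
            if action == "die":
                break
        # "ignore": this module's result does not influence the outcome
    return impression == "pos" and status == SUCCESS

POSTED = [("sufficient", "pam_unix"), ("required", "pam_access"),
          ("sufficient", "pam_ldap")]
SUGGESTED = [("required", "pam_unix"),
             ({"default": "bad", "success": "ok", "user_unknown": "ignore"},
              "pam_ldap"),
             ("required", "pam_access")]

def decide(stack, unix, ldap, access=SUCCESS):
    return run_stack(stack, {"pam_unix": unix, "pam_ldap": ldap,
                             "pam_access": access})

# Scenarios from the thread: pam_ldap rejects a user who is not in the group
# while pam_unix (seeing the user via nss_ldap) finds nothing wrong; both
# modules fail; and a local-only user whom pam_ldap does not know at all.
def ldap_denies_unix_ok(stack): return decide(stack, SUCCESS, PERM_DENIED)
def both_fail(stack):           return decide(stack, PERM_DENIED, PERM_DENIED)
def local_only_user(stack):     return decide(stack, SUCCESS, USER_UNKNOWN)
```

With the posted stack every scenario ends in success; with the suggested stack a pam_ldap denial is final while a user pam_ldap has never heard of still passes through to pam_access.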


Re: [Fedora-directory-users] problems with pam ldap ?

2008-05-30 Thread Bogdan Cehan
Ok, so now my configuration looks like this:

# Server1, Groups, pol.mediaimage.ro
dn: cn=Server1,ou=Groups,dc=pol,dc=ro
objectClass: top
objectClass: posixgroup
cn: Server1
gidNumber: 100
memberUid: alex
memberUid: vion

and ldap.conf:

URI ldap://lacatzel.pol.ro
port=389
BASE dc=pol,dc=ro
host lacatzel.pol.ro
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
scope sub
bind_policy soft
#pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
pam_check_host_attr yes
nss_default_attribute_value loginShell /bin/false
nss_base_passwd ou=People,dc=pol,dc=ro
nss_base_shadow ou=People,dc=pol,dc=ro
nss_base_group  ou=People,dc=pol,dc=ro

and PAM system-auth:

auth       required      pam_env.so
auth       [success=ignore default=1] pam_localuser.so
auth       [success=done new_authtok_reqd=done default=1] pam_unix.so likeauth nullok try_first_pass
auth       sufficient    pam_ldap.so try_first_pass
auth       required      pam_deny.so

account    sufficient    pam_unix.so
account    required      pam_access.so
account    sufficient    pam_ldap.so

password   required      pam_cracklib.so difok=2 minlen=2 dcredit=2 ocredit=2 retry=1
password   sufficient    pam_unix.so nullok md5 shadow use_authtok
password   sufficient    pam_ldap.so use_authtok
password   required      pam_deny.so

session    required      pam_limits.so
session    required      pam_unix.so
# Creates the home directories if they do not exist
session    required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    optional      pam_ldap.so


But with all this, all users could log in to the system with no problem.

> On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote:
> > I'm using the Fedora Directory Server for centralized
> > authentication, and I have made users with posixAccount and I
> > put them in ou=People like this:
>
> [snip]
>
> > # Server1, Groups, pol.ro
> > dn: cn=Server1,ou=Groups,dc=pol,dc=ro
> > description: group for users that have access on server 1
> > objectClass: top
> > objectClass: groupofuniquenames
> > uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro
> > uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro
> > cn: Server1
>
> [snip]
>
> > and my ldap.conf looks like this :
> >
> > URI ldap://lacatzel.pol.ro
> > port=389
> > BASE dc=pol,dc=ro
> > host lacatzel.pol.ro
> > TLS_CACERTDIR /etc/openldap/cacerts
> > TLS_REQCERT allow
> > scope sub
> > bind_policy soft
> > #pam_password exop
> > pam_filter objectclass=posixAccount
> > pam_login_attribute uid
> > pam_member_attribute memberUid
> > pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
>
> [snip]
>
> The combination of the pam_groupdn and pam_member_attribute
> settings you have here instructs pam_ldap to check for the user's
> DN among the values for the group object's "memberUid" attribute,
> but the user's DN is stored in the "uniqueMember" attribute.  Try
> changing that (or removing it, because "pam_member_attribute
> uniquemember" is the default).
>
> But if that were the only problem, I'd expect that none of your
> users would be able to log in.  You should probably double-check
> that your PAM configuration is able to deny users entry when
> pam_ldap's account management function (which is the part that
> checks group membership) returns a failure.
>
> HTH,
>
> Nalin
>




Re: [Fedora-directory-users] problems with pam ldap ?

2008-05-29 Thread Nalin Dahyabhai
On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote:
> I'm using the Fedora Directory Server for centralized authentication,
> and I have made users with posixAccount and I put them in ou=People
> like this:
[snip]
> # Server1, Groups, pol.ro
> dn: cn=Server1,ou=Groups,dc=pol,dc=ro
> description: group for users that have access on server 1
> objectClass: top
> objectClass: groupofuniquenames
> uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro
> uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro
> cn: Server1
[snip]
> and my ldap.conf looks like this :
> 
> URI ldap://lacatzel.pol.ro
> port=389
> BASE dc=pol,dc=ro
> host lacatzel.pol.ro
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT allow
> scope sub
> bind_policy soft
> #pam_password exop
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_member_attribute memberUid
> pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro

[snip]

The combination of the pam_groupdn and pam_member_attribute settings you
have here instructs pam_ldap to check for the user's DN among the values
for the group object's "memberUid" attribute, but the user's DN is
stored in the "uniqueMember" attribute.  Try changing that (or
removing it, because "pam_member_attribute uniquemember" is the
default).

But if that were the only problem, I'd expect that none of your users
would be able to log in.  You should probably double-check that your PAM
configuration is able to deny users entry when pam_ldap's account
management function (which is the part that checks group membership)
returns a failure.

HTH,

Nalin

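The mismatch Nalin points out can be reproduced offline. The following added example (not code from the thread or from pam_ldap) models the pam_groupdn/pam_member_attribute test as he describes it, looking for the user's DN among the values of the configured attribute, and runs it against the two group entries posted in the thread. The DN normalisation is a simplification of the matching a directory server applies to an LDAP compare.

```python
# Added example, not code from the thread: a model of the membership test
# pam_ldap performs for pam_groupdn/pam_member_attribute (it looks for the
# user's DN among that attribute's values, as Nalin describes). The two
# group entries are the ones posted in the thread; the DN comparison below
# is a simplification of what the directory server does for an LDAP compare.
GROUP_OF_UNIQUE_NAMES = """\
dn: cn=Server1,ou=Groups,dc=pol,dc=ro
objectClass: top
objectClass: groupofuniquenames
uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro
uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro
cn: Server1
"""
POSIX_GROUP = """\
dn: cn=Server1,ou=Groups,dc=pol,dc=ro
objectClass: top
objectClass: posixgroup
cn: Server1
gidNumber: 100
memberUid: alex
memberUid: vion
"""

def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: 'attr: value' lines, attributes
    may repeat. Attribute names are case-insensitive in LDAP."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def normalize_dn(dn):
    """Case-fold and strip spaces around commas so equivalent DNs compare equal."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def group_allows(group_ldif, member_attr, user_dn):
    """pam_ldap-style check: is user_dn one of member_attr's values?"""
    values = parse_ldif_entry(group_ldif).get(member_attr.lower(), [])
    return normalize_dn(user_dn) in {normalize_dn(v) for v in values}

ALEXADU = "uid=alexadu,ou=People,dc=pol,dc=ro"
ALEX = "uid=alex,ou=People,dc=pol,dc=ro"
```

Only the groupOfUniqueNames entry queried through uniqueMember admits a member; with memberUid the same entry has no such attribute, and the posixGroup entry holds login names, which never equal a DN.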


Re: [Fedora-directory-users] problems with pam ldap ?

2008-05-29 Thread Edward Capriolo
There are a few ways. I found the best way is to specify pam_groupdn and
pam_member_attribute. This allows you to create a simple LDAP object that
says who can log into what system.

Edward

On Thu, May 29, 2008 at 5:40 AM, Bogdan Cehan
<[EMAIL PROTECTED]> wrote:
> Let's say I have users alex, tom, john, joe and bruce, and the
> computers comp1, comp2 and comp3.
>
>
>
> In my LDAP I have the users in ou=People with posixAccount, and three
> groups named after the computers, like:
>
>
> cn=comp1,ou=Groups 
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: comp1
> ou: groups
> description: People who can login on comp1
> uniqueMember: uid=alex,ou=People,dc=pol,dc=mediaimage,dc=ro
> uniqueMember: uid=joe,ou=People,dc=pol,dc=mediaimage,dc=ro
> uniqueMember: uid=bruce,ou=People,dc=pol,dc=mediaimage,dc=ro
> -
>
>
> cn=comp2,ou=Groups 
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: comp3
> ou: groups
> description: People who can login on comp2
> uniqueMember: uid=alex,ou=People,dc=pol,dc=mediaimage,dc=ro
> uniqueMember: uid=tom,ou=People,dc=pol,dc=mediaimage,dc=ro
> uniqueMember: uid=bruce,ou=People,dc=pol,dc=mediaimage,dc=ro
> -
>
> cn=comp3,ou=Groups 
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: comp3
> ou: groups
> description: People who can login on comp3
> uniqueMember: uid=john,ou=People,dc=pol,dc=mediaimage,dc=ro
> uniqueMember: uid=joe,ou=People,dc=pol,dc=mediaimage,dc=ro
> uniqueMember: uid=bruce,ou=People,dc=pol,dc=mediaimage,dc=ro
> -
>
>
>
> In this schema, let's say that I want to be able to "permit" login access to
> the computers only to the people I have in their group.
>> On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote:
>> > Hello all
>> >
>> >
>> >
>> > I'm using the Fedora Directory Server for centralized authentication,
>> > and I have made users with posixAccount and I put them in ou=People
>> > like this:
>>
>> [snip]
>>
>> > Now I want to restrict some users to servers based on groups, but my
>> > pam_ldap does not help me to do that. I'm using my old friend
>> > "www.google.com" to help me in this problem but with no luck. All
>> > my users have access to this computer, so, if I understand right,
>> > all I have to do is create users with posixAccount and after that create
>> > groups and put the users in that group, but this does not work. Any
>> > ideas? Anyone use FDS for what I intend to do?
>>
>> The pam_access module may help you do this depending on what you mean by
>> "restrict".
>>
>> > Thank you for your time .
>> >
>> >
>> >
>> > Bogdan



Re: [Fedora-directory-users] problems with pam ldap ?

2008-05-29 Thread Bogdan Cehan
Let's say I have users alex, tom, john, joe and bruce, and the
computers comp1, comp2 and comp3.



In my LDAP I have the users in ou=People with posixAccount, and three
groups named after the computers, like:


cn=comp1,ou=Groups  
objectClass: top
objectClass: groupOfUniqueNames
cn: comp1
ou: groups
description: People who can login on comp1
uniqueMember: uid=alex,ou=People,dc=pol,dc=mediaimage,dc=ro
uniqueMember: uid=joe,ou=People,dc=pol,dc=mediaimage,dc=ro
uniqueMember: uid=bruce,ou=People,dc=pol,dc=mediaimage,dc=ro
-


cn=comp2,ou=Groups  
objectClass: top
objectClass: groupOfUniqueNames
cn: comp3
ou: groups
description: People who can login on comp2
uniqueMember: uid=alex,ou=People,dc=pol,dc=mediaimage,dc=ro
uniqueMember: uid=tom,ou=People,dc=pol,dc=mediaimage,dc=ro
uniqueMember: uid=bruce,ou=People,dc=pol,dc=mediaimage,dc=ro
-

cn=comp3,ou=Groups  
objectClass: top
objectClass: groupOfUniqueNames
cn: comp3
ou: groups
description: People who can login on comp3
uniqueMember: uid=john,ou=People,dc=pol,dc=mediaimage,dc=ro
uniqueMember: uid=joe,ou=People,dc=pol,dc=mediaimage,dc=ro
uniqueMember: uid=bruce,ou=People,dc=pol,dc=mediaimage,dc=ro
-



In this schema, let's say that I want to be able to "permit" login access to
the computers only to the people I have in their group.
> On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote:
> > Hello all
> >
> >
> >
> > I'm using the Fedora Directory Server for centralized authentication,
> > and I have made users with posixAccount and I put them in ou=People
> > like this:
>
> [snip]
>
> > Now I want to restrict some users to servers based on groups, but my
> > pam_ldap does not help me to do that. I'm using my old friend
> > "www.google.com" to help me in this problem but with no luck. All
> > my users have access to this computer, so, if I understand right,
> > all I have to do is create users with posixAccount and after that create
> > groups and put the users in that group, but this does not work. Any
> > ideas? Anyone use FDS for what I intend to do?
>
> The pam_access module may help you do this depending on what you mean by
> "restrict".
>
> > Thank you for your time .
> >
> >
> >
> > Bogdan




Re: [Fedora-directory-users] problems with pam ldap ?

2008-05-29 Thread Jonathan Barber
On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote:
> Hello all 
> 
> 
> 
> I'm using the Fedora Directory Server for centralized authentication,
> and I have made users with posixAccount and I put them in ou=People
> like this:

[snip]

> Now I want to restrict some users to servers based on groups, but my pam_ldap
> does not help me to do that. I'm using my old friend "www.google.com" to
> help me in this problem but with no luck. All my users have access to
> this computer, so, if I understand right, all I have to do is create
> users with posixAccount and after that create groups and put the users in
> that group, but this does not work. Any ideas? Anyone use FDS for what I
> intend to do?

The pam_access module may help you do this depending on what you mean by
"restrict".

> Thank you for your time . 
> 
> 
> 
> Bogdan 

-- 
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
