Re: pam_ldap authentication based on pam_groupdn

2004-10-19 Thread Jason Lixfeld
Hi.
Anyone have any insight on this?
On 18-Oct-04, at 1:07 AM, Jason Lixfeld wrote:
> I'm wondering if someone can point out my error here.  I've got PAM
> authenticating ssh users like so:
>
> auth        required    pam_nologin.so      no_warn
> auth        sufficient  pam_opie.so         no_warn no_fake_prompts
> auth        requisite   pam_opieaccess.so   no_warn allow_local
> auth        sufficient  /usr/local/lib/pam_ldap.so  config=/usr/local/etc/openldap/ldap-ssh.conf debug try_first_pass
> auth        required    pam_unix.so         no_warn try_first_pass
> account     required    pam_login_access.so
> account     sufficient  /usr/local/lib/pam_ldap.so  debug
> account     required    pam_unix.so
> session     required    pam_permit.so
> password    sufficient  /usr/local/lib/pam_ldap.so  debug
> password    required    pam_unix.so         no_warn try_first_pass
>
> bash-2.05b# cat /usr/local/etc/openldap/ldap-ssh.conf
> host 127.0.0.1
> base dc=example,dc=com
> rootbinddn cn=proxyuser,dc=example,dc=com
> scope one
> #pam_filter objectclass=posixaccount
> #pam_login_attribute uid
> pam_groupdn cn=ssh,ou=groups,dc=example,dc=com
> pam_member_attribute memberuid
> pam_password SSHA
> nss_base_passwd ou=users,dc=example,dc=com?one
> nss_base_shadow ou=users,dc=example,dc=com?one
> nss_base_group  ou=groups,dc=example,dc=com?one
>
> So I'm trying to permit users who are only members of the group ssh.
> As per this ldap entry below, this user should be the only one
> permitted to ssh in:
>
> dn: cn=ssh,ou=groups,dc=example,dc=com
> objectClass: posixGroup
> objectClass: top
> cn: ssh
> gidNumber: 10009
> memberUid: testuser.discord.ca
>
> This isn't working.  This user, and any other user can ssh in, even
> without being a member of the ssh group.  The check doesn't seem to be
> working and I'm not sure what I'm doing wrong.
>
> I have an nss_ldap.conf which pam queries also, but will a config
> explicitly configured as I have done above override the
> nss_ldap.conf?
>
> Any ideas?
> ___
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to [EMAIL PROTECTED]


pam_ldap authentication based on pam_groupdn

2004-10-17 Thread Jason Lixfeld
I'm wondering if someone can point out my error here.  I've got PAM 
authenticating ssh users like so:

auth        required    pam_nologin.so      no_warn
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
auth        sufficient  /usr/local/lib/pam_ldap.so  config=/usr/local/etc/openldap/ldap-ssh.conf debug try_first_pass
auth        required    pam_unix.so         no_warn try_first_pass
account     required    pam_login_access.so
account     sufficient  /usr/local/lib/pam_ldap.so  debug
account     required    pam_unix.so
session     required    pam_permit.so
password    sufficient  /usr/local/lib/pam_ldap.so  debug
password    required    pam_unix.so         no_warn try_first_pass

bash-2.05b# cat /usr/local/etc/openldap/ldap-ssh.conf
host 127.0.0.1
base dc=example,dc=com
rootbinddn cn=proxyuser,dc=example,dc=com
scope one
#pam_filter objectclass=posixaccount
#pam_login_attribute uid
pam_groupdn cn=ssh,ou=groups,dc=example,dc=com
pam_member_attribute memberuid
pam_password SSHA
nss_base_passwd ou=users,dc=example,dc=com?one
nss_base_shadow ou=users,dc=example,dc=com?one
nss_base_group  ou=groups,dc=example,dc=com?one

So I'm trying to permit users who are only members of the group ssh.
As per this ldap entry below, this user should be the only one
permitted to ssh in:

dn: cn=ssh,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ssh
gidNumber: 10009
memberUid: testuser.discord.ca

This isn't working.  This user, and any other user can ssh in, even
without being a member of the ssh group.  The check doesn't seem to be 
working and I'm not sure what I'm doing wrong.

I have an nss_ldap.conf which pam queries also, but will a config
explicitly configured as I have done above override the
nss_ldap.conf?

Any ideas?
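Editor's note and added example (not part of the thread, and not pam_ldap or OpenPAM code). The behaviour described in the posts follows from the PAM control flags rather than from the LDAP side. In both the auth and account chains pam_ldap.so is marked "sufficient" and is followed by a "required" pam_unix.so. A "sufficient" module that fails is simply skipped, so when pam_ldap denies a user who is not in cn=ssh, the chain falls through to pam_unix.so, which succeeds for any account that nss_ldap resolves, and the user is let in. Changing the pam_ldap account line to "required" makes the denial fatal. The Python below simulates OpenPAM-style chain evaluation over a constructed copy of the posted stanza. Its assumptions: pam_login_access.so and pam_unix.so succeed for every user; the pam_groupdn/pam_member_attribute test is modelled as a lookup against the posted group's memberUid values (pam_ldap does it with an LDAP compare); and, to my knowledge of the PADL pam_ldap code, that test is applied in the account phase. The with_control helper and the constant names are mine.

```python
"""Simulate PAM chain evaluation (OpenPAM/Linux-PAM control-flag rules) over
a constructed copy of the pam.conf stanza from the thread.  Added example,
not code from the post, pam_ldap or OpenPAM.
"""
from dataclasses import dataclass, field

PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_AUTH_ERR = "PAM_AUTH_ERR"

# Constructed copy of the auth/account lines posted above (assumption: this
# is the stanza sshd uses; session/password lines are irrelevant here).
POSTED_PAM_CONF = """
auth        required    pam_nologin.so      no_warn
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
auth        sufficient  /usr/local/lib/pam_ldap.so  config=/usr/local/etc/openldap/ldap-ssh.conf debug try_first_pass
auth        required    pam_unix.so         no_warn try_first_pass
account     required    pam_login_access.so
account     sufficient  /usr/local/lib/pam_ldap.so  debug
account     required    pam_unix.so
"""

# Constructed stand-in for the posted cn=ssh group: only memberUid matters.
GROUP_SSH_MEMBERUID = {"testuser.discord.ca"}


@dataclass
class Entry:
    control: str                 # required | requisite | sufficient | optional
    module: str                  # basename, e.g. pam_ldap.so
    args: list = field(default_factory=list)


def parse_stack(conf_text, facility):
    """Chain of Entry objects for one facility (auth, account, ...)."""
    stack = []
    for raw in conf_text.splitlines():
        fields = raw.split()
        if not fields or raw.lstrip().startswith("#") or fields[0] != facility:
            continue
        if len(fields) >= 3:
            stack.append(Entry(fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]))
    return stack


def with_control(conf_text, facility, module, control):
    """Hypothetical helper: rewrite the control flag of one facility/module line."""
    out = []
    for raw in conf_text.splitlines():
        f = raw.split()
        if len(f) >= 3 and f[0] == facility and f[2].rsplit("/", 1)[-1] == module:
            f[1] = control
            raw = "  ".join(f)
        out.append(raw)
    return "\n".join(out)


# The one-word fix: a pam_groupdn denial in the account chain becomes fatal.
FIXED_PAM_CONF = with_control(POSTED_PAM_CONF, "account", "pam_ldap.so", "required")


def evaluate(stack, results):
    """Apply the control-flag rules to per-module results (module -> rc).

    required   : a failure is remembered, the chain keeps running
    requisite  : a failure ends the chain with that error at once
    sufficient : a success ends the chain with PAM_SUCCESS unless a required
                 module already failed; a failure is ignored
    optional   : the result only counts if it is the only module in the chain
    """
    first_failure = None
    for e in stack:
        rc = results.get(e.module, PAM_SUCCESS)   # modules not modelled succeed
        ok = rc == PAM_SUCCESS
        if e.control == "required":
            if not ok and first_failure is None:
                first_failure = rc
        elif e.control == "requisite":
            if not ok:
                return rc
        elif e.control == "sufficient":
            if ok and first_failure is None:
                return PAM_SUCCESS
        elif e.control == "optional":
            if not ok and len(stack) == 1:
                first_failure = rc
        else:
            raise ValueError(f"unknown control flag {e.control!r}")
    return first_failure or PAM_SUCCESS


def pam_ldap_group_check(user, members=GROUP_SSH_MEMBERUID):
    """Model of pam_groupdn + pam_member_attribute memberuid: the login name
    must be a value of memberUid on the group DN."""
    return PAM_SUCCESS if user in members else PAM_PERM_DENIED


def account_verdict(conf_text, user):
    """Outcome of the account chain for one user under a given pam.conf text."""
    results = {
        "pam_login_access.so": PAM_SUCCESS,       # assumption: login.access permits
        "pam_ldap.so": pam_ldap_group_check(user),
        "pam_unix.so": PAM_SUCCESS,               # assumption: nss_ldap resolves a
                                                  # valid, unexpired account
    }
    return evaluate(parse_stack(conf_text, "account"), results)


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_PAM_CONF), ("fixed", FIXED_PAM_CONF)):
        for user in ("testuser.discord.ca", "someone-else"):
            print(f"{label:6s} {user:22s} -> {account_verdict(conf, user)}")
```

Running the block prints four verdicts: under the posted stanza both users pass the account chain; under the fixed one only testuser.discord.ca does. To confirm the directory side independently of PAM, OpenLDAP's ldapcompare -x -D cn=proxyuser,dc=example,dc=com -W cn=ssh,ou=groups,dc=example,dc=com memberUid:testuser.discord.ca answers TRUE or FALSE for exactly the comparison pam_ldap makes. Two caveats: with pam_ldap "required" in the account chain, a user that has no LDAP entry at all is denied by pam_ldap too, so keep that stanza scoped to the sshd service rather than applying it system-wide; and the config= argument only chooses the file pam_ldap reads, while nss_ldap keeps reading its own nss_ldap.conf, so neither file overrides the other.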