On Thursday, 31 August 2006 08:30, wrote:
> Enrique,
>
> > I can choose the hosts a unix user have access to by adding the
> > "accessto" attribute.
> > In every client, I have the next entry on pam_ldap.conf
> >
> > pam_filter objectclass=posixAccount)(|(trustmodel=fullaccess)
> > (accessto=serverhostname).
> >
> > It works using ssh connections with password mechanism, gdm or just
> > login.
> >
> > But I've created a public key pair with ssh-keygen, and I can log in all
> > the clients ($HOME through NFS) although my user has no "accessto"
> > attribute for these hosts.
>
> Looks like pam_filter is used only for filtering user data and not
> for the account management in the pam_ldap. Can you run your ssh server
> with -ddd flags, try to log in with user that has no 'accessto' attribute
> and see what stage of PAM rejected that user.
>
> One more idea: do you use pam_nss? If yes, then pam_unix can let you
> in, because it looks up user using nsswitch. pam_nss (at least version 252)
> does not use pam_filter configuration item. Try to eliminate success=1
> from pam_unix.so string below and see if it will help.

Really, it is a libnss issue. I've not changed account pam configuration, just
changed

shadow: files ldap

to

shadow: files

on nsswitch.conf

It's reported at README.Debian on libpam-ldap.

                                                Thanks

                                                        Enrique


>
> > # /etc/pam.d/common-account - authorization settings common to all
> > services
> >
> > account [success=1 default=ignore] pam_unix.so
> > account required pam_ldap.so
> > account required pam_permit.so

-- 
Enrique de la Torre Gordaliza
Departamento de Arquitectura de Computadores y Automática
Desp. 220A, Facultad CC. Físicas, Univ. Complutense de Madrid
Tel: 91 394 4389
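The interplay the thread describes, as an added example (not code from the mailing-list post): with public-key SSH the PAM auth stack is skipped entirely, so the common-account stack quoted above is the only gate, and `shadow: files ldap` lets pam_unix find a shadow entry via NSS, succeed, and jump over pam_ldap. The directory entries, hostnames and the simplified evaluate-and-jump model are constructed assumptions, as is the assumption (implied by the fix in the thread) that pam_ldap's account check applies pam_filter.

```python
"""Simulate the thread's /etc/pam.d/common-account stack to show why
'shadow: files ldap' let key-based SSH logins bypass the accessto filter.
Added example; users, hosts and the PAM model below are constructed."""

# Constructed directory entries: the attributes the thread's pam_filter uses.
LDAP_USERS = {
    "enrique": {"objectclass": "posixAccount", "accessto": {"ws01"}},
    "carol":   {"objectclass": "posixAccount", "trustmodel": "fullaccess"},
}
LOCAL_SHADOW = {"root"}          # entries present in /etc/shadow ("files")

# /etc/pam.d/common-account from the thread, as (module, control) pairs.
COMMON_ACCOUNT = [
    ("pam_unix", {"success": 1, "default": "ignore"}),  # [success=1 default=ignore]
    ("pam_ldap", "required"),
    ("pam_permit", "required"),
]

def pam_unix_account(user, shadow_sources):
    """pam_unix succeeds when getspnam() finds an entry through nsswitch 'shadow:'."""
    if "files" in shadow_sources and user in LOCAL_SHADOW:
        return True
    return "ldap" in shadow_sources and user in LDAP_USERS

def pam_ldap_account(user, host):
    """pam_ldap evaluates (&(uid=user)(objectclass=posixAccount)
    (|(trustmodel=fullaccess)(accessto=host))), i.e. the thread's pam_filter."""
    u = LDAP_USERS.get(user)
    return bool(u) and u.get("objectclass") == "posixAccount" and (
        u.get("trustmodel") == "fullaccess" or host in u.get("accessto", ()))

def account_stack(user, host, shadow_sources):
    """Walk the stack with Linux-PAM control semantics (simplified model):
    [success=N] skips the next N modules, default=ignore contributes nothing,
    'required' records a failure but keeps evaluating."""
    results = {"pam_unix": pam_unix_account(user, shadow_sources),
               "pam_ldap": pam_ldap_account(user, host),
               "pam_permit": True}
    i, failed = 0, False
    while i < len(COMMON_ACCOUNT):
        module, control = COMMON_ACCOUNT[i]
        ok = results[module]
        if control == "required":
            failed |= not ok
            i += 1
        elif ok:
            i += 1 + control["success"]   # success=1: pam_ldap is never consulted
        else:
            i += 1                        # default=ignore: fall through to pam_ldap
    return not failed

if __name__ == "__main__":
    # Bypass with 'shadow: files ldap'; denied once ldap is removed from 'shadow:'.
    print(account_stack("enrique", "ws02", ("files", "ldap")))   # True
    print(account_stack("enrique", "ws02", ("files",)))          # False
```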
