[ldap] Re: LDAP + PAM + pam_groupdn / pam_member_attribute (revisited)

Brian A. Seklecki lavalamp at spiritual-machines.org
Thu Oct 6 15:35:07 PDT 2005


right!

...from pam_ldap(5):

PAM CONFIGURATION

        It is possible to configure some aspects of pam_ldap on a per-service
        basis, in the PAM configuration file (this is usually /etc/pam.conf;
        for PAM implementations based on Linux-PAM, per-service files in
        /etc/pam.d are also supported).

[..]


  debug:  This option is recognized by pam_ldap but is presently ignored.

~bas


On Thu, 6 Oct 2005, Jeff Saxton wrote:

> you can run pam modules in debug mode:
>
> "The last option listed in a PAM configuration line supplies any additional 
> arguments that should be passed to the module upon invocation.........
>
> <i>debug</i>
>  Enables generation of debugging information either to standard output or 
> via the syslogd daemon"
>
> Good luck
>
> Brian A. Seklecki wrote:
>> 
>> This should be so insanely easy.  I'm relatively certain this is a FreeBSD PAM-
>> specific issue.  From "LDAP system administration [electronic resource] / 
>> Gerald Carter. 1st ed.  Beijing ; Sebastopol, CA : O'Reilly, c2003."
>> 
>> ....in ldap.conf and nss_ldap.conf
>> 
>> -- 
>> 
>> # Group to enforce membership of
>> pam_groupdn cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com
>> 
>> # Group member attribute
>> pam_member_attribute memberUid
>> 
>> ---
>> 
>> ...and then in LDAP, have an object, *ANY* object will function as a 
>> "group", as long as it supports a multi-value attribute, in this case 
>> memberUid such as a posixGroup:
>> 
>> # groupName, posixGroups, priv, root, dn
>> dn: cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com
>> cn: groupName
>> objectClass: posixGroup
>> objectClass: top
>> gidNumber: 65532
>> memberUid: user1
>> memberUid: user2
>> memberUid: user3
>> memberUid: user4
>> memberUid: user5
>> memberUid: user6
>> 
>> 
>> ...this result returned by the same search I'm asking PAM to do:
>> 
>> $ ldapsearch -D "cn=bofh,dc=root,dc=com" -b dc=root,dc=com -H ldap://ldapserver -Z -W "(objectClass=posixGroup)"
>> 
>> Then adjust for PAM in SSHD:
>> 
>> 
>> # auth
>> auth            required        pam_nologin.so          no_warn
>> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
>> auth            requisite       pam_opieaccess.so       no_warn allow_local
>> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
>> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
>> auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
>> auth            required        pam_unix.so             no_warn try_first_pass
>> 
>> # account
>> #account        required        pam_krb5.so
>> account         required        pam_login_access.so
>> account         required        /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
>> account         required        pam_unix.so
>> 
>> # session
>> #session        optional        pam_ssh.so
>> session         required        pam_permit.so
>> #session        sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
>> 
>> # password
>> #password       sufficient      pam_krb5.so             no_warn try_first_pass
>> password        required        pam_unix.so             no_warn try_first_pass
>> #password       required        /usr/local/lib/pam_ldap.so no_warn try_first_pass
>> 
>> 
>> ...when I change "account ..pam_ldap.so" to sufficient, it allows users in 
>> who aren't in the required group (as it should if the check fails).  When I 
>> change it to required, it doesn't let them in, but there isn't a single 
>> useful debugging error message.
>> 
>> How could something so widely used as PAM make it into the wild without 
>> hooks for debugging?
>> 
>> ~BAS
>> 
>> On Thu, 6 Oct 2005, Brian A. Seklecki wrote:
>> 
>>> 
>>> Did anyone ever get this combination working?
>>> 
>>> Is 'pam_member_attribute' supposed to be uniqueMember or memberUid?
>>> 
>>> When you look at a posixGroup entity, the multi-value attribute is 
>>> memberUid!
>>> 
>>> Is there *any* way at all to get debugging information out of PAM libraries, 
>>> or is it just so insanely esoteric that it's not an option?
>>> 
>>> My favorite thing about PADL's documentation by far is the lack of 
>>> examples.
>>> 
>>> ~BAS >:}
>>> 
>>> 
>>> _______________________________________________
>>> freebsd-questions at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to 
>>> "freebsd-questions-unsubscribe at freebsd.org"
>>> 
>> 
>> l8*
>>     -lava
>> 
>> x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
>> 
>> ---
>> You are currently subscribed to ldap at umich.edu as: [jsaxton at addamark.com]
>> To unsubscribe send email to ldap-request at umich.edu with the word 
>> UNSUBSCRIBE as the SUBJECT of the message.
>
> -- 
> Jeff Saxton
> SenSage, Inc.
> 55 Hawthorne Street Suite 700
> San Francisco, CA 94105
> Phone:  415.808.5900
> Fax:    415.371.1385
> Direct: 415-808-5921
> Cell:   415-640-6392
> mailto:support at sensage.com
>

l8*
 	-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
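Added example, not code from this thread or from PADL's pam_ldap. It models the two things the exchange turns on. Part 1 is the membership test behind pam_groupdn / pam_member_attribute: a base-scope search on pam_groupdn with the filter (<pam_member_attribute>=<value>), run against a constructed copy of the posixGroup entry from the post, plus the ldapsearch command that reproduces the same check by hand since pam_ldap ignores its debug option. It assumes pam_ldap matches the login name when the attribute is memberUid and the user's DN otherwise (the uniqueMember case), which is the reason memberUid is the right answer for a posixGroup. Part 2 is a simplified model of PAM control flags, applied to the account stack from the post, showing why "sufficient" admits a non-member and "required" rejects one. The group entry, user DNs and the stack results are constructed samples.

```python
"""Added example (not from the thread or from PADL's pam_ldap).

Part 1: the membership test pam_ldap makes for pam_groupdn /
pam_member_attribute.  Assumption: it compares the login name when the
attribute is memberUid and the user's DN otherwise (uniqueMember).
Part 2: simplified PAM control-flag semantics, run over the 'account'
stack from the post.  All data below is constructed sample input.
"""

# Constructed copy of the posixGroup from the post (cn made to match the DN).
GROUP_LDIF = """\
dn: cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com
cn: groupName
objectClass: posixGroup
objectClass: top
gidNumber: 65532
memberUid: user1
memberUid: user2
memberUid: user3
"""

# The two ldap.conf settings from the post.
CONF = {
    "pam_groupdn": "cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com",
    "pam_member_attribute": "memberUid",
}


def parse_ldif_entry(text):
    """Minimal LDIF parser for one entry: attribute (lowercased) -> values."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


GROUP = parse_ldif_entry(GROUP_LDIF)


def member_value(conf, user, user_dn):
    """Value assumed to be matched: uid for memberUid, user DN otherwise."""
    return user if conf["pam_member_attribute"].lower() == "memberuid" else user_dn


def member_filter(conf, user, user_dn):
    """LDAP filter pam_ldap's group check amounts to."""
    return "(%s=%s)" % (conf["pam_member_attribute"], member_value(conf, user, user_dn))


def is_member(entry, conf, user, user_dn):
    """Emulate the base search: the entry must be pam_groupdn itself and
    carry the member value under pam_member_attribute."""
    if entry["dn"][0].lower() != conf["pam_groupdn"].lower():
        return False
    attr = conf["pam_member_attribute"].lower()
    return member_value(conf, user, user_dn) in entry.get(attr, [])


def ldapsearch_cmd(conf, user, user_dn, uri="ldap://ldapserver"):
    """Reproduce the check by hand.  '1.1' requests no attributes, so a hit
    prints only the DN; add -D/-W as in the post for an authenticated bind."""
    return 'ldapsearch -H %s -Z -b "%s" -s base "%s" 1.1' % (
        uri, conf["pam_groupdn"], member_filter(conf, user, user_dn))


# ---- Part 2: PAM control flags (simplified Linux-PAM / OpenPAM semantics) ----
def pam_stack(stack, results):
    """stack: [(control, module)]; results: module -> bool.  Returns the
    overall verdict of the stack."""
    failed = False
    for control, module in stack:
        ok = results[module]
        if control == "required":
            failed = failed or not ok           # remember failure, keep going
        elif control == "requisite":
            if not ok:
                return False                    # stop immediately
        elif control == "sufficient":
            if ok and not failed:
                return True                     # short-circuit success
        elif control != "optional":
            raise ValueError("unknown control flag: " + control)
    return not failed


ACCOUNT_STACK = [
    ("required", "pam_login_access.so"),
    ("required", "pam_ldap.so"),       # control flag is swapped below
    ("required", "pam_unix.so"),
]


def account_decision(ldap_control, user_in_group):
    """Run the post's account stack with pam_ldap under the given flag.
    pam_ldap succeeds only for a group member; the other modules succeed."""
    stack = [(ldap_control if m == "pam_ldap.so" else c, m) for c, m in ACCOUNT_STACK]
    results = {"pam_login_access.so": True,
               "pam_ldap.so": user_in_group,
               "pam_unix.so": True}
    return pam_stack(stack, results)
```

With these settings is_member(GROUP, CONF, "user9", "uid=user9,ou=People,dc=root,dc=com") is False and account_decision("required", False) is False, which is the rejection described in the post; with "sufficient" the same non-member is admitted because a failing sufficient module is simply skipped and pam_unix then succeeds. Note the other side of "sufficient" too: a member short-circuits the stack and pam_unix's account check never runs. Because pam_ldap discards its debug option, the practical trace is on the server side (slapd's loglevel) or the ldapsearch_cmd output: if the base search on pam_groupdn returns nothing for (memberUid=<login>), the stack will reject that user under "required".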

