pam_ldap authentication based on pam_groupdn

Jason Lixfeld jason+lists.freebsd at lixfeld.ca
Tue Oct 19 05:26:06 PDT 2004


Hi.

	Anyone have any insight on this?

On 18-Oct-04, at 1:07 AM, Jason Lixfeld wrote:

> I'm wondering if someone can point out my error here.  I've got PAM 
> authenticating ssh users like so:
>
> auth            required        pam_nologin.so                  no_warn
> auth            sufficient      pam_opie.so                     no_warn no_fake_prompts
> auth            requisite       pam_opieaccess.so               no_warn allow_local
> auth            sufficient      /usr/local/lib/pam_ldap.so      config=/usr/local/etc/openldap/ldap-ssh.conf debug      try_first_pass
> auth            required        pam_unix.so                     no_warn try_first_pass
> account         required        pam_login_access.so
> account         sufficient      /usr/local/lib/pam_ldap.so      debug
> account         required        pam_unix.so
> session         required        pam_permit.so
> password        sufficient      /usr/local/lib/pam_ldap.so      debug
> password        required        pam_unix.so                     no_warn try_first_pass
>
> bash-2.05b# cat /usr/local/etc/openldap/ldap-ssh.conf
> host 127.0.0.1
> base dc=example,dc=com
> rootbinddn cn=proxyuser,dc=example,dc=com
> scope one
> #pam_filter objectclass=posixaccount
> #pam_login_attribute uid
> pam_groupdn cn=ssh,ou=groups,dc=example,dc=com
> pam_member_attribute memberuid
> pam_password SSHA
> nss_base_passwd         ou=users,dc=example,dc=com?one
> nss_base_shadow         ou=users,dc=example,dc=com?one
> nss_base_group          ou=groups,dc=example,dc=com?one
>
> So I'm trying to permit users who are only members of the group "ssh". 
> As per this ldap entry below, this user should be the only one 
> permitted to ssh in:
>
> dn: cn=ssh,ou=groups,dc=example,dc=com
> objectClass: posixGroup
> objectClass: top
> cn: ssh
> gidNumber: 10009
> memberUid: testuser.discord.ca
>
> This isn't working.  This user, and any other user can ssh in, even 
> without being a member of the ssh group.  The check doesn't seem to be 
> working and I'm not sure what I'm doing wrong.
>
> I have an nss_ldap.conf which pam queries also, but will a config 
> explicitly configured as I have done above override the 
> nss_ldap.conf?
>
> Any ideas?
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe at freebsd.org"
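The behaviour of the posted `account` stack can be reasoned about without a directory server. pam_ldap performs its `pam_groupdn`/`pam_member_attribute` test in the account phase, and a module listed as `sufficient` that fails is simply skipped, so the decision then falls to the `required pam_unix.so` line that follows it. The script below is an added example, not code from the original post or from pam_ldap: it models PAM control-flag semantics (as implemented by OpenPAM and Linux-PAM) and a stand-in pam_ldap account check against the `cn=ssh` group entry from the post, then evaluates both the posted stack and a variant where pam_ldap is `required`. The in-memory directory, the module function names and the `PAM_*` result strings are constructed for the example.

```python
"""Model how a PAM account stack decides, using the stack from the post.

Only the control-flag logic and the group-membership test are modelled;
the constructed "directory" holds just the group entry quoted in the post.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# Constructed stand-in for the LDAP directory: the group entry from the post.
GROUP_DN = "cn=ssh,ou=groups,dc=example,dc=com"
DIRECTORY = {
    GROUP_DN: {"objectClass": ["posixGroup", "top"],
               "cn": ["ssh"],
               "gidNumber": ["10009"],
               "memberUid": ["testuser.discord.ca"]},
}


def ldap_account(user, group_dn=GROUP_DN, member_attr="memberUid"):
    """Stand-in for pam_ldap's account check with pam_groupdn set: the login
    name must appear, as an exact string, among the group's member values."""
    entry = DIRECTORY.get(group_dn)
    if entry is None:
        return PAM_PERM_DENIED
    return PAM_SUCCESS if user in entry.get(member_attr, []) else PAM_PERM_DENIED


def unix_account(user):
    """Stand-in for pam_unix account management: any resolvable, unexpired
    account passes, which includes LDAP users resolved through nss_ldap."""
    return PAM_SUCCESS


def login_access(user):
    """Stand-in for pam_login_access with a permissive /etc/login.access."""
    return PAM_SUCCESS


MODULES = {
    "pam_login_access.so": login_access,
    "/usr/local/lib/pam_ldap.so": ldap_account,
    "pam_unix.so": unix_account,
}


def run_stack(stack, user):
    """Evaluate (control, module) pairs with standard PAM control-flag rules:
    required   - failure is remembered but later modules still run;
    requisite  - failure ends the stack immediately;
    sufficient - success ends the stack (unless a required module already
                 failed); failure is ignored and the stack continues;
    optional   - result only counts if no other module produced one."""
    failure = None
    optional_result = None
    for control, module in stack:
        result = MODULES[module](user)
        if control == "required":
            if result != PAM_SUCCESS and failure is None:
                failure = result
        elif control == "requisite":
            if result != PAM_SUCCESS:
                return failure or result
        elif control == "sufficient":
            if result == PAM_SUCCESS and failure is None:
                return PAM_SUCCESS
        elif control == "optional":
            optional_result = result
        else:
            raise ValueError("unknown control flag: %s" % control)
    if failure is not None:
        return failure
    return optional_result if len(stack) == 1 and optional_result else PAM_SUCCESS


# The account lines exactly as posted.
POSTED_ACCOUNT_STACK = [
    ("required", "pam_login_access.so"),
    ("sufficient", "/usr/local/lib/pam_ldap.so"),
    ("required", "pam_unix.so"),
]

# Same stack with pam_ldap marked required, so its group verdict is binding.
STRICT_ACCOUNT_STACK = [
    ("required", "pam_login_access.so"),
    ("required", "/usr/local/lib/pam_ldap.so"),
    ("required", "pam_unix.so"),
]


if __name__ == "__main__":
    for name, stack in (("posted", POSTED_ACCOUNT_STACK),
                        ("strict", STRICT_ACCOUNT_STACK)):
        for user in ("testuser.discord.ca", "notamember"):
            print("%-6s %-20s -> %s" % (name, user, run_stack(stack, user)))
```

Running it shows the non-member passing the posted stack (pam_ldap's denial is discarded because the line is `sufficient`, and `pam_unix.so` then succeeds) and being denied by the strict variant. It also makes the exact-match nature of the `memberUid` comparison visible: the login name presented to sshd has to equal the stored value character for character.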
