pam_ldap authentication based on pam_groupdn
Jason Lixfeld
jason+lists.freebsd at lixfeld.ca
Tue Oct 19 05:26:06 PDT 2004
Hi.
Anyone have any insight on this?
On 18-Oct-04, at 1:07 AM, Jason Lixfeld wrote:
> I'm wondering if someone can point out my error here. I've got PAM
> authenticating ssh users like so:
>
> auth required pam_nologin.so no_warn
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> auth sufficient /usr/local/lib/pam_ldap.so config=/usr/local/etc/openldap/ldap-ssh.conf debug try_first_pass
> auth required pam_unix.so no_warn try_first_pass
> account required pam_login_access.so
> account sufficient /usr/local/lib/pam_ldap.so debug
> account required pam_unix.so
> session required pam_permit.so
> password sufficient /usr/local/lib/pam_ldap.so debug
> password required pam_unix.so no_warn try_first_pass
>
> bash-2.05b# cat /usr/local/etc/openldap/ldap-ssh.conf
> host 127.0.0.1
> base dc=example,dc=com
> rootbinddn cn=proxyuser,dc=example,dc=com
> scope one
> #pam_filter objectclass=posixaccount
> #pam_login_attribute uid
> pam_groupdn cn=ssh,ou=groups,dc=example,dc=com
> pam_member_attribute memberuid
> pam_password SSHA
> nss_base_passwd ou=users,dc=example,dc=com?one
> nss_base_shadow ou=users,dc=example,dc=com?one
> nss_base_group ou=groups,dc=example,dc=com?one
>
> So I'm trying to permit users who are only members of the group "ssh".
> As per this ldap entry below, this user should be the only one
> permitted to ssh in:
>
> dn: cn=ssh,ou=groups,dc=example,dc=com
> objectClass: posixGroup
> objectClass: top
> cn: ssh
> gidNumber: 10009
> memberUid: testuser.discord.ca
>
> This isn't working. This user, and any other user can ssh in, even
> without being a member of the ssh group. The check doesn't seem to be
> working and I'm not sure what I'm doing wrong.
>
> I have an nss_ldap.conf which pam queries also, but will a config
> explicitly configured as I have done above override the
> nss_ldap.conf?
>
> Any ideas?
>
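Added example, not part of the original message or of pam_ldap itself: a small model of PAM control-flag semantics (required, requisite, sufficient, optional, as in Linux-PAM and OpenPAM) run over the account stack posted above. The directory contents (users "testuser.discord.ca", "bob", and an unknown "mallory") are constructed here, and the pam_groupdn check is modelled simply as pam_ldap returning failure for a user who is not a memberUid of the group; which management group pam_ldap performs that check in is not modelled. The point it shows is independent of that: a module listed as `sufficient` that fails is simply skipped, the stack falls through to `required pam_unix.so`, and because nss_ldap serves the same users to pam_unix, pam_unix succeeds and the login is allowed. The same sufficient/required pattern appears in the posted auth stack. Making pam_ldap `required` (or `requisite`) in the same phase makes its denial stick.

```python
# Added example (not from the original post): model of PAM control-flag
# semantics, applied to the posted account stack and a hardened variant.
# Directory data below is constructed for the example. The pam_groupdn test
# is modelled as pam_ldap failing for a non-member; the phase in which the
# real pam_ldap enforces it is not modelled (assumption).
from typing import Callable, List, Tuple

# --- constructed directory contents (assumption, for illustration) ----------
DIRECTORY_USERS = {"testuser.discord.ca", "bob"}   # entries under ou=users
SSH_GROUP_MEMBERS = {"testuser.discord.ca"}        # memberUid of cn=ssh

Module = Callable[[str], bool]                     # True == PAM_SUCCESS
Stack = List[Tuple[str, Module]]                   # (control flag, module)


def pam_login_access(user: str) -> bool:
    # A default login.access permits everyone.
    return True


def pam_ldap(user: str) -> bool:
    # pam_groupdn + pam_member_attribute memberuid: only group members pass.
    return user in DIRECTORY_USERS and user in SSH_GROUP_MEMBERS


def pam_unix(user: str) -> bool:
    # nss_ldap resolves the same accounts via nss_base_passwd/shadow, so
    # pam_unix succeeds for every directory user regardless of group.
    return user in DIRECTORY_USERS


def run_stack(stack: Stack, user: str) -> bool:
    """Evaluate a PAM stack top to bottom with the classic control flags.

    required   - failure is recorded, but the remaining modules still run
    requisite  - failure ends the stack immediately with a denial
    sufficient - success ends the stack with success (unless a required
                 module already failed); failure is ignored
    optional   - counts only if no other module produced a result
    The stack denies if nothing succeeded ("deny by default").
    """
    required_failed = False
    success_seen = False
    optional_result = None
    for control, module in stack:
        ok = module(user)
        if control == "required":
            if ok:
                success_seen = True
            else:
                required_failed = True
        elif control == "requisite":
            if not ok:
                return False
            success_seen = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True
            # a failing sufficient module is skipped, not fatal
        elif control == "optional":
            optional_result = ok
        else:
            raise ValueError(f"unknown control flag {control!r}")
    if required_failed:
        return False
    return success_seen or optional_result is True


# Account stack exactly as posted: pam_ldap is only "sufficient".
POSTED_ACCOUNT_STACK: Stack = [
    ("required", pam_login_access),
    ("sufficient", pam_ldap),
    ("required", pam_unix),
]

# Same modules, pam_ldap made mandatory so its denial cannot be bypassed
# ("requisite" would also work and stop the stack at that point).
HARDENED_ACCOUNT_STACK: Stack = [
    ("required", pam_login_access),
    ("required", pam_ldap),
    ("required", pam_unix),
]


def access_matrix(stack: Stack) -> dict:
    """Who gets through a given stack: group member, non-member, unknown."""
    return {u: run_stack(stack, u) for u in ("testuser.discord.ca", "bob", "mallory")}


if __name__ == "__main__":
    for name, stack in (("posted", POSTED_ACCOUNT_STACK),
                        ("hardened", HARDENED_ACCOUNT_STACK)):
        print(name, access_matrix(stack))
```

With the posted ordering "bob" (in the directory, not in cn=ssh) is allowed in because pam_unix backstops pam_ldap; with pam_ldap as `required` only the group member passes, and an unknown user is denied either way.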