Date:      Mon, 27 Apr 2009 07:48:07 +0000
From:      "O. Hartmann" <ohartman@zedat.fu-berlin.de>
To:        freebsd-questions@freebsd.org, freebsd-current@FreeBSD.org
Subject:   PAM/ldap_pam/NFSv4: How to let users of a specific group log into a specific box?
Message-ID:  <49F56337.8040900@zedat.fu-berlin.de>

Hello.
I ran into a specific problem and after several months of experiments I 
haven't found a solution yet.

This is what I wish to get and need:

A simple capability to select users into a specific group. Members of 
such a group should then be able to log into a set of specific hosts.
Infrastructure is FreeBSD 8.0-CURRENT/amd64 and some 7.2-STABLE boxes 
(acting as server) as well as OpenLDAP backend.

Authentication on the boxes is done via PAM/ldap_pam. But on FreeBSD's 
side it is a vanilla configuration, not very sophisticated. Users authenticate 
and authorize against an OpenLDAP server residing on another box.

pam_ldap in its most recent ports-version offers, as the manpage claims, 
a facility enabling group logins (resides in /usr/local/etc/ldap.conf):

# Group to enforce membership of
pam_groupdn cn=mygroup,ou=groups,dc=foo,dc=org?sub

# Group member attribute
#pam_member_attribute uniqueMember
pam_member_attribute memberUid


Within the DIT of the OpenLDAP server ou=groups exists and also contains 
a group called 'mygroup' with a multi-value attribute (as required), in 
this case memberUid.

Using pam_ldap.so as a 'required' module is not appreciated, so there 
seems to me to be a problem with the stack order - that is to say: I need an LDAP 
solution. pam_group doesn't work for me:


auth	required/requisite	pam_group.so	no_warn group=mygroup


Can anybody help or do have hints?

Please remember I do not belong to the 'questions' list, so please put 
me on CC.

Regards,
Oliver



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?49F56337.8040900>