Date: Thu, 6 Oct 2005 18:35:06 -0400 (EDT)
From: "Brian A. Seklecki" <lavalamp@spiritual-machines.org>
To: Jeff Saxton <jeff.saxton@sensage.com>
Cc: ldap@listserver.gpcc.itd.umich.edu, freebsd-questions@freebsd.org
Subject: Re: [ldap] Re: LDAP + PAM + pam_groupdn / pam_member_attribute (revisited)
Message-ID: <20051006180747.M95280@arbitor.digitalfreaks.org>
In-Reply-To: <434597FA.7030009@sensage.com>
References: <20051006164231.R95280@arbitor.digitalfreaks.org> <20051006171215.S95280@arbitor.digitalfreaks.org> <434597FA.7030009@sensage.com>
right! ...from pam_ldap(5):

   PAM CONFIGURATION
     It is possible to configure some aspects of pam_ldap on a per-service
     basis, in the PAM configuration file (this is usually /etc/pam.conf;
     for PAM implementations based on Linux-PAM, per-service files in
     /etc/pam.d are also supported).

     [..]

     debug:   This option is recognized by pam_ldap but is presently
              ignored.

~bas

On Thu, 6 Oct 2005, Jeff Saxton wrote:

> you can run pam modules in debug mode:
>
> "The last option listed in a PAM configuration line supplies any additional
> arguments that should be passed to the module upon invocation.........
>
> debug
> Enables generation of debugging information either to standard output or
> via the syslogd daemon"
>
> Good luck
>
> Brian A. Seklecki wrote:
>>
>> This should be so insanely easy. I'm relatively certain this is a FreeBSD
>> PAM-specific issue. From "LDAP system administration [electronic resource] /
>> Gerald Carter. 1st ed. Beijing ; Sebastopol, CA : O'Reilly, c2003."
>>
>> ....in ldap.conf and nss_ldap.conf
>>
>> --
>>
>> # Group to enforce membership of
>> pam_groupdn cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com
>>
>> # Group member attribute
>> pam_member_attribute memberUid
>>
>> ---
>>
>> ...and then in LDAP, have an object, *ANY* object will function as a
>> "group", as long as it supports a multi-value attribute, in this case
>> memberUid such as a posixGroup:
>>
>> # groupName, posixGroups, priv, root, dn
>> dn: cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com
>> cn: cfdev
>> objectClass: posixGroup
>> objectClass: top
>> gidNumber: 65532
>> memberUid: user1
>> memberUid: user2
>> memberUid: user3
>> memberUid: user4
>> memberUid: user5
>> memberUid: user6
>>
>>
>> ...this result returned by the same search I'm asking PAM to do:
>>
>> $ ldapsearch -D "cn=bofh,dc=root,dc=com" -b dc=root,dc=com -H
>> ldap://ldapserver -Z -W "(objectClass=posixGroup)"
>>
>> Then adjust for PAM in SSHD:
>>
>>
>> # auth
>> auth      required    pam_nologin.so              no_warn
>> auth      sufficient  pam_opie.so                 no_warn no_fake_prompts
>> auth      requisite   pam_opieaccess.so           no_warn allow_local
>> #auth     sufficient  pam_krb5.so                 no_warn try_first_pass
>> #auth     sufficient  pam_ssh.so                  no_warn try_first_pass
>> auth      sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>> auth      required    pam_unix.so                 no_warn try_first_pass
>>
>> # account
>> #account  required    pam_krb5.so
>> account   required    pam_login_access.so
>> account   required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
>> account   required    pam_unix.so
>>
>> # session
>> #session  optional    pam_ssh.so
>> session   required    pam_permit.so
>> #session  sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>>
>> # password
>> #password sufficient  pam_krb5.so                 no_warn try_first_pass
>> password  required    pam_unix.so                 no_warn try_first_pass
>> #password required    /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>>
>>
>> ...when I change "account ..pam_ldap.so" to sufficient, it allows users in
>> who aren't in the required group (as it should if the check fails). When I
>> change it to required, it doesn't let them in, but there isn't a single
>> useful debugging error message.
>>
>> How could something so widely used as PAM make it into the wild without
>> hooks for debugging?
>>
>> ~BAS
>>
>> On Thu, 6 Oct 2005, Brian A. Seklecki wrote:
>>
>>>
>>> Did anyone ever get this combination working?
>>>
>>> Is 'pam_member_attribute' supposed to be uniqueMember or memberUid?
>>>
>>> When you look at a posixGroup entity, the multi-value attribute is
>>> memberUid!
>>>
>>> Is there *any* way at all to get debugging information out of PAM
>>> libraries, or is it just so insanely esoteric that it's not an option?
>>>
>>> My favorite thing about PADL's documentation by far is the lack of
>>> examples.
>>>
>>> ~BAS >:}
>>>
>>
>> l8*
>> -lava
>>
>> x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
>
> --
> Jeff Saxton
> SenSage, Inc.
> 55 Hawthorne Street Suite 700
> San Francisco, CA 94105
> Phone: 415.808.5900
> Fax: 415.371.1385
> Direct: 415-808-5921
> Cell: 415-640-6392
> mailto:support@sensage.com
>
> Enterprise Security Analytics

l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
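The behaviour Brian reports (an "account sufficient pam_ldap.so" line lets non-members in, "account required" keeps them out) is a consequence of how PAM combines control flags, and a small model makes it visible without a live LDAP server. The following is an added example and not code from the thread, from pam_ldap or from FreeBSD. The control-flag rules follow the standard PAM semantics (required / requisite / sufficient / optional); the group test is a simplified stand-in for pam_ldap's pam_groupdn / pam_member_attribute check and is an assumption about pam_ldap, not its code; the LDIF entry, the set of LDAP accounts and the always-passing pam_login_access / pam_unix stubs are constructed.

```python
"""Model of how a PAM account stack combines module results.

Added example; not code from the thread, pam_ldap or FreeBSD.  The
control-flag rules follow standard PAM semantics.  The group test is a
simplified stand-in for pam_ldap's pam_groupdn / pam_member_attribute
check (an assumption, not pam_ldap's code).  LDIF and user set are
constructed."""
from typing import Callable, Dict, List, Optional, Tuple

PAM_SUCCESS, PAM_FAIL, PAM_IGNORE = "success", "fail", "ignore"

# Constructed LDIF, modelled on the posixGroup entry quoted in the thread.
GROUP_LDIF = """\
dn: cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com
cn: groupName
objectClass: posixGroup
objectClass: top
gidNumber: 65532
memberUid: user1
memberUid: user2
memberUid: user3
"""

# Constructed: accounts that exist in LDAP at all.  user7 exists in LDAP
# but is not a member of the group; root is a local-only account.
LDAP_USERS = {"user1", "user2", "user3", "user7"}


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> list of values (multi-valued)."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def group_member_check(entry: Dict[str, List[str]], member_attribute: str, user: str) -> bool:
    """Simplified pam_groupdn test (assumption): the login name must be one
    of the values of the configured member attribute, here memberUid."""
    return user in entry.get(member_attribute, [])


def pam_ldap_account(entry: Dict[str, List[str]], member_attribute: str) -> Callable[[str], str]:
    """pam_ldap 'account' stand-in with ignore_unknown_user behaviour:
    users absent from LDAP yield PAM_IGNORE, members pass, non-members fail."""
    def check(user: str) -> str:
        if user not in LDAP_USERS:
            return PAM_IGNORE
        return PAM_SUCCESS if group_member_check(entry, member_attribute, user) else PAM_FAIL
    return check


Module = Tuple[str, str, Callable[[str], str]]  # (control flag, module name, module)


def run_stack(stack: List[Module], user: str) -> Tuple[str, List[str]]:
    """Evaluate a PAM stack; return (final result, trace of per-module results).

    required:   failure makes the final result fail; later modules still run
    requisite:  failure returns fail immediately
    sufficient: success returns success immediately unless a required module
                already failed; failure is ignored
    optional:   counts only if no required/requisite module produced a result
    PAM_IGNORE never affects the outcome.
    """
    trace: List[str] = []
    required_failed = False
    decided = False
    optional_result: Optional[str] = None
    for control, name, fn in stack:
        result = fn(user)
        trace.append(f"{name}={result}")
        if result == PAM_IGNORE:
            continue
        if control in ("required", "requisite"):
            decided = True
            if result == PAM_FAIL:
                if control == "requisite":
                    return PAM_FAIL, trace
                required_failed = True
        elif control == "sufficient":
            if result == PAM_SUCCESS and not required_failed:
                return PAM_SUCCESS, trace
        elif control == "optional":
            optional_result = result
    if required_failed:
        return PAM_FAIL, trace
    if decided:
        return PAM_SUCCESS, trace
    return optional_result or PAM_FAIL, trace


def account_result(ldap_control: str, user: str) -> Tuple[str, List[str]]:
    """The thread's sshd 'account' stack with pam_ldap under the given flag.
    pam_login_access and pam_unix are modelled as always passing (constructed)."""
    entry = parse_ldif_entry(GROUP_LDIF)
    stack: List[Module] = [
        ("required", "pam_login_access.so", lambda u: PAM_SUCCESS),
        (ldap_control, "pam_ldap.so", pam_ldap_account(entry, "memberUid")),
        ("required", "pam_unix.so", lambda u: PAM_SUCCESS),
    ]
    return run_stack(stack, user)


if __name__ == "__main__":
    for control in ("sufficient", "required"):
        for user in ("user1", "user7", "root"):
            result, trace = account_result(control, user)
            print(f"account {control:10} pam_ldap.so user={user:5} -> {result:7} ({', '.join(trace)})")
```

Two things the trace shows that the thread only describes: with "sufficient", a non-member's pam_ldap failure is silently ignored and pam_unix lets the user through (the stack fails open), while a member's pam_ldap success returns immediately and pam_unix is never consulted; with "required", a non-member is denied even though every later module passes, which is the only flag that actually enforces the group. The ignore_unknown_user path (root, not in LDAP) produces PAM_IGNORE and leaves the decision to pam_unix under either flag.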