Date:      Tue, 19 Oct 2004 08:26:01 -0400
From:      Jason Lixfeld <jason+lists.freebsd@lixfeld.ca>
To:        freebsd-questions@freebsd.org
Subject:   Re: pam_ldap authentication based on pam_groupdn
Message-ID:  <09FBA43F-21CA-11D9-A2AF-000A95D6AB8E@lixfeld.ca>
In-Reply-To: <9D1F1D64-20C3-11D9-8384-000A95D6AB8E@lixfeld.ca>
References:  <9D1F1D64-20C3-11D9-8384-000A95D6AB8E@lixfeld.ca>

Hi.

	Anyone have any insight on this?

On 18-Oct-04, at 1:07 AM, Jason Lixfeld wrote:

> I'm wondering if someone can point out my error here.  I've got PAM 
> authenticating ssh users like so:
>
> auth            required        pam_nologin.so                  no_warn
> auth            sufficient      pam_opie.so                     no_warn no_fake_prompts
> auth            requisite       pam_opieaccess.so               no_warn allow_local
> auth            sufficient      /usr/local/lib/pam_ldap.so      config=/usr/local/etc/openldap/ldap-ssh.conf debug try_first_pass
> auth            required        pam_unix.so                     no_warn try_first_pass
> account         required        pam_login_access.so
> account         sufficient      /usr/local/lib/pam_ldap.so      debug
> account         required        pam_unix.so
> session         required        pam_permit.so
> password        sufficient      /usr/local/lib/pam_ldap.so      debug
> password        required        pam_unix.so                     no_warn try_first_pass
>
> bash-2.05b# cat /usr/local/etc/openldap/ldap-ssh.conf
> host 127.0.0.1
> base dc=example,dc=com
> rootbinddn cn=proxyuser,dc=example,dc=com
> scope one
> #pam_filter objectclass=posixaccount
> #pam_login_attribute uid
> pam_groupdn cn=ssh,ou=groups,dc=example,dc=com
> pam_member_attribute memberuid
> pam_password SSHA
> nss_base_passwd         ou=users,dc=example,dc=com?one
> nss_base_shadow         ou=users,dc=example,dc=com?one
> nss_base_group          ou=groups,dc=example,dc=com?one
>
> So I'm trying to permit users who are only members of the group "ssh". 
>  As per this ldap entry below, this user should be the only one 
> permitted to ssh in:
>
> dn: cn=ssh,ou=groups,dc=example,dc=com
> objectClass: posixGroup
> objectClass: top
> cn: ssh
> gidNumber: 10009
> memberUid: testuser.discord.ca
>
> This isn't working.  This user, and any other user can ssh in, even 
> without being a member of the ssh group.  The check doesn't seem to be 
> working and I'm not sure what I'm doing wrong.
>
> I have an nss_ldap.conf which pam queries also, but will a config 
> explicitly configured as I have done above override the 
> nss_ldap.conf?
>
> Any ideas?
>



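As an added illustration for readers of this thread (not part of the original message), the following Python models how OpenPAM evaluates the control flags in the quoted auth stack and how the pam_groupdn / pam_member_attribute check reduces to a memberUid lookup against the quoted group entry. The module outcomes are constructed assumptions: pam_nologin passes, pam_opie fails because the user has no OPIE key, pam_opieaccess passes under allow_local, and pam_unix can verify the same password through nss_ldap. What it shows is that a failing "sufficient" module is ignored rather than treated as a denial, so with pam_ldap marked sufficient a user outside the ssh group is still accepted by the following required pam_unix; STRICT_STACK is a hypothetical variant with pam_ldap marked required, included only for comparison.

```python
"""Model of OpenPAM control-flag evaluation for the quoted 'auth' stack,
plus the memberUid lookup that pam_groupdn/pam_member_attribute perform.
Added example: module outcomes below are constructed, not observed."""

# The quoted auth stack, with the mail-wrapped argument lines re-joined.
AUTH_STACK = """
auth required   pam_nologin.so    no_warn
auth sufficient pam_opie.so       no_warn no_fake_prompts
auth requisite  pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so config=/usr/local/etc/openldap/ldap-ssh.conf debug try_first_pass
auth required   pam_unix.so       no_warn try_first_pass
"""

# Hypothetical variant (assumption, not from the thread): pam_ldap made
# 'required', so a failed group check is remembered as a denial.
STRICT_STACK = AUTH_STACK.replace(
    "auth sufficient /usr/local/lib/pam_ldap.so",
    "auth required   /usr/local/lib/pam_ldap.so",
)

# The group entry quoted in the message.
GROUP_LDIF = """
dn: cn=ssh,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ssh
gidNumber: 10009
memberUid: testuser.discord.ca
"""


def parse_stack(text):
    """Return (control, module basename) pairs for the 'auth' facility."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "auth":
            entries.append((parts[1], parts[2].rsplit("/", 1)[-1]))
    return entries


def member_uids(ldif, attr="memberuid"):
    """Collect values of the member attribute; LDAP attribute names are
    case-insensitive, so compare lower-cased (pam_member_attribute memberuid)."""
    values = set()
    for line in ldif.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            if key.strip().lower() == attr:
                values.add(value.strip())
    return values


def evaluate_auth(stack, outcomes):
    """OpenPAM semantics for the four classic control flags:
    required  - failure is remembered, evaluation continues
    requisite - failure ends the chain immediately with denial
    sufficient- success ends the chain with success unless an earlier
                required module failed; failure is simply ignored
    optional  - result never affects the outcome (unused here)."""
    required_failed = False
    for control, module in stack:
        ok = outcomes[module]
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return False
        elif control == "sufficient":
            if ok and not required_failed:
                return True
    return not required_failed


def login_allowed(stack_text, uid, password_ok):
    """Simulate one ssh login attempt for `uid` against a stack."""
    in_group = uid in member_uids(GROUP_LDIF)
    outcomes = {
        "pam_nologin.so": True,       # constructed: /var/run/nologin absent
        "pam_opie.so": False,         # constructed: no OPIE key for this user
        "pam_opieaccess.so": True,    # constructed: allow_local lets it pass
        "pam_ldap.so": in_group and password_ok,  # pam_groupdn check + bind
        "pam_unix.so": password_ok,   # constructed: same password via nss_ldap
    }
    return evaluate_auth(parse_stack(stack_text), outcomes)


if __name__ == "__main__":
    for label, stack in (("posted", AUTH_STACK), ("strict", STRICT_STACK)):
        for uid in ("testuser.discord.ca", "bob"):
            print(f"{label:6} {uid:22} correct password -> "
                  f"{'allowed' if login_allowed(stack, uid, True) else 'denied'}")
```

With the posted stack, "bob" (not in memberUid) is still allowed once pam_unix accepts the password, because a sufficient module's failure never counts against the login; only a failed required or requisite module denies it. The strict variant denies "bob" but also requires every ssh user, local accounts included, to be in the LDAP group, which is the trade-off to weigh before changing the control flag.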