Date: Thu, 06 Sep 2007 15:58:12 +0200
From: Daniel Bond <db@danielbond.org>
To: freebsd-security@freebsd.org
Subject: [Resolved] Found a way of allowing pam_ldap users (with pam_groupdn or pam_check_host_attr restrictions), AND allowing local root authentication, without pam_unix.so taking precedence due to getpwent() returning ldap-users
Message-ID: <46E00774.3060704@danielbond.org>
Hi,

I've been trying to get LDAP ssh authentication to work for a while, and I found a bug (http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/116150) in pam_unix.so that breaks support for ldap-group/host-restrictions the ldap-way. I saw numerous emails about pam_groupdn-ldap-restrictions on the mailing lists dating back to 2001, but no resolution for how to get it playing, so this is a working fix, until pam_unix.so and pam_ldap.so play well together:

The recommended setup: UNIX and LDAP logins work, but groupdn/check_host_attr restrictions don't:

    account sufficient /usr/local/lib/pam_ldap.so
    account required pam_login_access.so
    account required pam_unix.so local_pass

You want only LDAP users, and no local root-account; this works:

    account sufficient /usr/local/lib/pam_ldap.so
    account required pam_login_access.so
    account required pam_deny.so

This is what I ended up with as a quick fix, until pam_unix.so is playing right again:

    # account
    account sufficient /usr/local/lib/pam_ldap.so
    account required pam_login_access.so
    account required /usr/local/lib/pam_require.so root
    account required pam_unix.so local_pass

This basically restricts local accounts to the root-account, and honours the ldap-pam-restrictions that a user should explicitly have access to the machine. So one can still log in with the root-account if the ldap-server(s) for some reason aren't authenticating properly.

Hope this can be helpful to other users struggling with ldap-group/host restrictions, so they don't have to spend as much time as I did debugging it.

Regards,

Daniel Bond, NSN ASA.
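As an added illustration (not part of Daniel's mail or of any PAM implementation), the following Python script models how an account chain is walked under the required/requisite/sufficient/optional control flags, and runs the three stacks above against constructed module outcomes: an LDAP user the groupdn rule rejects (pam_unix.so still succeeds because getpwent() returns the LDAP user, the bug the mail describes), an allowed LDAP user, and the local root account. The outcome tables and the simulator are assumptions of this example, not libpam.

```python
# Simulator of PAM chain control flags (OpenPAM/Linux-PAM semantics).
# Model only: module results come from a constructed dict, no libpam calls.
SUCCESS, FAIL = "success", "fail"

RECOMMENDED = """account sufficient /usr/local/lib/pam_ldap.so
account required pam_login_access.so
account required pam_unix.so local_pass"""
LDAP_ONLY = RECOMMENDED.replace("pam_unix.so local_pass", "pam_deny.so")
QUICKFIX = RECOMMENDED.replace(
    "account required pam_unix.so",
    "account required /usr/local/lib/pam_require.so root\naccount required pam_unix.so")

def parse_stack(text):
    """pam.conf-style lines -> list of (control, module basename, args)."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        facility, control, module, *args = line.split()
        stack.append((control, module.rsplit("/", 1)[-1], args))
    return stack

def run_stack(stack, outcomes):
    """Walk the chain; a module absent from `outcomes` is treated as failing."""
    failed = False
    for control, module, _args in stack:
        result = outcomes.get(module, FAIL)
        if control == "required" and result == FAIL:
            failed = True            # remembered, but the chain keeps going
        elif control == "requisite" and result == FAIL:
            return FAIL              # stops immediately
        elif control == "sufficient" and result == SUCCESS and not failed:
            return SUCCESS           # short-circuits; later modules never run
        # "optional" and failing "sufficient" modules do not affect the verdict
    return FAIL if failed else SUCCESS

def scenario(kind):
    """Constructed per-module outcomes for the cases discussed in the mail."""
    return {
        # groupdn admits the user: pam_ldap succeeds
        "allowed_ldap": {"pam_ldap.so": SUCCESS, "pam_login_access.so": SUCCESS,
                         "pam_unix.so": SUCCESS},
        # groupdn rejects the user (pam_ldap fails) but getpwent() still knows
        # the account, so pam_unix.so's account check passes (PR bin/116150)
        "restricted_ldap": {"pam_login_access.so": SUCCESS, "pam_unix.so": SUCCESS},
        # local root: unknown to pam_ldap, listed in pam_require.so root
        "local_root": {"pam_login_access.so": SUCCESS, "pam_require.so": SUCCESS,
                       "pam_unix.so": SUCCESS},
    }[kind]

if __name__ == "__main__":
    for name, stack in (("recommended", RECOMMENDED), ("ldap_only", LDAP_ONLY),
                        ("quickfix", QUICKFIX)):
        for kind in ("allowed_ldap", "restricted_ldap", "local_root"):
            print(f"{name:12} {kind:16} -> {run_stack(parse_stack(stack), scenario(kind))}")
```

Running it shows the recommended stack admitting the groupdn-rejected user while the quick fix denies that user yet still lets root in; the LDAP-only stack locks root out, as the mail says.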