From owner-freebsd-security@FreeBSD.ORG Thu Sep 6 14:25:05 2007
Message-ID: <46E00774.3060704@danielbond.org>
Date: Thu, 06 Sep 2007 15:58:12 +0200
From: Daniel Bond
To: freebsd-security@freebsd.org
Subject: [Resolved] Found a way of allowing pam_ldap users (with pam_groupdn or pam_check_host_attr restrictions), AND allowing local root authentication, without pam_unix.so taking precedence due to getpwent() returning ldap-users

Hi,

I've been trying to get LDAP ssh authentication to work for a while, and I found a bug (http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/116150) in pam_unix.so that breaks support for ldap-group/host-restrictions the ldap-way.
I saw numerous emails about pam_groupdn-ldap-restrictions on the mailing lists dating back to 2001, but no resolution for how to get it playing, so this is a working fix, until pam_unix.so and pam_ldap.so play well together:

The recommended setup; UNIX and LDAP logins work, but groupdn/check_host_attr restrictions don't:

    account sufficient /usr/local/lib/pam_ldap.so
    account required   pam_login_access.so
    account required   pam_unix.so local_pass

If you want only LDAP users, and no local root-account, this works:

    account sufficient /usr/local/lib/pam_ldap.so
    account required   pam_login_access.so
    account required   pam_deny.so

This is what I ended up with as a quick fix, until pam_unix.so is playing right again:

    # account
    account sufficient /usr/local/lib/pam_ldap.so
    account required   pam_login_access.so
    account required   /usr/local/lib/pam_require.so root
    account required   pam_unix.so local_pass

This basically restricts local accounts to the root-account, and honours ldap-pam-restrictions, that a user should explicitly have access to the machine. So one can still log in with the root-account if the ldap-server(s) for some reason isn't authenticating properly.

Hope this can be helpful to other users struggling with ldap-group/host restrictions, so they don't have to spend as much time as I did debugging it.

Regards,

Daniel Bond, NSN ASA.
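To see why the three account stacks in the post behave differently, here is a small model of the PAM "required"/"sufficient" control flags run over them. It is an added illustration, not code from the post or from FreeBSD; the user names, the LDAP "allowed" flags and the assumption that login.access imposes no restriction are all constructed, and pam_unix is modelled with the behaviour the post reports (its account check also passes for LDAP users because getpwnam() returns them).

```python
# Added example: toy model of the PAM account stack (required / sufficient)
# applied to the three configurations from the post. Not FreeBSD's or the
# poster's code; users and "allowed" flags below are constructed sample data.
LOCAL_USERS = {"root"}
# constructed LDAP directory: user -> passes the pam_groupdn / host restriction?
LDAP_USERS = {"alice": True, "bob": False}

def pam_ldap(user):
    # pam_ldap account: enforces the LDAP-side restriction; unknown users fail
    return LDAP_USERS.get(user, False)

def pam_login_access(user):
    return True  # assumption: /etc/login.access imposes no restriction

def pam_require_root(user):
    # pam_require.so root: only the listed account passes
    return user == "root"

def pam_unix(user):
    # models the behaviour described in the post (PR bin/116150): with nss_ldap,
    # getpwnam() also returns LDAP users, so pam_unix's account check passes for them
    return user in LOCAL_USERS or user in LDAP_USERS

def pam_deny(user):
    return False

RECOMMENDED = [("sufficient", pam_ldap), ("required", pam_login_access),
               ("required", pam_unix)]
LDAP_ONLY = [("sufficient", pam_ldap), ("required", pam_login_access),
             ("required", pam_deny)]
QUICKFIX = [("sufficient", pam_ldap), ("required", pam_login_access),
            ("required", pam_require_root), ("required", pam_unix)]

def run_stack(stack, user):
    """Evaluate an account stack; True means the account check passed."""
    required_failed = False
    for control, module in stack:
        ok = module(user)
        if control == "sufficient":
            if ok and not required_failed:
                return True  # a sufficient success ends the stack successfully
            # a sufficient failure is simply ignored
        elif control == "required":
            if not ok:
                required_failed = True  # keep evaluating, but the stack fails
    return not required_failed
```

Running the stacks shows the point of the post: in the recommended stack the restricted LDAP user bob still passes, because pam_unix succeeds for him; the quick-fix stack denies him while root keeps working.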