From owner-freebsd-questions@FreeBSD.ORG Thu Oct 6 21:24:06 2005
Date: Thu, 6 Oct 2005 17:24:03 -0400 (EDT)
From: "Brian A. Seklecki"
To: ldap@listserver.gpcc.itd.umich.edu, freebsd-questions@freebsd.org, jason@lixfeld.ca, Joerg Pulz, jesk@killall.org
In-Reply-To: <20051006164231.R95280@arbitor.digitalfreaks.org>
Message-ID: <20051006171215.S95280@arbitor.digitalfreaks.org>
Subject: Re: LDAP + PAM + pam_groupdn / pam_member_attribute (revisited)

This should be so insanely easy. I'm relatively certain this is a FreeBSD PAM specific issue.

From "LDAP system administration [electronic resource] / Gerald Carter. 1st ed. Beijing ; Sebastopol, CA : O'Reilly, c2003."
....in ldap.conf and nss_ldap.conf --

    # Group to enforce membership of
    pam_groupdn cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com

    # Group member attribute
    pam_member_attribute memberUid

---

...and then in LDAP, have an object. *ANY* object will function as a "group", as long as it supports a multi-value attribute, in this case memberUid, such as a posixGroup:

    # groupName, posixGroups, priv, root, dn
    dn: cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com
    cn: cfdev
    objectClass: posixGroup
    objectClass: top
    gidNumber: 65532
    memberUid: user1
    memberUid: user2
    memberUid: user3
    memberUid: user4
    memberUid: user5
    memberUid: user6

...this result is returned by the same search I'm asking PAM to do:

    $ ldapsearch -D "cn=bofh,dc=root,dc=com" -b dc=root,dc=com -H ldap://ldapserver -Z -W "(objectClass=posixGroup)"

Then adjust for PAM in SSHD:

    # auth
    auth        required    pam_nologin.so                  no_warn
    auth        sufficient  pam_opie.so                     no_warn no_fake_prompts
    auth        requisite   pam_opieaccess.so               no_warn allow_local
    #auth       sufficient  pam_krb5.so                     no_warn try_first_pass
    #auth       sufficient  pam_ssh.so                      no_warn try_first_pass
    auth        sufficient  /usr/local/lib/pam_ldap.so      no_warn try_first_pass
    auth        required    pam_unix.so                     no_warn try_first_pass

    # account
    #account    required    pam_krb5.so
    account     required    pam_login_access.so
    account     required    /usr/local/lib/pam_ldap.so      ignore_authinfo_unavail ignore_unknown_user
    account     required    pam_unix.so

    # session
    #session    optional    pam_ssh.so
    session     required    pam_permit.so
    #session    sufficient  /usr/local/lib/pam_ldap.so      no_warn try_first_pass

    # password
    #password   sufficient  pam_krb5.so                     no_warn try_first_pass
    password    required    pam_unix.so                     no_warn try_first_pass
    #password   required    /usr/local/lib/pam_ldap.so      no_warn try_first_pass

...when I change "account ..pam_ldap.so" to sufficient, it allows users in who aren't in the required group (as it should if the check fails). When I change it to required, it doesn't let them in, but there isn't a single useful debugging error message.
How could something so widely used as PAM make it into the wild without hooks for debugging?

~BAS

On Thu, 6 Oct 2005, Brian A. Seklecki wrote:

> Did anyone ever get this combination working?
>
> Is 'pam_member_attribute' supposed to be uniqueMember or memberUid?
>
> When you look at a posixGroup entity, the multi-value attribute is memberUid!
>
> Is there *any* way at all to get debugging information out of PAM libraries, or is it just so insanely esoteric that it's not an option?
>
> My favorite thing about PADL's documentation by far is the lack of examples.
>
> ~BAS >:}
>
> l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
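The behaviour the post describes (pam_ldap under "sufficient" lets non-members in, under "required" it denies them) follows from the PAM control-flag semantics combined with the pam_groupdn / pam_member_attribute lookup. The following is an added illustration, not code from the post, from PADL's pam_ldap, or from FreeBSD: it parses a constructed LDIF entry shaped like the posixGroup above, models the membership check pam_ldap performs against pam_groupdn, and then evaluates the post's account stack under both control flags. Module names, the LDIF values and the result table are constructed; pam_ldap's ignore_authinfo_unavail / ignore_unknown_user options are not modelled.

```python
"""Toy model (added example, not the post's or pam_ldap's code) of the
pam_groupdn membership check and of PAM account-stack evaluation.
Nothing here talks to a real LDAP server or to libpam."""

# Constructed LDIF entry, mirroring the shape of the group in the post.
GROUP_LDIF = """\
dn: cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com
cn: cfdev
objectClass: posixGroup
objectClass: top
gidNumber: 65532
memberUid: user1
memberUid: user2
memberUid: user3
"""

# Values a pam_ldap.conf would carry for this setup (constructed).
PAM_GROUPDN = "cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com"
PAM_MEMBER_ATTRIBUTE = "memberUid"


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}; multi-valued
    attributes such as memberUid keep every value."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def ldap_group_check(entry, username, groupdn=PAM_GROUPDN,
                     member_attr=PAM_MEMBER_ATTRIBUTE):
    """Model of the pam_groupdn check: the user must appear as one of the
    values of pam_member_attribute on the entry named by pam_groupdn."""
    if entry.get("dn") != [groupdn]:
        return False  # wrong entry or group not found -> treat as failure
    return username in entry.get(member_attr, [])


def run_pam_stack(stack, results):
    """Evaluate a PAM stack with the classic control flags.
    stack: list of (control, module); results: module -> True/False.
    required   : failure is remembered, later modules still run
    requisite  : failure ends the stack immediately
    sufficient : success ends the stack (unless a required already failed);
                 failure is ignored
    optional   : ignored unless it is the only module in the stack"""
    failed = False
    for control, module in stack:
        ok = results.get(module, True)
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            failed = True
        if control == "sufficient" and ok and not failed:
            return True
    if len(stack) == 1 and stack[0][0] == "optional":
        return results.get(stack[0][1], True)
    return not failed


def account_decision(username, ldap_control):
    """The post's 'account' stack with pam_ldap under the given control flag.
    pam_login_access and pam_unix are assumed to pass for the user."""
    group = parse_ldif_entry(GROUP_LDIF)
    stack = [
        ("required", "pam_login_access.so"),
        (ldap_control, "pam_ldap.so"),
        ("required", "pam_unix.so"),
    ]
    results = {
        "pam_login_access.so": True,
        "pam_ldap.so": ldap_group_check(group, username),
        "pam_unix.so": True,
    }
    return run_pam_stack(stack, results)


if __name__ == "__main__":
    for user in ("user1", "user9"):
        for ctl in ("sufficient", "required"):
            verdict = "allow" if account_decision(user, ctl) else "deny"
            print(f"{user:6} account {ctl:10} pam_ldap.so -> {verdict}")
```

Running it shows user9 (not a memberUid) allowed under "sufficient" because the failed pam_ldap result is discarded and pam_unix then satisfies the stack, and denied under "required", which is exactly the pair of outcomes reported above; the model is what the membership decision looks like once the lookup itself works, so when real logins fail under "required" the thing to verify is that the bind used by pam_ldap can read the memberUid values of the pam_groupdn entry.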