From owner-freebsd-questions@FreeBSD.ORG Mon Oct 18 05:07:37 2004
From: Jason Lixfeld
To: freebsd-questions@freebsd.org
Date: Mon, 18 Oct 2004 01:07:31 -0400
Subject: pam_ldap authentication based on pam_groupdn
Message-Id: <9D1F1D64-20C3-11D9-8384-000A95D6AB8E@lixfeld.ca>

I'm wondering if someone can point out my error here.
I've got PAM authenticating ssh users like so:

    auth        required    pam_nologin.so no_warn
    auth        sufficient  pam_opie.so no_warn no_fake_prompts
    auth        requisite   pam_opieaccess.so no_warn allow_local
    auth        sufficient  /usr/local/lib/pam_ldap.so config=/usr/local/etc/openldap/ldap-ssh.conf debug try_first_pass
    auth        required    pam_unix.so no_warn try_first_pass
    account     required    pam_login_access.so
    account     sufficient  /usr/local/lib/pam_ldap.so debug
    account     required    pam_unix.so
    session     required    pam_permit.so
    password    sufficient  /usr/local/lib/pam_ldap.so debug
    password    required    pam_unix.so no_warn try_first_pass

    bash-2.05b# cat /usr/local/etc/openldap/ldap-ssh.conf
    host 127.0.0.1
    base dc=example,dc=com
    rootbinddn cn=proxyuser,dc=example,dc=com
    scope one
    #pam_filter objectclass=posixaccount
    #pam_login_attribute uid
    pam_groupdn cn=ssh,ou=groups,dc=example,dc=com
    pam_member_attribute memberuid
    pam_password SSHA
    nss_base_passwd ou=users,dc=example,dc=com?one
    nss_base_shadow ou=users,dc=example,dc=com?one
    nss_base_group ou=groups,dc=example,dc=com?one

So I'm trying to permit only users who are members of the group "ssh". As per this LDAP entry below, this user should be the only one permitted to ssh in:

    dn: cn=ssh,ou=groups,dc=example,dc=com
    objectClass: posixGroup
    objectClass: top
    cn: ssh
    gidNumber: 10009
    memberUid: testuser.discord.ca

This isn't working. This user, and any other user, can ssh in, even without being a member of the ssh group. The check doesn't seem to be working and I'm not sure what I'm doing wrong. I have an nss_ldap.conf which PAM queries also, but will a config explicitly configured as I have done above override the nss_ldap.conf?

Any ideas?
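As an added illustration (not code from the post, from pam_ldap or from FreeBSD), the following models how PAM's `required`, `requisite` and `sufficient` control flags combine the verdicts of the account stack quoted above, so a reader can trace what the stack grants when one module denies and the others accept. The per-module verdicts are constructed inputs; the scenario assumes pam_ldap denies a user outside the pam_groupdn group while pam_unix still accepts an account it can resolve.

```python
SUCCESS, FAIL = "success", "fail"

def run_stack(stack, results):
    """Evaluate one PAM stack under the classic control-flag rules.

    stack:   list of (control_flag, module) in configuration order.
    results: constructed dict module -> SUCCESS/FAIL, what each module
             would return for the user being checked.
    Rules modelled (see pam.conf(5)):
      required   failure is remembered, the rest of the stack still runs
      requisite  failure ends the stack immediately with a denial
      sufficient success ends the stack with a grant unless a required
                 module already failed; a failure is ignored
    """
    required_failed = False
    for flag, module in stack:
        result = results[module]
        if flag == "required" and result == FAIL:
            required_failed = True
        elif flag == "requisite" and result == FAIL:
            return FAIL
        elif flag == "sufficient" and result == SUCCESS and not required_failed:
            return SUCCESS
    return FAIL if required_failed else SUCCESS

# The account stack exactly as quoted in the post.
POSTED_ACCOUNT_STACK = [
    ("required", "pam_login_access.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
]

# Same modules with pam_ldap's verdict made binding: one possible
# hardening for illustration, not a change the post itself makes.
STRICT_ACCOUNT_STACK = [
    ("required", "pam_login_access.so"),
    ("required", "pam_ldap.so"),
    ("required", "pam_unix.so"),
]

# Constructed verdicts. Assumption: pam_ldap denies a user outside the
# pam_groupdn group, while pam_unix still accepts an account it can see.
NOT_IN_GROUP = {"pam_login_access.so": SUCCESS, "pam_ldap.so": FAIL, "pam_unix.so": SUCCESS}
IN_GROUP = {"pam_login_access.so": SUCCESS, "pam_ldap.so": SUCCESS, "pam_unix.so": SUCCESS}

if __name__ == "__main__":
    for name, stack in (("posted", POSTED_ACCOUNT_STACK), ("strict", STRICT_ACCOUNT_STACK)):
        print(f"{name} stack, user not in group: {run_stack(stack, NOT_IN_GROUP)}")
        print(f"{name} stack, user in group:     {run_stack(stack, IN_GROUP)}")
```

With the posted stack, a denial from a `sufficient` module is discarded and the verdict is left to `pam_unix`; with the strict stack the same denial is binding.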