From: "O. Hartmann" <ohartman@zedat.fu-berlin.de>
Organization: Freie Universität Berlin
Date: Mon, 27 Apr 2009 07:48:07 +0000
To: freebsd-questions@freebsd.org, freebsd-current@FreeBSD.org
Message-ID: <49F56337.8040900@zedat.fu-berlin.de>
Subject: PAM/ldap_pam/NFSv4: How to let users of a specific group log into a specific box?

Hello.

I ran into a specific problem and, after several months of experiments, I haven't found a solution yet.

This is what I wish to get and need: a simple capability of selecting users into a specific group. Members of such a group should then be able to log into a set of specific hosts.
Infrastructure is FreeBSD 8.0-CURRENT/amd64 and some 7.2-STABLE boxes (acting as servers) as well as an OpenLDAP backend. Authentication on the boxes is done via PAM/ldap_pam, but on FreeBSD's side it is a vanilla configuration, not very sophisticated. Users authenticate and authorize against an OpenLDAP server residing on another box.

pam_ldap in its most recent ports version offers, as the manpage claims, a facility enabling group logins (resides in /usr/local/etc/ldap.conf):

    # Group to enforce membership of
    pam_groupdn cn=mygroup,ou=groups,dc=foo,dc=org?sub

    # Group member attribute
    #pam_member_attribute uniqueMember
    pam_member_attribute memberUid

Within the DIT of the OpenLDAP server, ou=groups exists and also contains a group called 'mygroup' with a multi-value attribute (as required), in this case memberUid.

Using pam_ldap.so as a 'required' module is not appreciated, so there seems to me to be a problem with the stack order. That is to say: I need an LDAP solution.

pam_group doesn't work for me:

    auth required/requisite pam_group.so no_warn group=mygroup

Can anybody help or have hints?

Please remember I do not belong to the 'questions' list, so please put me into your mail-cc.

Regards,
Oliver
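An added, offline simulation of the membership test that pam_groupdn and pam_member_attribute describe (this is not pam_ldap's own code, and the group entry is constructed, not a dump of the poster's directory). It shows why the configured attribute must match how the group stores its members: memberUid holds bare login names, while uniqueMember holds full DNs, so switching the attribute silently changes who passes the check.

```python
from typing import Dict, List

# Constructed LDIF for the group named in the ldap.conf fragment (hypothetical data).
GROUP_LDIF = """\
dn: cn=mygroup,ou=groups,dc=foo,dc=org
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: mygroup
memberUid: alice
memberUid: bob
uniqueMember: uid=alice,ou=people,dc=foo,dc=org
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> values (attribute names lower-cased)."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def parse_groupdn(setting: str) -> str:
    """The post writes pam_groupdn with a trailing '?sub'; keep only the DN part."""
    return setting.split("?", 1)[0].strip()


def is_member(entry: Dict[str, List[str]], member_attribute: str, uid: str, user_dn: str) -> bool:
    """memberUid is compared against the login name, any other attribute against the user's DN."""
    values = entry.get(member_attribute.lower(), [])
    if member_attribute.lower() == "memberuid":
        return uid in values
    return user_dn.lower() in (v.lower() for v in values)


def check_login(ldap_conf: Dict[str, str], uid: str, user_dn: str) -> bool:
    """Decide whether pam_ldap's group enforcement would let this user in."""
    group = parse_ldif_entry(GROUP_LDIF)
    # The configured group DN must name this entry; a typo in ldap.conf denies everyone.
    if group["dn"][0].lower() != parse_groupdn(ldap_conf["pam_groupdn"]).lower():
        return False
    return is_member(group, ldap_conf["pam_member_attribute"], uid, user_dn)
```

With pam_member_attribute set to memberUid both alice and bob are admitted, but with uniqueMember only alice is, because bob's DN is not listed under that attribute.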