From: "O. Hartmann"
Date: Fri, 24 Apr 2009 22:59:09 +0200
To: freebsd-current@freebsd.org, freebsd-questions@freebsd.org
Message-ID: <49F2281D.7030109@mail.zedat.fu-berlin.de>
Subject: pam_groupdn/pam_member_attribute does not work with OpenLDAP/PAM and FreeBSD. Why?
On our FreeBSD 7.2/8.0 driven infrastructure we use OpenLDAP:

    openldap-sasl-client-2.4.16   Open source LDAP client implementation with SASL2 support
    openldap-sasl-server-2.4.16   Open source LDAP server implementation
    pam_ldap-1.8.4_1              A pam module for authenticating with LDAP

From O'Reilly's OpenLDAP book and other sources I got the information that the tags

    pam_groupdn
    pam_member_attribute

can be used in conjunction with 'uid' to restrict access to a specific host to those who are members of the group specified by pam_groupdn, as long as the group object supports multi-value attributes like memberUid. Well, this is not working with FreeBSD any way!

Suppose I define in /usr/local/etc/ldap.conf

    pam_groupdn cn=myGroup,ou=groups,dc=foo,dc=bar   (objectClass: posixGroup)
    pam_member_attribute memberUid

and within this group there is my memberUid:

    memberUid: ohartmann

Now I try to login to the specific box and get the warning:

    You must be a memberUid of cn=myGroup,ou=groups,dc=foo,dc=bar to login.

... and I can login, no matter whether I'm in the group or not. What is happening here? Why is the documentation telling me this should work and why isn't FreeBSD/PAM doing so? I'm confused!

Any help appreciated.

Oliver
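The check that the two ldap.conf keys above are documented to enforce, written out as an added example (not pam_ldap's or FreeBSD's own code): it reads pam_groupdn and pam_member_attribute from a constructed ldap.conf excerpt, parses a constructed LDIF dump of the group entry, and permits a uid only when it is a value of that attribute on that exact entry, denying in every other case. The group DN and memberUid value are the ones from the mail; the second member and the gidNumber are made up.

```python
"""Model of the group restriction pam_groupdn / pam_member_attribute describe.
Added example, not pam_ldap's code; config and LDIF below are constructed."""

# Constructed excerpt of /usr/local/etc/ldap.conf
LDAP_CONF = """\
base dc=foo,dc=bar
# restrict logins on this host to members of myGroup
pam_groupdn cn=myGroup,ou=groups,dc=foo,dc=bar
pam_member_attribute memberUid
"""

# Constructed LDIF for the group, as 'ldapsearch -LLL' would print it
GROUP_LDIF = """\
dn: cn=myGroup,ou=groups,dc=foo,dc=bar
objectClass: posixGroup
cn: myGroup
gidNumber: 5000
memberUid: ohartmann
memberUid: alice
"""

def parse_ldap_conf(text):
    """Return {key: value} for 'key value' lines; comments/blanks ignored."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1].strip()
    return conf

def parse_ldif_entry(text):
    """Return (dn, {attr: [values]}) for one plain LDIF entry.
    Attribute names are folded to lower case (LDAP matches them
    case-insensitively); base64 ('::') values are not handled here."""
    dn, attrs = None, {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs

def login_allowed(uid, conf, entry):
    """No pam_groupdn configured means no group restriction; otherwise fail
    closed: wrong DN, missing attribute, or uid not listed all deny."""
    groupdn = conf.get("pam_groupdn")
    if not groupdn:
        return True
    member_attr = conf.get("pam_member_attribute", "").lower()
    dn, attrs = entry
    if not member_attr or dn is None or dn.lower() != groupdn.lower():
        return False
    return uid in attrs.get(member_attr, [])
```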