Date: Tue, 19 Oct 2004 08:26:01 -0400
From: Jason Lixfeld <jason+lists.freebsd@lixfeld.ca>
To: freebsd-questions@freebsd.org
Subject: Re: pam_ldap authentication based on pam_groupdn
Message-ID: <09FBA43F-21CA-11D9-A2AF-000A95D6AB8E@lixfeld.ca>
In-Reply-To: <9D1F1D64-20C3-11D9-8384-000A95D6AB8E@lixfeld.ca>
References: <9D1F1D64-20C3-11D9-8384-000A95D6AB8E@lixfeld.ca>
Hi. Anyone have any insight on this?

On 18-Oct-04, at 1:07 AM, Jason Lixfeld wrote:

> I'm wondering if someone can point out my error here. I've got PAM
> authenticating ssh users like so:
>
> auth       required    pam_nologin.so              no_warn
> auth       sufficient  pam_opie.so                 no_warn no_fake_prompts
> auth       requisite   pam_opieaccess.so           no_warn allow_local
> auth       sufficient  /usr/local/lib/pam_ldap.so  config=/usr/local/etc/openldap/ldap-ssh.conf debug try_first_pass
> auth       required    pam_unix.so                 no_warn try_first_pass
> account    required    pam_login_access.so
> account    sufficient  /usr/local/lib/pam_ldap.so  debug
> account    required    pam_unix.so
> session    required    pam_permit.so
> password   sufficient  /usr/local/lib/pam_ldap.so  debug
> password   required    pam_unix.so                 no_warn try_first_pass
>
> bash-2.05b# cat /usr/local/etc/openldap/ldap-ssh.conf
> host 127.0.0.1
> base dc=example,dc=com
> rootbinddn cn=proxyuser,dc=example,dc=com
> scope one
> #pam_filter objectclass=posixaccount
> #pam_login_attribute uid
> pam_groupdn cn=ssh,ou=groups,dc=example,dc=com
> pam_member_attribute memberuid
> pam_password SSHA
> nss_base_passwd ou=users,dc=example,dc=com?one
> nss_base_shadow ou=users,dc=example,dc=com?one
> nss_base_group ou=groups,dc=example,dc=com?one
>
> So I'm trying to permit users who are only members of the group "ssh".
> As per this ldap entry below, this user should be the only one
> permitted to ssh in:
>
> dn: cn=ssh,ou=groups,dc=example,dc=com
> objectClass: posixGroup
> objectClass: top
> cn: ssh
> gidNumber: 10009
> memberUid: testuser.discord.ca
>
> This isn't working. This user, and any other user can ssh in, even
> without being a member of the ssh group. The check doesn't seem to be
> working and I'm not sure what I'm doing wrong.
>
> I have an nss_ldap.conf which pam queries also, but will a config
> explicitly configured as I have done above override the
> nss_ldap.conf?
>
> Any ideas?
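An added example, not part of the thread or of pam_ldap itself: a small Python model of PAM control-flag evaluation (required, requisite, sufficient, optional) run over the account stack quoted above, showing why a denial from a "sufficient" module never blocks the login on its own. It assumes, as pam_ldap's documentation describes pam_groupdn as a logon authorization check, that the group test is applied in pam_ldap's account-management step, and that pam_unix's account check passes for any user nss_ldap can resolve; the module names and return codes are used only as labels.

```python
"""Model of PAM control-flag evaluation applied to the quoted 'account' stack.

Assumptions (not taken from the thread): pam_ldap enforces pam_groupdn in its
account hook, and pam_unix's account hook succeeds for any resolvable user.
"""
PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"


def run_stack(stack, results):
    """Evaluate a PAM stack: `stack` is a list of (control, module) pairs,
    `results` maps each module to the code that module returns."""
    required_failed = False
    for control, module in stack:
        ok = results[module] == PAM_SUCCESS
        if control == "requisite" and not ok:
            return PAM_PERM_DENIED          # fail the whole stack at once
        if control == "required" and not ok:
            required_failed = True          # remember, but keep running
        elif control == "sufficient" and ok and not required_failed:
            return PAM_SUCCESS              # short-circuit: later modules skipped
        # a failing 'sufficient' or any 'optional' result is ignored
    return PAM_PERM_DENIED if required_failed else PAM_SUCCESS


# The account stack exactly as quoted in the post.
POSTED_ACCOUNT = [
    ("required", "pam_login_access.so"),
    ("sufficient", "/usr/local/lib/pam_ldap.so"),
    ("required", "pam_unix.so"),
]

# Same stack with pam_ldap promoted to 'required', so its denial sticks.
STRICT_ACCOUNT = [
    ("required", "pam_login_access.so"),
    ("required", "/usr/local/lib/pam_ldap.so"),
    ("required", "pam_unix.so"),
]


def account_result(stack, in_ssh_group):
    """Outcome of the account phase for a user who is, or is not, a memberUid
    of cn=ssh,ou=groups,dc=example,dc=com (constructed scenario)."""
    results = {
        "pam_login_access.so": PAM_SUCCESS,
        "/usr/local/lib/pam_ldap.so": PAM_SUCCESS if in_ssh_group else PAM_PERM_DENIED,
        "pam_unix.so": PAM_SUCCESS,         # assumption: account resolvable, not expired
    }
    return run_stack(stack, results)
```

With pam_ldap marked required in the account stack, a user who is absent from LDAP altogether is also denied, so purely local accounts need their own path.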