From owner-freebsd-questions@FreeBSD.ORG Tue Oct 19 12:26:06 2004
From: Jason Lixfeld
Date: Tue, 19 Oct 2004 08:26:01 -0400
To: freebsd-questions@freebsd.org
Subject: Re: pam_ldap authentication based on pam_groupdn
In-Reply-To: <9D1F1D64-20C3-11D9-8384-000A95D6AB8E@lixfeld.ca>
References: <9D1F1D64-20C3-11D9-8384-000A95D6AB8E@lixfeld.ca>
Message-Id: <09FBA43F-21CA-11D9-A2AF-000A95D6AB8E@lixfeld.ca>
X-Mailer: Apple Mail (2.619)

Hi. Anyone have any insight on this?

On 18-Oct-04, at 1:07 AM, Jason Lixfeld wrote:

> I'm wondering if someone can point out my error here.
> I've got PAM authenticating ssh users like so:
>
> auth      required   pam_nologin.so                 no_warn
> auth      sufficient pam_opie.so                    no_warn no_fake_prompts
> auth      requisite  pam_opieaccess.so              no_warn allow_local
> auth      sufficient /usr/local/lib/pam_ldap.so     config=/usr/local/etc/openldap/ldap-ssh.conf debug try_first_pass
> auth      required   pam_unix.so                    no_warn try_first_pass
> account   required   pam_login_access.so
> account   sufficient /usr/local/lib/pam_ldap.so     debug
> account   required   pam_unix.so
> session   required   pam_permit.so
> password  sufficient /usr/local/lib/pam_ldap.so     debug
> password  required   pam_unix.so                    no_warn try_first_pass
>
> bash-2.05b# cat /usr/local/etc/openldap/ldap-ssh.conf
> host 127.0.0.1
> base dc=example,dc=com
> rootbinddn cn=proxyuser,dc=example,dc=com
> scope one
> #pam_filter objectclass=posixaccount
> #pam_login_attribute uid
> pam_groupdn cn=ssh,ou=groups,dc=example,dc=com
> pam_member_attribute memberuid
> pam_password SSHA
> nss_base_passwd ou=users,dc=example,dc=com?one
> nss_base_shadow ou=users,dc=example,dc=com?one
> nss_base_group ou=groups,dc=example,dc=com?one
>
> So I'm trying to permit only users who are members of the group "ssh".
> As per this ldap entry below, this user should be the only one
> permitted to ssh in:
>
> dn: cn=ssh,ou=groups,dc=example,dc=com
> objectClass: posixGroup
> objectClass: top
> cn: ssh
> gidNumber: 10009
> memberUid: testuser.discord.ca
>
> This isn't working. This user, and any other user, can ssh in, even
> without being a member of the ssh group. The check doesn't seem to be
> working and I'm not sure what I'm doing wrong.
>
> I have an nss_ldap.conf which pam queries also, but will a config
> explicitly configured as I have done above override the nss_ldap.conf?
>
> Any ideas?
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
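[Editor's note, added to the archived thread and not part of the poster's message.] The security-relevant detail in the quoted stack is the control flag on the pam_ldap account line. Under the PAM control-flag semantics shared by OpenPAM (FreeBSD) and Linux-PAM, a module marked `sufficient` that fails is simply skipped: its failure never denies the login, and the chain falls through to the following `required` modules. If pam_ldap's account check is what enforces `pam_groupdn`, then with `account sufficient pam_ldap.so` a non-member's denial is discarded and `account required pam_unix.so` decides the outcome instead. The example below is added here (it is not code from the post, from pam_ldap or from FreeBSD) and models that evaluation on the poster's own `account` chain. Its module return codes are constructed stubs: that pam_ldap's account check returns a denial for a user outside `cn=ssh` is an assumption about pam_ldap's behaviour, and the `HARDENED_SSHD_PAM` variant only illustrates the flag change, not a verified fix for the poster's setup.

```python
"""Simulate PAM chain evaluation for the simple control flags.

Added example, not from the mailing-list post. Module results are
constructed stubs; nothing here talks to PAM or LDAP.
"""
from typing import Dict, List, Optional, Tuple

# Outcome codes, named after PAM's own constants.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_AUTH_ERR = "PAM_AUTH_ERR"

# One chain entry: (control flag, module file name). Module arguments
# are dropped because they do not affect control flow in this model.
Entry = Tuple[str, str]

# The poster's account chain, copied from the quoted pam.d/sshd.
POSTED_SSHD_PAM = """
account required   pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so debug
account required   pam_unix.so
"""

# Hypothetical variant: pam_ldap's verdict is made mandatory.
HARDENED_SSHD_PAM = """
account required   pam_login_access.so
account required   /usr/local/lib/pam_ldap.so debug
account required   pam_unix.so
"""


def parse_pam_config(text: str, facility: str) -> List[Entry]:
    """Extract one facility ('auth', 'account', ...) from pam.d-style text."""
    chain: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != facility:
            continue
        # Keep only the basename so /usr/local/lib/pam_ldap.so == pam_ldap.so
        chain.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return chain


def run_chain(chain: List[Entry], results: Dict[str, str]) -> str:
    """Evaluate a chain the way OpenPAM/Linux-PAM treat the simple keywords.

    required:   remember the first failure, keep going, fail at the end
    requisite:  fail immediately
    sufficient: succeed immediately if no required module has failed yet;
                a failure is ignored and evaluation continues
    optional:   only counts when it is the sole module in the chain
    Modules absent from `results` are treated as PAM_SUCCESS (e.g. a
    pam_login_access.so with a permissive login.access).
    """
    first_failure: Optional[str] = None
    for flag, module in chain:
        rc = results.get(module, PAM_SUCCESS)
        ok = rc == PAM_SUCCESS
        if flag == "required":
            if not ok and first_failure is None:
                first_failure = rc
        elif flag == "requisite":
            if not ok:
                return rc
        elif flag == "sufficient":
            if ok and first_failure is None:
                return PAM_SUCCESS
            # a failing sufficient module is silently skipped
        elif flag == "optional":
            if len(chain) == 1 and not ok:
                return rc
        else:
            raise ValueError(f"unsupported control flag {flag!r}")
    return first_failure or PAM_SUCCESS


def ssh_allowed(pam_config: str, ldap_account_rc: str) -> bool:
    """Constructed scenario: pam_ldap's account check returns
    `ldap_account_rc` (assumed PAM_SUCCESS for a member of cn=ssh and a
    denial otherwise), while pam_unix's account check succeeds for any
    user that nss_ldap can resolve."""
    results = {"pam_ldap.so": ldap_account_rc, "pam_unix.so": PAM_SUCCESS}
    return run_chain(parse_pam_config(pam_config, "account"), results) == PAM_SUCCESS


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_SSHD_PAM), ("hardened", HARDENED_SSHD_PAM)):
        for who, rc in (("member", PAM_SUCCESS), ("non-member", PAM_PERM_DENIED)):
            print(f"{label:8} {who:10} allowed={ssh_allowed(cfg, rc)}")
```

Run stand-alone, the table shows the posted chain admitting both the member and the non-member, because the non-member's pam_ldap denial is dropped and pam_unix's success decides; the `required` variant admits only the member. The same reasoning applies to the `auth` stack: `auth sufficient pam_ldap.so` followed by `auth required pam_unix.so try_first_pass` means a pam_ldap failure still leaves pam_unix to verify the password against whatever `getpwnam` returns, so if nss_ldap serves password hashes through `nss_base_shadow`, pam_unix can authenticate LDAP users without pam_ldap ever mattering.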