<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<title>Access.conf issue</title>
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Is your user a part of the groupname or groupname2 group? <o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> And, is “UsePAM yes” set in your
sshd_config?<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Although, I am not sure that the pam_member_attribute
uniquemember is going to work in this situation.  PAM is looking to
evaluate that the user is a member of the group that you specify for “pam_groupdn”
in ldap.conf.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> Based on what you are saying, you are simply using pam_access
to control ssh access to the server.  But instead of the pam_access line
being in system-auth, I have it in /etc/pam.d/sshd, which, based on the error
messages, it looks like yours is too.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>What exactly are you trying to accomplish?<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Robert<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<div>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#000099'>Robert M. Tidwell</span></b><span style='color:blue'>  </span><span
style='font-size:13.5pt;font-family:"Arial","sans-serif";color:#666666'>|</span><span
style='color:blue'> </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#666666'>System Engineer/Architect/Administrator</span><span
style='color:#1F497D'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#666666;letter-spacing:2.0pt'>Acxiom Distributed Systems Central Arkansas</span><span
style='color:#1F497D'><o:p></o:p></span></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#666666'>00-1-501-342-4127 office
| 00-1-501-908-2790 cell | 00-1-501-342-3932 fax<br>
301 East Dave Ward Drive | Conway, AR 72032 | USA | <a
href="http://www.acxiom.com">www.acxiom.com</a></span><span style='color:#1F497D'><o:p></o:p></span></p>

</div>


<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> fedora-directory-users-bounces@redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] <b>On Behalf Of </b>Prashanth
Sundaram<br>
<b>Sent:</b> Wednesday, November 18, 2009 11:06 AM<br>
<b>To:</b> fedora-directory-users@redhat.com<br>
<b>Subject:</b> [389-users] Access.conf issue<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>All,<br>
<br>
I have set up the LDAP server with PAM PassThrough and need help in figuring out
the access.conf without the use of netgroups. Can I simply use the groups with
access.conf?<br>
<br>
I am only able to ssh as root, but not with any ldap account. I was able to ssh
before making changes for the pam_access.<br>
<br>
Here are the files I edited.<br>
<br>
/etc/ldap.conf<br>
<b><i>pam_member_attribute uniquemember  (since 389-ds uses uniquemember
for group membership)<br>
</i></b><i>uri ldap://ldap.domain.com:389/<br>
tls_checkpeer yes<br>
ssl start_tls<br>
tls_cacertdir /etc/openldap/cacerts<br>
pam_password md5<br>
tls_cacertfile /etc/pki/tls/certs/ca-cert.crt<br>
<br>
</i>/etc/security/access.conf<br>
<i>+ : root : ALL<br>
+ : @groupname : ALL<br>
+ : @groupname2 : ALL<br>
- : ALL : ALL<br>
<br>
</i>authconfig  --enableldap --enableldapauth --disablenis --enablecache
--ldapserver=ldap.domain.com --ldapbasedn=dc=ldapdomain,dc=com --enableldaptls
--disablekrb5 --krb5kdc=AD.ADdomain.com --krb5adminserver=AD.ADdomain.com
--krb5realm=ADDOMAIN.COM --enablekrb5kdcdns --enablekrb5realmdns <b>--enablepamaccess
</b>--enablemkhomedir --enablelocauthorize --updateall<br>
<br>
/etc/pam.d/system-auth<br>
:<br>
account     required   pam_access.so
accessfile=/etc/security/access.conf <br>
:<br>
<i><br>
</i>Here’s the error message I got. I see that krb5 is succeeding with my password
but pam_access is blocking me.<br>
<i>pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh
ruser= rhost=10.12.0.95  user=psundaram<br>
Nov 18 11:01:44 wgldap01 sshd[8995]:<b> pam_krb5[8995]: authentication succeeds
for 'psundaram' (<a href="psundaram@ADDOMAIN.COM">psundaram@ADDOMAIN.COM</a>)<br>
</b>Nov 18 11:01:45 wgldap01 sshd[8995]: pam_access(sshd:account): access
denied for user `psundaram' from `10.12.0.95'<br>
Nov 18 11:01:45 wgldap01 sshd[8995]: pam_access(sshd:account): access denied
for user `psundaram' from `10.12.0.95'<br>
Nov 18 11:01:45 wgldap01 sshd[8996]: fatal: Access denied for user psundaram by
PAM account configuration<br>
<br>
<br>
</i>Thanks,<br>
Prashanth</span> <o:p></o:p></p>

</div>
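<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Both messages above come down to one question: when sshd’s PAM account stack reaches pam_access, does the users field of a matching access.conf rule actually cover the user? The script below is an added example for this thread; it is not the poster’s configuration and not Linux-PAM code. <b>access_decision</b> replays pam_access’s first-match evaluation over a rule file for a given user, an explicitly supplied group list and an origin, so rules can be dry-run without an LDAP server; <b>live_checks</b> is the on-host version of Robert’s checklist (does NSS resolve the user and their groups, is UsePAM set, which PAM file carries pam_access). Assumptions: the user name, group names and client address are taken from the post; origin matching is simplified to ALL, LOCAL and literal hosts (no domain suffixes, netmasks or EXCEPT in the origins field); and @name tokens are reported as non-matching, because in pam_access a leading @ denotes a netgroup looked up with innetgr(3), which needs a NIS or LDAP netgroup source this offline run does not have. A bare name is tried as the login name and then as a group, and a name in parentheses is a group only, on Linux-PAM releases that support that syntax.</span></p>

```shell
#!/bin/sh
# access_check.sh: dry-run an /etc/security/access.conf rule set the way
# pam_access evaluates it (first matching rule wins; no match means permit).
# Added example for this thread; it is not Linux-PAM code and implements only
# the syntax used here: permission (+/-), a users field of ALL, login names,
# bare group names, (group) and @netgroup tokens with optional EXCEPT, and an
# origins field of ALL, LOCAL or literal host names / addresses.

# in_list NEEDLE "word word ..." -> 0 if NEEDLE is one of the words
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# token_match USER "GROUPS" TOKEN -> 0 if TOKEN covers USER
token_match() {
    case $3 in
        ALL) return 0 ;;
        # @name is a netgroup: pam_access asks innetgr(3), which needs a NIS or
        # LDAP netgroup source. None is available offline, so it never matches.
        @*) return 1 ;;
        # (name) is a group only; membership comes from the supplied list,
        # which on a real host is what id -Gn returns through NSS.
        \(*\)) g=${3#\(}; g=${g%\)}; in_list "$g" "$2" ;;
        # a bare name is tried as the login name, then as a group name
        *) [ "$3" = "$1" ] || in_list "$3" "$2" ;;
    esac
}

# list_match USER "GROUPS" "tok tok ..." -> 0 if any token matches
list_match() {
    for t in $3; do token_match "$1" "$2" "$t" && return 0; done
    return 1
}

# users_match USER "GROUPS" "list [EXCEPT list]"
users_match() {
    case " $3 " in
        *" EXCEPT "*) inc=${3%% EXCEPT *}; exc=${3#* EXCEPT } ;;
        *) inc=$3; exc= ;;
    esac
    list_match "$1" "$2" "$inc" || return 1
    [ -z "$exc" ] || ! list_match "$1" "$2" "$exc"
}

# origin_match ORIGIN "tok tok ..."; LOCAL is simplified to "no dot in the
# origin" (a tty or an unqualified host name). Suffix/netmask forms omitted.
origin_match() {
    for t in $2; do
        case $t in
            ALL) return 0 ;;
            LOCAL) case $1 in *.*) ;; *) return 0 ;; esac ;;
            *) [ "$t" = "$1" ] && return 0 ;;
        esac
    done
    return 1
}

# access_decision USER "GROUPS" ORIGIN FILE -> prints ALLOW, DENY or NOMATCH
# and returns 1 only for DENY (where pam_access returns PAM_PERM_DENIED).
access_decision() {
    while IFS= read -r ln || [ -n "$ln" ]; do
        ln=${ln%%#*}                                   # drop comments
        case $ln in *:*:*) ;; *) continue ;; esac      # skip blank/short lines
        perm=$(printf '%s' "${ln%%:*}" | tr -d '[:space:]')
        rest=${ln#*:}
        if users_match "$1" "$2" "${rest%%:*}" && origin_match "$3" "${rest#*:}"; then
            case $perm in
                +) echo ALLOW; return 0 ;;
                -) echo DENY; return 1 ;;
            esac
        fi
    done <"$4"
    echo NOMATCH
    return 0
}

# live_checks USER [ORIGIN]: the checklist from the reply, run on the real
# host (needs its NSS and PAM configuration, so it is not called below).
live_checks() {
    getent passwd "$1" >/dev/null || { echo "NSS cannot resolve user $1 (nsswitch.conf / ldap.conf)"; return 1; }
    echo "groups seen by NSS: $(id -Gn "$1")"
    grep -Ei '^[[:space:]]*UsePAM' /etc/ssh/sshd_config || echo "UsePAM not set in sshd_config"
    grep -l pam_access /etc/pam.d/sshd /etc/pam.d/system-auth 2>/dev/null
    for g in $(sed -n 's/^[^#].*:[^:]*@\([^ :]*\).*/\1/p' /etc/security/access.conf); do
        getent netgroup "$g" >/dev/null 2>&1 || echo "@$g in access.conf but no such netgroup"
    done
    access_decision "$1" "$(id -Gn "$1")" "${2:-ALL}" /etc/security/access.conf
}

# Constructed demo input: the rule set from the post, evaluated for the user
# and client address in the log lines, assuming NSS returns the LDAP group
# 'groupname' for psundaram; then the same intent written with group syntax.
demo=$(mktemp)
printf '%s\n' '+ : root : ALL' '+ : @groupname : ALL' '+ : @groupname2 : ALL' '- : ALL : ALL' >"$demo"
echo "posted rules, psundaram in group groupname: $(access_decision psundaram 'users groupname' 10.12.0.95 "$demo")"
printf '%s\n' '+ : root : ALL' '+ : (groupname) (groupname2) : ALL' '- : ALL : ALL' >"$demo"
echo "group syntax, same user:                    $(access_decision psundaram 'users groupname' 10.12.0.95 "$demo")"
echo "group syntax, user in neither group:        $(access_decision bob users 10.12.0.95 "$demo")"
rm -f "$demo"
```

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>On the affected host, source the script and run <b>live_checks psundaram 10.12.0.95</b>: if <b>id -Gn</b> does not list the LDAP groups, the problem is NSS group resolution (nsswitch.conf and the group mapping in ldap.conf), not access.conf; if it does, the dry run shows which rule the login falls through to. Adding the <b>debug</b> option to the pam_access.so line makes the module log each rule it tries, which is the quickest way to confirm the same thing from the auth log.</span></p>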

</body>

</html>