<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" 
xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<title>RE: [389-users] Access.conf issue</title>
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
 /* List Definitions */
 @list l0
        {mso-list-id:2048096871;
        mso-list-template-ids:694058870;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="2050" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Pam_member_attribute is specific to pam_ldap and, according to
the man page for pam_ldap, is only evaluated if the pam_groupdn option is
specified.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>As far as “LDAP” posixgroups in
/etc/security/access.conf go, I can assure you that the way StPierre
described below will work.  I am using that same type of setup on top of
the pam_groupdn in /etc/ldap.conf. <o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Good luck.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>

<div>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#000099'>Robert M. Tidwell</span></b><span style='color:blue'>  </span><span
style='font-size:13.5pt;font-family:"Arial","sans-serif";color:#666666'>|</span><span
style='color:blue'> </span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#666666'>System Engineer/Architect/Administrator</span><span
style='color:#1F497D'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#666666;letter-spacing:2.0pt'>Acxiom Distributed Systems Central Arkansas</span><span
style='color:#1F497D'><o:p></o:p></span></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#666666'>00-1-501-342-4127 office
| 00-1-501-908-2790 cell | 00-1-501-342-3932 fax<br>
301 East Dave Ward Drive | Conway, AR 72032 | USA | <a
href="http://www.acxiom.com"><span style='color:blue'>www.acxiom.com</span></a></span><span
style='color:#1F497D'><o:p></o:p></span></p>

</div>


<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
fedora-directory-users-bounces@redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] <b>On Behalf Of </b>Prashanth
Sundaram<br>
<b>Sent:</b> Thursday, November 19, 2009 11:29 AM<br>
<b>To:</b> fedora-directory-users@redhat.com<br>
<b>Cc:</b> Rober.Tidwell@acxiom.com<br>
<b>Subject:</b> RE: [389-users] Access.conf issue<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif"'><br>
The user is a part of both groupname and groupname2. I am in testing with
different combinations.<br>
<br>
<i>UsePAM yes </i>is set in /etc/ssh/sshd_config<br>
<br>
The reason for using pam_member_attribute uniquemember is that 389-ds groups
use that attribute for group members (see schema below), so it tells
ldap.conf to look at that attribute to verify members.  CORRECT ME IF I AM
WRONG<br>
<br>
This is the schema of my groups<br>
<i>dn: cn=GroupName,ou=Groups,dc=domain,dc=com<br>
gidNumber: 1010<br>
objectClass: top<br>
objectClass: groupOfUniqueNames<br>
objectClass: posixGroup<br>
<b>uniqueMember:</b> uid=username1,ou=People,dc=domain,dc=com<br>
uniqueMember: uid=username2,ou=People,dc=domain,dc=com<br>
cn: GroupName<br>
</i><br>
True, I tried to put <i>account required pam_access.so</i> in
pam.d/sshd, but since it already includes <i>system-auth</i> (which already
has pam_access), I didn't add it manually to sshd.<br>
<br>
/etc/pam.d/sshd<br>
<b><i>auth       include      system-auth<br>
</i></b><i>account    required     pam_nologin.so<br>
account    include      system-auth<br>
account    required     pam_access.so<br>
password   include      system-auth<br>
session    optional     pam_keyinit.so force revoke<br>
session    include      system-auth<br>
session    required     pam_loginuid.so<br>
</i><br>
<b>What I am trying to accomplish?<br>
</b>I am trying to restrict ssh access to all our servers based on
the group membership of posixgroups (groupname1 & 2). So, say, if a user does
not belong to that project, he/she should not be able to ssh to that box. <br>
<br>
<b>Extra info which might or might not be related</b>: I am using Primary Group for
all users as their uidNumber. I think it is called “User Private
Groups”, where each user’s uidNumber and gidNumber are the same. This is
to facilitate the file/folder ownership in their home folder by using umask
022.<br>
<br>
Stpierre from the #389 IRC channel suggested that the syntax for posixGroups in
access.conf is not @groupname, but to change it to something like below.<br>
<br>
- : ALL EXCEPT root groupname groupname2 : ALL<br>
<br>
<br>
Thanks for your help.<br>
<br>
-Prashanth</span><o:p></o:p></p>

<ul type=disc>
 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
     mso-list:l0 level1 lfo1'><i><span style='font-size:11.0pt;font-family:
     "Calibri","sans-serif"'>From</span></i><span style='font-size:11.0pt;
     font-family:"Calibri","sans-serif"'>: "Tidwell Robert - rtidwe"
     &lt;Robert Tidwell acxiom com&gt; </span><o:p></o:p></li>
 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
     mso-list:l0 level1 lfo1'><i><span style='font-size:11.0pt;font-family:
     "Calibri","sans-serif"'>To</span></i><span style='font-size:11.0pt;
     font-family:"Calibri","sans-serif"'>: &lt;fedora-directory-users redhat
     com&gt; </span><o:p></o:p></li>
 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
     mso-list:l0 level1 lfo1'><i><span style='font-size:11.0pt;font-family:
     "Calibri","sans-serif"'>Subject</span></i><span style='font-size:11.0pt;
     font-family:"Calibri","sans-serif"'>: RE: [389-users] Access.conf issue </span><o:p></o:p></li>
 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
     mso-list:l0 level1 lfo1'><i><span style='font-size:11.0pt;font-family:
     "Calibri","sans-serif"'>Date</span></i><span style='font-size:11.0pt;
     font-family:"Calibri","sans-serif"'>: Wed, 18 Nov 2009 11:15:32 -0600 </span><o:p></o:p></li>
</ul>

<div class=MsoNormal align=center style='text-align:center'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>

<hr size=3 width="100%" align=center>

</span></div>

<p class=MsoNormal><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Title:
<b>Access.conf issue</b></span></i><span style='font-size:11.0pt;font-family:
"Calibri","sans-serif"'> <br>
Is your user a part of the groupname or groupname2 group? And is
“UsePAM yes” set in your sshd_config? Although, I am not
sure that the pam_member_attribute uniquemember is going to work in this
situation. PAM is looking to evaluate that the user is a member of the
group that you specify for “pam_groupdn” in ldap.conf.<br>
<br>
Based on what you are saying, you are simply using pam_access to control
ssh access to the server. But instead of the pam_access line being in
system-auth, I have it in /etc/pam.d/sshd, which it looks like yours is also,
based on the error messages.<br>
<br>
Robert</span><o:p></o:p></p>
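
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>The
thread turns on how pam_access reads the users/groups field of
/etc/security/access.conf: a bare name matches either a login or a POSIX group of
that name, while an @name entry is looked up as a NIS netgroup, which is why the
@groupname form did not match the LDAP posixGroup and the "ALL EXCEPT root
groupname groupname2" line does. The script below is an added example that
simulates that first-match, ALL/EXCEPT evaluation; it is not code from the
thread or from pam_access itself. The group and netgroup tables are constructed
stand-ins for the NSS lookups (getgrouplist, innetgr) the real module performs,
and the access.conf text is a constructed sample built around the line suggested
in the thread.</span></p>

```python
"""Simulation of pam_access rule matching for /etc/security/access.conf.

Added example: not pam_access's source and not code from the mailing-list
thread.  GROUPS and NETGROUPS are constructed stand-ins for the NSS lookups
that the real module performs.
"""

# Constructed access.conf: a '+' line using the '@groupname' form, followed by
# the deny line suggested in the thread.  To pam_access, '@name' is a NIS
# netgroup, so the first line never matches a POSIX group called groupname.
ACCESS_CONF = """\
# permission : users/groups : origins
+ : @groupname : ALL
- : ALL EXCEPT root groupname groupname2 : ALL
"""

# Constructed stand-in for 'getent group': group name -> member logins
GROUPS = {
    "groupname": {"username1", "username2"},
    "groupname2": {"username1"},
    "wheel": {"root"},
}
# Constructed stand-in for NIS netgroups: none are defined on this host
NETGROUPS = {}


def _split_except(field):
    """Split a field into (items, except_items); EXCEPT may appear once."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_access_conf(text):
    """Return (permit, users_field, origins_field) rules in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append((parts[0] == "+", _split_except(parts[1]), _split_except(parts[2])))
    return rules


def _user_item_matches(item, user, groups, netgroups):
    """One entry of the users/groups field checked against a login name."""
    if item == "ALL":
        return True
    if item.startswith("@"):                          # @name: NIS netgroup lookup
        return user in netgroups.get(item[1:], set())
    if item.startswith("(") and item.endswith(")"):   # (name): force a group match
        return user in groups.get(item[1:-1], set())
    # bare name: the login itself, otherwise a POSIX group of that name
    return item == user or user in groups.get(item, set())


def _origin_item_matches(item, origin):
    """One entry of the origins field; hosts and ttys are compared literally here."""
    return item == "ALL" or item == origin


def _field_matches(field, match_fn):
    """A field matches if an item before EXCEPT matches and none after it does."""
    items, excepts = field
    return any(match_fn(i) for i in items) and not any(match_fn(e) for e in excepts)


def check_access(text, user, origin, groups=GROUPS, netgroups=NETGROUPS):
    """True if access is granted.  The first rule whose users and origins
    fields both match decides; with no matching rule pam_access grants access."""
    for permit, users_field, origins_field in parse_access_conf(text):
        if (_field_matches(users_field, lambda i: _user_item_matches(i, user, groups, netgroups))
                and _field_matches(origins_field, lambda i: _origin_item_matches(i, origin))):
            return permit
    return True


if __name__ == "__main__":
    for login in ("username1", "username2", "root", "outsider"):
        verdict = "permit" if check_access(ACCESS_CONF, login, "10.0.0.5") else "deny"
        print(f"{login:10s} from 10.0.0.5 -> {verdict}")
```

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Running
it shows username1, username2 and root falling through the deny line (they are in
its EXCEPT list) and being granted by the default, while an account in neither
group is denied. Replacing the deny line with "- : ALL EXCEPT @groupname : ALL"
denies username1 as well, because no netgroup of that name exists; that is the
symptom of using the @ form for a POSIX group.</span></p>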

</div>

</body>

</html>