[Fedora-directory-users] Apache Auth/pam_check_host_attr?

Brian Kosick bkosick at mxlogic.com
Thu Jan 4 20:05:58 UTC 2007


On Wed, 2007-01-03 at 17:03 -0700, Brian Kosick wrote:
> Hi All,
> 
> I've been using FDS for quite a while now, and I'd just like to say I
> love it, great job!  I'm posting this question because I've been banging
> my head for a while about it.
> 
> I'm using FDS as the central Auth server in a pretty much all RH/FC
> environment, and currently use pam_check_host_attr to control which
> users are allowed to login to which servers.   All was working great
> until I upgraded our internal WWW server from RHEL3 to FC6.   The WWW
> server is/was using the mod_authz_ldap apache module to control what groups
> were allowed to login to certain sections of the website.  After the
> upgrade to FC6, group restrictions stopped working.  Basically, apache
> +mod_authz_ldap started denying users that didn't have the WWW server in
> the hosts attribute.
> 
> My goal is to allow/dis-allow SSH/telnet etc etc using
> pam_check_host_attr, but still allow them to login to the http areas of
> the server using ldap groups.
> 
> Here's my authz_ldap conf
> 
> <Directory /var/TEMP/>
>       AuthType                  Basic
>       AuthName                  "Temporary Folder to Disseminate files"
> 
>       AuthzLDAPAuthoritative    On
>       AuthzLDAPMethod           ldap
>       AuthzLDAPProtocolversion  3
>       #AuthzLDAPLogLevel         debug
>       AuthzLDAPServer           server.domain.com
> 
>       AuthzLDAPUserBase         ou=People,dc=corp,dc=domain,dc=com
>       AuthzLDAPUserKey          uid
> 
>       AuthzLDAPGroupBase        ou=Groups,dc=corp,dc=domain,dc=com
>       AuthzLDAPGroupkey         cn
>       AuthzLDAPMemberKey        uniquemember
>       AuthzLDAPSetGroupAuth     ldapdn
> 
>       Require group qausers dev ops psg threat se
> 
>    </Directory>
> 
> Like I said, this used to work the way I wanted with RHEL3 and an older
> version of mod_authz_ldap; can anyone point the way for me?  Now with
> FC6 and the authz_ldap that comes with it, I get this error in the
> httpd_error.log:
> 
> [error] [client 10.30.0.200] PAM: user 'test'  - invalid account:
> Permission denied
> 
> Now, it only works when I add the FQDN for the WWW server to the user's
> hosts attribute.  But then the user can SSH to the server also (which I
> don't want).
> 
> 
> Also asking a second question, can you use hostobject or account with
> groups in order to restrict logins using pam_check_host_attr?
> 
> 
> I thank you in advance for any pointers, suggestions, or kicks to the
> head that will help me resolve my problem.
> 
Dang, I smoke some good crack.   I figured it out.   I had accidentally?
installed the mod_auth_pam rpm; I rpm -e'd it and restarted httpd, and
it works like I want it to.

It looks like the mod_auth_pam rpm forces the ldap queries to go through
system pam, which was enforcing my pam_check_host_attr setting.

However, I would still like to know if I can use hostObject and hosts
with a Group and whether or not that will satisfy the
pam_check_host_attr requirement.

Thanks,

-- 
Brian Kosick
bkosick at mxlogic.com
720-895-5449
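The diagnosis above (mod_auth_pam pushing web logins through system PAM, so the pam_check_host_attr host check ran in front of mod_authz_ldap's group check) can be made concrete with a small model. The following is an added example, not code from this thread or from either module: it evaluates the two authorization paths over a constructed in-memory directory. The entries, the hostnames www.corp.domain.com and shell1.corp.domain.com, and the uid values are made up; the group list is the Require line from the posted config. The host-attribute semantics (the user's "host" attribute must list this machine, or "*" for any host; no attribute means denial) follow my reading of the pam_ldap documentation and are an assumption here, as is the ordering of PAM before the group check when mod_auth_pam is loaded.

```python
# Added illustration (not from the thread): models the SSH path (PAM only) and the
# web path (PAM first only when mod_auth_pam is installed, then mod_authz_ldap's
# group requirement) over a constructed directory.

USER_BASE = "ou=People,dc=corp,dc=domain,dc=com"
GROUP_BASE = "ou=Groups,dc=corp,dc=domain,dc=com"
WWW_HOST = "www.corp.domain.com"        # constructed hostname of the web server
SHELL_HOST = "shell1.corp.domain.com"   # constructed hostname of a shell server
REQUIRED_GROUPS = ["qausers", "dev", "ops", "psg", "threat", "se"]  # from the Require line

# Constructed entries; values are lists because LDAP attributes are multi-valued.
DIRECTORY = {
    f"uid=test,{USER_BASE}":  {"uid": ["test"],  "host": [SHELL_HOST]},  # shell host only
    f"uid=admin,{USER_BASE}": {"uid": ["admin"], "host": ["*"]},         # any host
    f"uid=guest,{USER_BASE}": {"uid": ["guest"]},                        # no host attribute
    f"uid=loner,{USER_BASE}": {"uid": ["loner"], "host": ["*"]},         # in no group
    f"cn=qausers,{GROUP_BASE}": {"uniquemember": [f"uid=test,{USER_BASE}"]},
    f"cn=ops,{GROUP_BASE}": {"uniquemember": [f"uid=admin,{USER_BASE}",
                                              f"uid=guest,{USER_BASE}"]},
}


def find_user_dn(uid):
    """Mimic AuthzLDAPUserKey uid: locate the entry under the user base with this uid."""
    for dn, attrs in DIRECTORY.items():
        if dn.endswith("," + USER_BASE) and uid in attrs.get("uid", []):
            return dn
    return None


def pam_check_host_attr(user_dn, this_host):
    """Assumed pam_ldap behaviour: 'host' must name this machine or be '*';
    an entry without a host attribute is denied."""
    hosts = DIRECTORY.get(user_dn, {}).get("host", [])
    return "*" in hosts or this_host in hosts


def in_required_group(user_dn, required=REQUIRED_GROUPS):
    """mod_authz_ldap 'Require group' with MemberKey uniquemember, matched by DN."""
    for name in required:
        group = DIRECTORY.get(f"cn={name},{GROUP_BASE}", {})
        if user_dn in group.get("uniquemember", []):
            return True
    return False


def ssh_login(uid, this_host):
    """Shell login path: only the PAM host check decides."""
    dn = find_user_dn(uid)
    if dn is None:
        return "denied: unknown user"
    return "allowed" if pam_check_host_attr(dn, this_host) else "denied: invalid account"


def web_login(uid, mod_auth_pam_installed, this_host=WWW_HOST):
    """Web path: with mod_auth_pam loaded the request hits system PAM (and so the
    host check) before the LDAP group requirement is evaluated."""
    dn = find_user_dn(uid)
    if dn is None:
        return "denied: unknown user"
    if mod_auth_pam_installed and not pam_check_host_attr(dn, this_host):
        return "denied: invalid account"   # the "PAM: user ... invalid account" symptom
    if not in_required_group(dn):
        return "denied: not in a required group"
    return "allowed"


if __name__ == "__main__":
    for uid in ("test", "admin", "guest", "loner"):
        print(f"{uid:6} ssh@shell1: {ssh_login(uid, SHELL_HOST):24} "
              f"ssh@www: {ssh_login(uid, WWW_HOST):24} "
              f"web+mod_auth_pam: {web_login(uid, True):24} "
              f"web after rpm -e: {web_login(uid, False)}")
```

Running it shows the situation from the post: user test can SSH to shell1 but not to the web server, is refused on the web with mod_auth_pam present, and is admitted by group membership once mod_auth_pam is gone, without the web server ever being added to the host attribute.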