[Fedora-directory-users] Apache Auth/pam_check_host_attr?
Brian Kosick
bkosick at mxlogic.com
Thu Jan 4 20:05:58 UTC 2007
On Wed, 2007-01-03 at 17:03 -0700, Brian Kosick wrote:
> Hi All,
>
> I've been using FDS for quite a while now, and I'd just like to say I
> love it great job! I'm posting this question because I've been banging
> my head for awhile about it.
>
> I'm using FDS as the central Auth server in a pretty much all RH/FC
> environment, and currently use pam_check_host_attr to control which
> users are allowed to login to which servers. All was working great
> until I upgraded our internal WWW server from RHEL3 to FC6. The WWW
> server is/was using mod_authz_ldap apache module to control what groups
> were allowed to login to certain sections of the website, after the
> upgrade to FC6, group restrictions stopped working. Basically, apache
> +mod_authz_ldap started denying users that didn't have the WWW server in
> the hosts attribute.
>
> My goal is to allow/dis-allow SSH/telnet etc etc using
> pam_check_host_attr, but still allow them to login to the http areas of
> the server using ldap groups.
>
> Here's my authz_ldap conf
>
> <Directory /var/TEMP/>
> AuthType Basic
> AuthName "Temporary Folder to Disseminate files"
>
> AuthzLDAPAuthoritative On
> AuthzLDAPMethod ldap
> AuthzLDAPProtocolversion 3
> #AuthzLDAPLogLevel debug
> AuthzLDAPServer server.domain.com
>
> AuthzLDAPUserBase ou=People,dc=corp,dc=domain,dc=com
> AuthzLDAPUserKey uid
>
> AuthzLDAPGroupBase ou=Groups,dc=corp,dc=domain,dc=com
> AuthzLDAPGroupkey cn
> AuthzLDAPMemberKey uniquemember
> AuthzLDAPSetGroupAuth ldapdn
>
> Require group qausers dev ops psg threat se
>
> </Directory>
>
> Like I said this used to work the way I wanted with RHEL3 and an older
> version of mod_authz_ldap, can anyone point the way for me? Now with
> FC6 and the authz_ldap that comes with it, I get the error in the
> httpd_error.log:
>
> [error] [client 10.30.0.200] PAM: user 'test' - invalid account:
> Permission denied
>
> Now, it only works when I add the FQDN for the WWW server to the users
> hosts attribute. But then the user can SSH to the server also (which I
> don't want).
>
>
> Also asking a second question, can you use hostobject or account with
> groups in order to restrict logins using pam_check_host_attr?
>
>
> I thank you in advance for any pointers, suggestions, or kicks to the
> head that will help me resolve my problem.
>
Dang I smoke some good crack. I figured it out. I had accidentally?
installed the mod_auth_pam rpm, I rpm -e 'd it, and restarted httpd, and
it works like I want it to.
It looks like the mod_auth_pam rpm forces the ldap queries to go through
system pam which was enforcing my pam_check_host_attr setting.
However I would still like to know if I can use hostObject and hosts
with a Group and whether or not that will satisfy the
pam_check_host_attr requirement.
Thanks,
--
Brian Kosick
bkosick at mxlogic.com
720-895-5449
More information about the Fedora-directory-users
mailing list