[389-users] Access.conf issue

Tidwell Robert - rtidwe Robert.Tidwell at acxiom.com
Wed Nov 18 17:15:32 UTC 2009

Is your user a part of the groupname or groupname2 group? 


And, is "UsePAM yes" set in your sshd_config?


Although, I am not sure that the pam_member_attribute uniquemember is
going to work in this situation.  PAM is looking to evaluate that the
user is a member of the group that you specify for "pam_groupdn" in


Based on what you are saying, you are simply using pam_access to
control ssh access to the server.  But instead of the pam_access line
being in system_auth, I have it in /etc/pam.d/sshd, which it looks like
yours is also based on the error messages.


What exactly are you trying to accomplish?




Robert M. Tidwell  | System Engineer/Architect/Administrator

Acxiom Distributed Systems Central Arkansas

00-1-501-342-4127 office | 00-1-501-908-2790 cell | 00-1-501-342-3932
301 East Dave Ward Drive | Conway, AR 72032 | USA | www.acxiom.com


From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of
Prashanth Sundaram
Sent: Wednesday, November 18, 2009 11:06 AM
To: fedora-directory-users at redhat.com
Subject: [389-users] Access.conf issue



I have set up the LDAP server with PAM PassThrough and need help in
figuring out the access.conf without use of netgroups. Can I simply use
the groups with access.conf?

I am only able to ssh as root, but not with any ldap account. I was able
to ssh before making changes for the pam_access.

Here are the files I edited.

pam_member_attribute uniquemember  (since 389-ds uses uniquemember for
group membership)
uri ldap://ldap.domain.com:389/
tls_checkpeer yes
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5
tls_cacertfile /etc/pki/tls/certs/ca-cert.crt

+ : root : ALL
+ : @groupname : ALL
+ : @groupname2 : ALL
- : ALL : ALL

authconfig  --enableldap --enableldapauth --disablenis --enablecache
--ldapserver=ldap.domain.com --ldapbasedn=dc=ldapdomain,dc=com
--enableldaptls --disablekrb5 --krb5kdc=AD.ADdomain.com
--krb5adminserver=AD.ADdomain.com --krb5realm=ADDOMAIN.COM
--enablekrb5kdcdns --enablekrb5realmdns --enablepamaccess
--enablemkhomedir --enablelocauthorize -updateall

account     required   pam_access.so

Here's the error message I got. I see that krb5 is accepting my
password but pam_access is blocking me.
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=  user=psundaram
Nov 18 11:01:44 wgldap01 sshd[8995]: pam_krb5[8995]: authentication
succeeds for 'psundaram' (psundaram at ADDOMAIN.COM)
Nov 18 11:01:45 wgldap01 sshd[8995]: pam_access(sshd:account): access
denied for user `psundaram' from `'
Nov 18 11:01:45 wgldap01 sshd[8995]: pam_access(sshd:account): access
denied for user `psundaram' from `'
Nov 18 11:01:45 wgldap01 sshd[8996]: fatal: Access denied for user
psundaram by PAM account configuration
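To make the failure mode in the log above concrete, here is a small model of how pam_access evaluates the access.conf quoted in the thread. This is an added example, not code from either poster or from Linux-PAM: it re-implements the first-matching-rule logic of pam_access in simplified form (user/group field, origin field, grant-by-default when nothing matches). The group memberships it feeds in are constructed (`CONSTRUCTED_NSS_GROUPS`, with the hypothetical user `alice`); on a real host pam_access resolves `@groupname` through NSS (`getent group`), not through pam_ldap's `pam_groupdn` / `pam_member_attribute` settings, so if NSS cannot see the LDAP group's members, the user falls through to `- : ALL : ALL` exactly as in the log.

```python
"""Simplified model of pam_access rule evaluation (added example, not from the thread).

pam_access walks /etc/security/access.conf top to bottom and applies the
first rule whose user/group field and origin field both match; if no rule
matches, access is granted. A token starting with '@' names a group (or
netgroup), and ordinary group membership is resolved through NSS.
"""
import os
from dataclasses import dataclass

# access.conf contents quoted in the thread above.
ACCESS_CONF = """\
+ : root : ALL
+ : @groupname : ALL
+ : @groupname2 : ALL
- : ALL : ALL
"""

# Constructed NSS group memberships for the illustration (alice is hypothetical).
# On a real host these come from getent group / os.getgrouplist(), i.e. from
# nss_ldap, which must be able to read the LDAP group's member attribute.
CONSTRUCTED_NSS_GROUPS = {
    "psundaram": [],                  # LDAP group not visible through NSS
    "alice": ["groupname", "users"],  # membership resolved correctly
}


@dataclass
class Rule:
    permit: bool
    users: list     # user names, @group names, or ALL
    origins: list   # host/tty names, ALL, or LOCAL


def parse_access_conf(text):
    """Parse access.conf lines of the form 'permission : users : origins'."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"access.conf line {lineno}: malformed rule {raw!r}")
        rules.append(Rule(fields[0] == "+", fields[1].split(), fields[2].split()))
    return rules


def user_matches(token, user, groups):
    if token == "ALL":
        return True
    if token.startswith("@"):
        return token[1:] in groups   # group membership as NSS reports it
    return token == user


def origin_matches(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":
        # pam_access has historically treated an origin without a dot as local
        return "." not in origin
    return token == origin


def evaluate(rules, user, groups, origin):
    """Return (permitted, index of the deciding rule, or None if nothing matched)."""
    for idx, rule in enumerate(rules):
        if any(user_matches(t, user, groups) for t in rule.users) and \
           any(origin_matches(t, origin) for t in rule.origins):
            return rule.permit, idx
    return True, None   # pam_access grants access when no rule matches


def nss_groups(user):
    """Group names for `user` as this host's NSS sees them (empty if unknown)."""
    import grp
    import pwd
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return []
    names = []
    for gid in os.getgrouplist(user, pw.pw_gid):
        try:
            names.append(grp.getgrgid(gid).gr_name)
        except KeyError:
            pass   # gid with no group entry; skip it
    return names


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    for name, groups in CONSTRUCTED_NSS_GROUPS.items():
        permitted, idx = evaluate(rules, name, groups, "")  # empty origin, as in the log
        decided_by = ACCESS_CONF.splitlines()[idx] if idx is not None else "default"
        verdict = "permit" if permitted else "DENY"
        print(f"{name:10} groups={groups!r:25} -> {verdict} ({decided_by})")
```

Running it prints a deny for `psundaram` (decided by `- : ALL : ALL`) and a permit for `alice` (decided by `+ : @groupname : ALL`). The practical check on the affected host is therefore `getent group groupname`, or `nss_groups("psundaram")` from this script: if the user is not listed there, pam_access will deny regardless of how pam_ldap's group settings are configured.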


