[389-users] Access.conf issue

Prashanth Sundaram psundaram at wgen.net
Thu Nov 19 17:28:30 UTC 2009 

The user is a part of both groupname and groupname2. I am in testing with
different combinations.

UsePAM yes is set in /etc/ssh/sshd_config

Reason for using pam_member_attribute uniquemember is because 389-ds groups
uses that attribute for group members.(see schema below) So to tell the
ldap.conf to look at that attribute to verify members.  CORRECT ME IF I AM
WRONG

This is the schema of my groups
dn: cn=GroupName,ou=Groups, dc=domain, dc=com
 gidNumber: 1010
 objectClass: top
 objectClass: groupOfUniqueNames
 objectClass: posixGroup
 uniqueMember: uid=username1,ou=People,dc=domain,dc=com
 uniqueMember: uid=username2,ou=People,dc=domain,dc=com
 cn: GroupName

True, I tried to put the account required pam_access.so to the pam.d/sshd,
but since it already includes the system-auth(which already has pam_access).
Hence I didn;t add manually to sshd.

/etc/pam.d/sshd
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
account    required     pam_access.so
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

What I am trying to accomplish?
I am trying to restrict  the ssh access to all our servers based on the
groupmembership of posixgroups(groupname1 & 2). So say if a user does not
belong to that project he/she should not be able to ssh to that box.

Extra info which might or not be related: I am using Primary Group for all
users as their uidNumber. I think it is called ³User Private Groups² where
each user¹s uidNumber and gidNumber are same. This is to facilitate the
file/folders ownership in their home folder by using umask 022.

Stpierre from #389 IRC channel suggested that the syntax for posixGroups in
access.conf is not @groupname. But to change it something like below.

- : ALL EXCEPT root groupname groupname2 : ALL


Thanks for you help.

-Prashanth

* From: "Tidwell Robert - rtidwe" <Robert Tidwell acxiom com>
* To: <fedora-directory-users redhat com>
* Subject: RE: [389-users] Access.conf issue
* Date: Wed, 18 Nov 2009 11:15:32 -0600

Title: Access.conf issue
Is your user a part of the groupname or groupname2 group?    And, is ³UsePAM
yes² and set in your sshd_config?   Although, I am not sure that the
pam_member_attribute uniquemember is going to work in this situation.  Pam
is looking to evaluate that the user is a member of the group that you
specify for ³pam_groupdn² in ldap.conf.    Based on what you are saying, you
are simply using pam_access to control ssh access to the server.  But
instead of the pam_access line being in system_auth, I have it in
/etc/pam.d/sshd, which it looks like yours is also based on the error
messages.      Robert

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20091119/1cf3817f/attachment.htm>

More information about the Fedora-directory-users mailing list