[389-users] Access.conf issue

Tidwell Robert - rtidwe Robert.Tidwell at acxiom.com
Thu Nov 19 19:55:15 UTC 2009

Pam_member_attribute is specific to pam_ldap and, according to the man
page for pam_ldap, is only evaluated if the pam_groupdn option is


As far as "LDAP" posixgroups in /etc/security/access.conf, I can assure
you that the way  StPierre described below will work.  I am using that
same type of setup on top of the pam_groupdn in /etc/ldap.conf. 


Good luck.


Robert M. Tidwell  | System Engineer/Architect/Administrator

Acxiom Distributed Systems Central Arkansas

00-1-501-342-4127 office | 00-1-501-908-2790 cell | 00-1-501-342-3932
301East Dave Ward Drive | Conway, AR 72032 | USA | www.acxiom.com


From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of
Prashanth Sundaram
Sent: Thursday, November 19, 2009 11:29 AM
To: fedora-directory-users at redhat.com
Cc: Rober.Tidwell at acxiom.com
Subject: RE: [389-users] Access.conf issue


The user is a part of both groupname and groupname2. I am in testing
with different combinations.

UsePAM yes is set in /etc/ssh/sshd_config

Reason for using pam_member_attribute uniquemember is because 389-ds
groups uses that attribute for group members.(see schema below) So to
tell the ldap.conf to look at that attribute to verify members.  CORRECT

This is the schema of my groups
dn: cn=GroupName,ou=Groups, dc=domain, dc=com
 gidNumber: 1010
 objectClass: top
 objectClass: groupOfUniqueNames
 objectClass: posixGroup
uniqueMember: uid=username1,ou=People,dc=domain,dc=com
 uniqueMember: uid=username2,ou=People,dc=domain,dc=com
 cn: GroupName

True, I tried to put the account required pam_access.so to the
pam.d/sshd, but since it already includes the system-auth(which already
has pam_access). Hence I didn;t add manually to sshd.

auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
account    required     pam_access.so
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

What I am trying to accomplish?
I am trying to restrict  the ssh access to all our servers based on the
groupmembership of posixgroups(groupname1 & 2). So say if a user does
not belong to that project he/she should not be able to ssh to that box.

Extra info which might or not be related: I am using Primary Group for
all users as their uidNumber. I think it is called "User Private Groups"
where each user's uidNumber and gidNumber are same. This is to
facilitate the file/folders ownership in their home folder by using
umask 022.

Stpierre from #389 IRC channel suggested that the syntax for posixGroups
in access.conf is not @groupname. But to change it something like below.

- : ALL EXCEPT root groupname groupname2 : ALL

Thanks for you help.


*	From: "Tidwell Robert - rtidwe" <Robert Tidwell acxiom com> 
*	To: <fedora-directory-users redhat com> 
*	Subject: RE: [389-users] Access.conf issue 
*	Date: Wed, 18 Nov 2009 11:15:32 -0600 


Title: Access.conf issue 
Is your user a part of the groupname or groupname2 group?    And, is
"UsePAM yes" and set in your sshd_config?   Although, I am not sure that
the pam_member_attribute uniquemember is going to work in this
situation.  Pam is looking to evaluate that the user is a member of the
group that you specify for "pam_groupdn" in ldap.conf.    Based on what
you are saying, you are simply using pam_access to control ssh access to
the server.  But instead of the pam_access line being in system_auth, I
have it in /etc/pam.d/sshd, which it looks like yours is also based on
the error messages.      Robert

The information contained in this communication is confidential, is
intended only for the use of the recipient named above, and may be legally

If the reader of this message is not the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this
communication is strictly prohibited.

If you have received this communication in error, please resend this
communication to the sender and delete the original message or any copy
of it from your computer system.

Thank You.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20091119/aeca5b96/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.gif
Type: image/gif
Size: 2865 bytes
Desc: image001.gif
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20091119/aeca5b96/attachment.gif>

More information about the Fedora-directory-users mailing list