ldap.conf: 'pam_groupdn' being completely ignored?
Bevan C. Bennett
bevan at fulcrummicro.com
Tue Jan 6 19:51:54 UTC 2004
Brian Jones wrote:
> Hi,
>
> Just looking for confirmation: Anyone using fedora core 1 with
> 'pam_groupdn' enabled in the ldap.conf file? I've used this before on RH
> 9 without a problem, but now I'm not even seeing any searches going to
> my LDAP server at all with regard to the value in pam_groupdn. It's as
> if the value is being completely ignored. No errors either.
No help with pam_groupdn, but if what you're trying to accomplish is,
for example, to only allow administrative ssh access to a server, you
might want to try something like the following instead:
Add the following line into /etc/pam.d/sshd
account required pam_access.so
(also into telnetd and any other services you want to restrict)
Add the following list to /etc/security/access.conf
-:ALL EXCEPT wheel itgroup:ALL
Where 'itgroup' is a POSIX group containing your allowed users, possibly
stored in LDAP.
I dimly recall playing with pam_groupdn for awhile then abandoning those
efforts in favor of this approach.
More information about the fedora-list
mailing list