pam_ldap authentication based on pam_groupdn
Jason Lixfeld
jason+lists.pam at lixfeld.ca
Mon Oct 18 02:28:33 UTC 2004
I'm wondering if someone can point out my error here. I've got PAM
authenticating ssh users like so:
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so config=/usr/local/etc/openldap/ldap-ssh.conf debug try_first_pass
auth required pam_unix.so no_warn try_first_pass
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so debug
account required pam_unix.so
session required pam_permit.so
password sufficient /usr/local/lib/pam_ldap.so debug
password required pam_unix.so no_warn try_first_pass
bash-2.05b# cat /usr/local/etc/openldap/ldap-ssh.conf
host 127.0.0.1
base dc=example,dc=com
rootbinddn cn=proxyuser,dc=example,dc=com
scope one
#pam_filter objectclass=posixaccount
#pam_login_attribute uid
pam_groupdn cn=ssh,ou=groups,dc=example,dc=com
pam_member_attribute memberuid
pam_password SSHA
nss_base_passwd ou=users,dc=example,dc=com?one
nss_base_shadow ou=users,dc=example,dc=com?one
nss_base_group ou=groups,dc=example,dc=com?one
So I'm trying to permit users who are only members of the group "ssh".
As per this ldap entry below, this one user should only be permitted to
ssh in:
dn: cn=ssh,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ssh
gidNumber: 10009
memberUid: testuser.discord.ca
This isn't working. Anyone can ssh in so I'm not sure what I'm doing
wrong.
I have an nss_ldap.conf which the pam queries also, but will a config
explicitly configured as I have done above override the
nss_ldap.conf?
Any ideas?
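The following is an added illustration, not code from the post, pam_ldap or OpenPAM. It re-joins the posted auth stack onto single lines, parses it, and walks it with the usual required / requisite / sufficient semantics so that the effect of the control flags on the cn=ssh restriction can be seen directly. The module verdicts are constructed assumptions: pam_ldap is assumed to return failure for a login that is not listed as a memberUid of the group (modelled as a verbatim comparison of the login name against the memberUid values), pam_opie is assumed not to succeed for a user without an OPIE key while pam_opieaccess lets that user continue, and pam_unix's result is passed in as a parameter because it depends on whether the user has a local password (or a shadow entry reachable through NSS). The group list and the login names used are constructed. The point the walk makes is that a failing "sufficient" module never denies access by itself; control just passes to the next line, so the stack as posted only refuses a non-member if pam_unix also refuses them, whereas with the LDAP line marked "required" a non-member is refused regardless of pam_unix (the HARDENED_PAM variant below, included to show the contrast, not offered as the right fix for every site).

```python
import os
from typing import Dict, List, Tuple

# The auth/account lines from the post, re-joined onto single lines
# (constructed copy of the posted stack; the module paths are the post's own).
POSTED_PAM = """\
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so config=/usr/local/etc/openldap/ldap-ssh.conf debug try_first_pass
auth required pam_unix.so no_warn try_first_pass
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so debug
account required pam_unix.so
"""

# Same stack with the LDAP auth line marked "required" (constructed variant).
HARDENED_PAM = POSTED_PAM.replace(
    "auth sufficient /usr/local/lib/pam_ldap.so",
    "auth required /usr/local/lib/pam_ldap.so",
)

# Constructed memberUid values for cn=ssh (assumption, not the post's entry).
SSH_GROUP_MEMBERUID = ["testuser"]


def parse_pam_stack(config_text: str, facility: str) -> List[Tuple[str, str]]:
    """Return [(control, module_basename), ...] for one facility (auth, account, ...)."""
    stack: List[Tuple[str, str]] = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#") or parts[0] != facility:
            continue
        stack.append((parts[1], os.path.basename(parts[2])))
    return stack


def in_group(login: str, member_uids: List[str]) -> bool:
    """Model of a pam_groupdn check with pam_member_attribute memberuid:
    the login name must appear verbatim among the memberUid values (assumption)."""
    return login in member_uids


def run_stack(stack: List[Tuple[str, str]], outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate required / requisite / sufficient / optional control flags.

    `outcomes` maps module basename -> True (success) / False (failure);
    a module missing from the map counts as failure.  Returns (granted, trace).
    """
    failed_required = False
    trace: List[str] = []
    for control, module in stack:
        ok = outcomes.get(module, False)
        trace.append(f"{control:<10} {module:<18} {'success' if ok else 'failure'}")
        if control == "requisite" and not ok:
            trace.append("requisite failed: stack aborts, access denied")
            return False, trace
        if control == "required" and not ok:
            failed_required = True  # keep walking, but the verdict is already "deny"
        if control == "sufficient" and ok and not failed_required:
            trace.append("sufficient succeeded: stack returns, access granted")
            return True, trace
        # "optional" never decides the stack on its own
    return not failed_required, trace


def decide(login: str, config_text: str, unix_password_ok: bool) -> bool:
    """Auth-facility verdict for `login` under the assumed module outcomes."""
    outcomes = {
        "pam_nologin.so": True,      # assume /var/run/nologin is absent
        "pam_opie.so": False,        # assume the user has no OPIE key
        "pam_opieaccess.so": True,   # assume allow_local lets such a user continue
        "pam_ldap.so": in_group(login, SSH_GROUP_MEMBERUID),
        "pam_unix.so": unix_password_ok,
    }
    granted, _ = run_stack(parse_pam_stack(config_text, "auth"), outcomes)
    return granted


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_PAM), ("ldap required", HARDENED_PAM)):
        for user, unix_ok in (("testuser", True), ("alice", True), ("alice", False)):
            verdict = "granted" if decide(user, cfg, unix_ok) else "denied"
            print(f"[{label}] {user:<9} pam_unix_ok={unix_ok!s:<5} -> {verdict}")
```

Run as-is it prints one verdict per scenario; the "alice" row with pam_unix succeeding is the case that matches the symptom in the post, since the non-member is granted access through the fall-through to pam_unix under the posted stack.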