getting group info from openldap

John Beck jbeck at nasaprs.com
Thu Aug 10 17:53:21 UTC 2006


I've been told this might be a pam_ldap issue. Please let me know what 
files/output I'd need to include (if anything is lacking).

  We use openldap 2.3 on Red Hat Enterprise Linux ES release 4 (Nahant 
Update 3).

The user's primary group is stored in the gid attribute in their entry, 
but additional group memberships are configured by adding a memberUID 
with the user's username to the posixGroup entry for the group.

  When the user logs in, they authenticate against OpenLDAP correctly, 
but the only group information that seems to follow them to the server 
is the gid listed in their user entry. Our client servers run RH ES 3 or 4.

  I've been fighting this for quite a while now; I've been reading this 
list and the archives as well as online docs.

/etc/pam.d/login
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

/etc/pam.d/passwd
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth

Our clients' ldap.conf:

host 172.30.3.X
# The distinguished name of the search base.
base ou=People,dc=ourname,dc=com
sudoers_base ou=People,dc=ourname,dc=com
uri ldap://172.30.3.X/
binddn cn=Manager,dc=ourname,dc=com
bindpw ourtopsecretpassword
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#psecretam_member_attribute uniquemember
pam_password md5
ssl no

#end ldap.con

Thank you,
-John B

-- 
John D. Beck, CCNA, RSA CSA & CSIE, Sys Admin / Security Engineer
Global Science and Technology (GST)
jbeck at nasaprs.com
Phone: 202.479.9030 #427
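
An added example, not part of the original post: a small Python model of the RFC 2307 layout the message describes (primary group in the user entry, supplementary groups through memberUid on posixGroup entries), showing which groups a lookup can find under a given search base. The entries, the user jdoe and the ou=Groups subtree are constructed assumptions; the post does not say where its group entries live.

```python
# Constructed sample directory (DN -> attributes); none of this comes from the post.
ENTRIES = {
    "uid=jdoe,ou=People,dc=ourname,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["jdoe"], "gidNumber": ["500"]},
    "cn=staff,ou=Groups,dc=ourname,dc=com": {
        "objectClass": ["posixGroup"], "gidNumber": ["500"], "memberUid": []},
    "cn=wheel,ou=Groups,dc=ourname,dc=com": {
        "objectClass": ["posixGroup"], "gidNumber": ["600"], "memberUid": ["jdoe"]},
    "cn=dba,ou=Groups,dc=ourname,dc=com": {
        "objectClass": ["posixGroup"], "gidNumber": ["700"], "memberUid": ["asmith"]},
}
PEOPLE_BASE = "ou=People,dc=ourname,dc=com"  # the base from the posted ldap.conf
ROOT_BASE = "dc=ourname,dc=com"              # assumed parent of People and Groups


def in_subtree(dn, base):
    """True if dn is base or lies beneath it (naive split, no escaped commas)."""
    d = [rdn.strip().lower() for rdn in dn.split(",")]
    b = [rdn.strip().lower() for rdn in base.split(",")]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def search(base, object_class, attr, value):
    """Subtree search confined to base, as a client with one search base sees it."""
    for dn, attrs in ENTRIES.items():
        if (in_subtree(dn, base) and object_class in attrs["objectClass"]
                and value in attrs.get(attr, [])):
            yield dn, attrs


def resolve_gids(user, passwd_base, group_base):
    """Return (primary gid, sorted supplementary gids) visible from the given bases."""
    account = next(search(passwd_base, "posixAccount", "uid", user), None)
    if account is None:
        raise LookupError("no posixAccount for %r under %s" % (user, passwd_base))
    primary = int(account[1]["gidNumber"][0])
    # Supplementary groups come only from posixGroup entries listing the user.
    extra = {int(attrs["gidNumber"][0])
             for _, attrs in search(group_base, "posixGroup", "memberUid", user)}
    extra.discard(primary)
    return primary, sorted(extra)


if __name__ == "__main__":
    for base in (PEOPLE_BASE, ROOT_BASE):
        print(base, "->", resolve_gids("jdoe", PEOPLE_BASE, base))
```

On a real client, `id <user>` and `getent group` show what the name service actually resolved, which can be compared against the directory contents.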