RE: [389-users] Access.conf issue
by Prashanth Sundaram
Thanks Robert. That seems to work well.
But here is my scenario I have a bunch of Groups and not sure if I can specify multiple groupdn's in ldap.conf.
Group1= Developers on Project1 need access to only proj1 servers
Group2= QA on Project1 need access to proj1 servers only
Group3= sysadmins access to all servers
Available methods for access control:
1. Host attribute based ACL - Adding an extra attribute for each user and maintaining a list of 40-50 servers per user.
Major Disadvantage: Manual entry for each user account, or at least scripting based on group membership, which makes it too complex.
2. Use NisNetGroups: Maintain separate set of netgroups for proj1-servers, proj1-Developers, proj1-QA, Groupfor-ALLservers, GroupforSysadmin.
Major Disadvantage: we add/remove hosts a lot, and maintaining a huge list of nisNetgroups for hosts as well as users seems cumbersome, or at least doubles the DB. Also lack of tools.
Can you suggest a suitable scenario and any tools I can use to minimize the effort?
Thanks once again.
Prashanth
14 years, 5 months
RE: [389-users] Access.conf issue
by Prashanth Sundaram
The user is a part of both groupname and groupname2. I am in testing with
different combinations.
UsePAM yes is set in /etc/ssh/sshd_config
Reason for using pam_member_attribute uniquemember is because 389-ds groups
use that attribute for group members (see schema below). So to tell the
ldap.conf to look at that attribute to verify members. CORRECT ME IF I AM
WRONG
This is the schema of my groups
dn: cn=GroupName,ou=Groups, dc=domain, dc=com
gidNumber: 1010
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
uniqueMember: uid=username1,ou=People,dc=domain,dc=com
uniqueMember: uid=username2,ou=People,dc=domain,dc=com
cn: GroupName
True, I tried to put the account required pam_access.so in pam.d/sshd,
but since it already includes system-auth (which already has pam_access),
I didn't add it manually to sshd.
/etc/pam.d/sshd
auth include system-auth
account required pam_nologin.so
account include system-auth
account required pam_access.so
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
What I am trying to accomplish?
I am trying to restrict the ssh access to all our servers based on the
groupmembership of posixgroups(groupname1 & 2). So say if a user does not
belong to that project he/she should not be able to ssh to that box.
Extra info which might or not be related: I am using Primary Group for all
users as their uidNumber. I think it is called "User Private Groups" where
each user's uidNumber and gidNumber are same. This is to facilitate the
file/folders ownership in their home folder by using umask 022.
Stpierre from #389 IRC channel suggested that the syntax for posixGroups in
access.conf is not @groupname. But to change it something like below.
- : ALL EXCEPT root groupname groupname2 : ALL
Thanks for your help.
-Prashanth
* From: "Tidwell Robert - rtidwe" <Robert Tidwell acxiom com>
* To: <fedora-directory-users redhat com>
* Subject: RE: [389-users] Access.conf issue
* Date: Wed, 18 Nov 2009 11:15:32 -0600
Title: Access.conf issue
Is your user a part of the groupname or groupname2 group? And, is "UsePAM
yes" set in your sshd_config? Although, I am not sure that the
pam_member_attribute uniquemember is going to work in this situation. Pam
is looking to evaluate that the user is a member of the group that you
specify for ³pam_groupdn² in ldap.conf. Based on what you are saying, you
are simply using pam_access to control ssh access to the server. But
instead of the pam_access line being in system_auth, I have it in
/etc/pam.d/sshd, which it looks like yours is also based on the error
messages. Robert
14 years, 5 months
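The two access.conf forms discussed in this thread, the "@groupname" one from the original post and the bare-group-name one suggested on IRC, can be compared with a small model of pam_access's rule matching. This is an added example written for this thread, not pam_access's own code; it models only the parts of the syntax the thread uses.

```python
# Minimal model of how pam_access reads /etc/security/access.conf (example
# code, not pam_access itself). Each rule is "permission : users : origins";
# the first matching rule decides and a user matching no rule is allowed.
# In the users field a bare name matches the login name or a group the user
# is in, "@name" is a netgroup (not a posixGroup), and "ALL EXCEPT a b"
# matches everyone except a and b.

def _names_match(names, user, groups, netgroups):
    for name in names:
        if name == "ALL":
            return True
        if name.startswith("@"):
            if name[1:] in netgroups:
                return True
        elif name == user or name in groups:
            return True
    return False

def _field_match(field, user, groups, netgroups):
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_names_match(tokens[:i], user, groups, netgroups)
                and not _names_match(tokens[i + 1:], user, groups, netgroups))
    return _names_match(tokens, user, groups, netgroups)

def pam_access_allows(conf, user, groups=(), netgroups=(), origin="client"):
    """True if access.conf text `conf` lets `user` (with these posix `groups`
    and `netgroups`) in from `origin`; origins are modelled as ALL or exact."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if not _field_match(users, user, groups, netgroups):
            continue
        if origins != "ALL" and origin not in origins.split():
            continue
        return perm == "+"
    return True

# access.conf from the original post: "@groupname" is read as a netgroup, so
# a user who is only in the posixGroup falls through to "- : ALL : ALL".
CONF_NETGROUP_SYNTAX = """\
+ : root : ALL
+ : @groupname : ALL
+ : @groupname2 : ALL
- : ALL : ALL
"""
# The form suggested on IRC for posixGroups: bare group names.
CONF_GROUP_SYNTAX = "- : ALL EXCEPT root groupname groupname2 : ALL\n"
```

Running `pam_access_allows(CONF_NETGROUP_SYNTAX, "psundaram", groups=("groupname",))` reproduces the denial from the log, while the same call against `CONF_GROUP_SYNTAX` allows the user.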
Replication and Class of Service
by James Roman
I have two 389 1.2.2 servers in a Multi-master replication
configuration. I've added a few Classic Class of Service entries on the
memberof attribute to one of the servers. The CoS and template entries
seem to have replicated to the other server, however, when I perform a
lookup on the entries in the replicated server, the CoS attributes are
not processed. Is there something I am missing to get the CoS operation
to replicate?
14 years, 5 months
Re: [389-users] Access.conf issue
by Prashanth Sundaram
I did follow the HowTo: Netgroups and was able to get that working. But my
question is whether I can just use ldap groups with access.conf?
If I have to use netgroups, do you have a mechanism to add the host/user
entries to nisNetgroupTriple in a semi-automated way other than just doing
ldapmodify -f <filename>?
14 years, 5 months
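One way to semi-automate the nisNetgroupTriple maintenance asked about above: diff the triples an entry currently has against a wanted host list and generate the LDIF modify record for `ldapmodify -f`. This is an added example for this thread, not a 389-ds tool; the netgroup DN and host names in it are invented.

```python
# Example helper for keeping a nisNetgroup in sync from a plain host list
# (written for this thread, not part of 389-ds). It reads the current
# nisNetgroupTriple values from "ldapsearch -LLL" style LDIF, diffs them
# against the wanted list and emits one "changetype: modify" record.

def host_triple(host, domain=""):
    # RFC 2307 triple is (host,user,domain); an empty field matches anything
    return f"({host},,{domain})"

def user_triple(user, domain=""):
    return f"(,{user},{domain})"

def triples_from_ldif(ldif_text):
    """Collect the nisNetgroupTriple values of an entry from LDIF text."""
    return {line.split(":", 1)[1].strip() for line in ldif_text.splitlines()
            if line.startswith("nisNetgroupTriple:")}

def netgroup_modify_ldif(dn, current, desired):
    """LDIF modify record turning the `current` triples into `desired`;
    returns an empty string when nothing needs to change."""
    current, desired = set(current), set(desired)
    to_add, to_del = sorted(desired - current), sorted(current - desired)
    if not to_add and not to_del:
        return ""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, values in (("add", to_add), ("delete", to_del)):
        if values:
            lines.append(f"{op}: nisNetgroupTriple")
            lines += [f"nisNetgroupTriple: {t}" for t in values]
            lines.append("-")
    return "\n".join(lines) + "\n"

# Constructed sample: what ldapsearch shows for proj1-servers today
# (DN and host names are invented for the example).
NETGROUP_DN = "cn=proj1-servers,ou=Netgroup,dc=domain,dc=com"
CURRENT_LDIF = """\
dn: cn=proj1-servers,ou=Netgroup,dc=domain,dc=com
cn: proj1-servers
nisNetgroupTriple: (web1.domain.com,,)
nisNetgroupTriple: (web2.domain.com,,)
"""
# Inventory now says web2 stays, web1 is retired and web3 is new.
WANTED = [host_triple(h) for h in ("web2.domain.com", "web3.domain.com")]

if __name__ == "__main__":
    print(netgroup_modify_ldif(NETGROUP_DN, triples_from_ldif(CURRENT_LDIF), WANTED))
```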
Unindexed ?
by Emmanuel BILLOT
Hi,
I used the logconv.pl utility to check our config, and it found a lot of
unindexed search.
In the access log file I found lines:
[18/Nov/2009:15:27:28 +0100] conn=1565 op=10246 RESULT err=0 tag=101
nentries=132 etime=1 notes=U
[18/Nov/2009:15:27:28 +0100] conn=1565 op=10247 SRCH
base="dc=ouaga,dc=ird,dc=fr" scope=2 filter="(&(objectClass=*))"
attrs="* aci"
Does "notes=U" mean it is an unindexed search? I must index an
attribute, but which one?
BR,
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================
14 years, 5 months
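The question above is what logconv.pl answers in bulk; the following added example (written for this thread, not part of 389-ds) shows the underlying logic: pair each SRCH line with its RESULT line by conn and op, keep the ones flagged notes=U, and list the attributes used in their filters, which are the candidates for an index. The log lines it runs on are constructed in the format shown in the post.

```python
import re

# Constructed sample in the 389-ds access log format from the post (not real
# data); op=10247 and conn=1566 op=1 are the searches flagged unindexed.
SAMPLE_LOG = """\
[18/Nov/2009:15:27:28 +0100] conn=1565 op=10246 SRCH base="ou=People,dc=ouaga,dc=ird,dc=fr" scope=1 filter="(uid=jdoe)" attrs="uid cn"
[18/Nov/2009:15:27:28 +0100] conn=1565 op=10246 RESULT err=0 tag=101 nentries=1 etime=0
[18/Nov/2009:15:27:28 +0100] conn=1565 op=10247 SRCH base="dc=ouaga,dc=ird,dc=fr" scope=2 filter="(&(objectClass=*))" attrs="* aci"
[18/Nov/2009:15:27:28 +0100] conn=1565 op=10247 RESULT err=0 tag=101 nentries=132 etime=1 notes=U
[18/Nov/2009:15:27:29 +0100] conn=1566 op=1 SRCH base="dc=ouaga,dc=ird,dc=fr" scope=2 filter="(cn=*admin*)" attrs="dn"
[18/Nov/2009:15:27:29 +0100] conn=1566 op=1 RESULT err=0 tag=101 nentries=3 etime=0 notes=U
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT .*?nentries=(\d+) etime=(\S+)(?P<notes> notes=\S+)?')

def find_unindexed(log_text):
    """Pair SRCH and RESULT lines by (conn, op) and return the searches whose
    RESULT carries notes=U, i.e. the ones the server answered without an index."""
    pending = {}     # (conn, op) -> search details, until its RESULT arrives
    unindexed = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, filt = m.groups()
            pending[(conn, op)] = {"base": base, "scope": int(scope), "filter": filt}
            continue
        m = RESULT_RE.search(line)
        if m and m.group("notes") and "notes=U" in m.group("notes"):
            srch = pending.pop((m.group(1), m.group(2)), None)
            if srch is None:
                continue   # RESULT for a search outside the captured window
            srch["nentries"] = int(m.group(3))
            srch["etime"] = m.group(4)
            unindexed.append(srch)
    return unindexed

def attributes_in_filter(filt):
    """Attribute names used in an LDAP filter: the index candidates. Which index
    type helps (equality, presence, substring) depends on the filter shape."""
    return sorted(set(re.findall(r'\(([A-Za-z][\w-]*)[~<>]?=', filt)), key=str.lower)
```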
Access.conf issue
by Prashanth Sundaram
All,
I have setup the ldapserver with PAM PassThrough and need help in figuring
out the access.conf without use of netgroups. Can I simply use the groups
with access.conf?
I am only able to ssh as root, but not with any ldap account. I was able to
ssh before making changes for the pam_access.
Here are the files I edited.
/etc/ldap.conf
pam_member_attribute uniquemember (since 389-ds uses uniquemember for group membership)
uri ldap://ldap.domain.com:389/
tls_checkpeer yes
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5
tls_cacertfile /etc/pki/tls/certs/ca-cert.crt
/etc/security/access.conf
+ : root : ALL
+ : @groupname : ALL
+ : @groupname2 : ALL
- : ALL : ALL
authconfig --enableldap --enableldapauth --disablenis --enablecache --ldapserver=ldap.domain.com --ldapbasedn=dc=ldapdomain,dc=com --enableldaptls --disablekrb5 --krb5kdc=AD.ADdomain.com --krb5adminserver=AD.ADdomain.com --krb5realm=ADDOMAIN.COM --enablekrb5kdcdns --enablekrb5realmdns --enablepamaccess --enablemkhomedir --enablelocauthorize updateall
/etc/pam.d/system-auth
:
account required pam_access.so accessfile=/etc/security/access.conf
:
Here's the error message I got. I see that krb5 is succeeding my password
but pam_access is blocking me.
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh
ruser= rhost=10.12.0.95 user=psundaram
Nov 18 11:01:44 wgldap01 sshd[8995]: pam_krb5[8995]: authentication succeeds
for 'psundaram' (psundaram(a)ADDOMAIN.COM)
Nov 18 11:01:45 wgldap01 sshd[8995]: pam_access(sshd:account): access denied
for user `psundaram' from `10.12.0.95'
Nov 18 11:01:45 wgldap01 sshd[8995]: pam_access(sshd:account): access denied
for user `psundaram' from `10.12.0.95'
Nov 18 11:01:45 wgldap01 sshd[8996]: fatal: Access denied for user psundaram
by PAM account configuration
Thanks,
Prashanth
14 years, 5 months
Replication and High Availability
by Bucl, Casper
Hi,
I'm trying to create a high availability ldap for a system I have in place that is currently using multimaster replication. Using a shared storage system isn't an option in this case.
To give you an idea of what our setup looks like,
There are two nodes, that have replication set up. These are set up as multimasters and have processes that write to both of them. These changes replicate to the other ldap server.
Now I need them to be in a high availability configuration.
I have created duplicates of each node and gotten the high availability portion on each of them to work correctly.
The problem comes with fedora and replication.
I have tried multiple ways of setting up fedora and replication and they always seem to end up with changes not being replicated to the other master when we have failed over to the secondary node. The two most successful ones are below.
Configurations.
Full Mesh: All links were set up as a two way replication.
This always ends up with at least 2 nodes showing errors saying it "Can't locate CSN" or "Duplicate node ID"
Node1A ------- Node1B
| \ / |
| X |
| / \ |
Node2A ------- Node2B
Single replication agreement between VIPs
In this configuration, we initially copied over the slapd instance directory on setup of the second HA node (Node1A to Node1B) so that the settings and configurations are identical on both. Then as changes were made to the ldap, we created backups using db2bak. These backups are copied over to the failover box and then imported on startup of fedora ds. This doesn't appear to backup the changelog and ends up with an error saying "Can't locate CSN" again.
Node1 VIP
|
|
Node2 VIP
I have tried other things as well and they were a lot less fruitful than the two examples I have here.
Has anyone set up a high availability scenario similar to this? Can anyone suggest a different process or configuration that would accomplish what I'm after?
Thanks,
Casper
14 years, 5 months
Case sensitive ?
by Emmanuel BILLOT
Hi,
Some of our data use an "objectClass" attribute. Is there any
difference in indexing the data when the index is defined with "objectclass"?
Is the index case sensitive in the attribute definition?
BR,
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================
14 years, 5 months