Pam_member_attribute is specific to pam_ldap and, according to
the man page for pam_ldap, is only evaluated if the pam_groupdn option is
specified.
As far as “LDAP” posixgroups in
/etc/security/access.conf, I can assure you that the way StPierre
described below will work. I am using that same type of setup on top of
the pam_groupdn in /etc/ldap.conf.
Good luck.
Robert M. Tidwell | System Engineer/Architect/Administrator
Acxiom Distributed Systems Central Arkansas
00-1-501-342-4127 office
| 00-1-501-908-2790 cell | 00-1-501-342-3932 fax
301East Dave Ward Drive | Conway, AR 72032 | USA | www.acxiom.com
From:
fedora-directory-users-bounces@redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Prashanth
Sundaram
Sent: Thursday, November 19, 2009 11:29 AM
To: fedora-directory-users@redhat.com
Cc: Rober.Tidwell@acxiom.com
Subject: RE: [389-users] Access.conf issue
The user is a part of both groupname and groupname2. I am in testing with
different combinations.
UsePAM yes is set in /etc/ssh/sshd_config
Reason for using pam_member_attribute uniquemember is because 389-ds groups
uses that attribute for group members.(see schema below) So to tell the
ldap.conf to look at that attribute to verify members. CORRECT ME IF I AM
WRONG
This is the schema of my groups
dn: cn=GroupName,ou=Groups, dc=domain, dc=com
gidNumber: 1010
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
uniqueMember: uid=username1,ou=People,dc=domain,dc=com
uniqueMember: uid=username2,ou=People,dc=domain,dc=com
cn: GroupName
True, I tried to put the account required pam_access.so to the
pam.d/sshd, but since it already includes the system-auth(which already
has pam_access). Hence I didn;t add manually to sshd.
/etc/pam.d/sshd
auth include
system-auth
account required
pam_nologin.so
account include system-auth
account required pam_access.so
password include system-auth
session optional pam_keyinit.so force
revoke
session include system-auth
session required pam_loginuid.so
What I am trying to accomplish?
I am trying to restrict the ssh access to all our servers based on
the groupmembership of posixgroups(groupname1 & 2). So say if a user does
not belong to that project he/she should not be able to ssh to that box.
Extra info which might or not be related: I am using Primary Group for
all users as their uidNumber. I think it is called “User Private
Groups” where each user’s uidNumber and gidNumber are same. This is
to facilitate the file/folders ownership in their home folder by using umask
022.
Stpierre from #389 IRC channel suggested that the syntax for posixGroups in
access.conf is not @groupname. But to change it something like below.
- : ALL EXCEPT root groupname groupname2 : ALL
Thanks for you help.
-Prashanth
Title:
Access.conf issue
Is your user a part of the groupname or groupname2 group? And, is
“UsePAM yes” and set in your sshd_config? Although, I am not
sure that the pam_member_attribute uniquemember is going to work in this
situation. Pam is looking to evaluate that the user is a member of the
group that you specify for “pam_groupdn” in ldap.conf.
Based on what you are saying, you are simply using pam_access to control
ssh access to the server. But instead of the pam_access line being in
system_auth, I have it in /etc/pam.d/sshd, which it looks like yours is also
based on the error messages. Robert
*************************************************************************** The information contained in this communication is confidential, is intended only for the use of the recipient named above, and may be legally privileged. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please resend this communication to the sender and delete the original message or any copy of it from your computer system. Thank You. ****************************************************************************