Pam_member_attribute is specific to pam_ldap and, according to the man page for pam_ldap, is only evaluated if the pam_groupdn option is specified.

As far as “LDAP” posixgroups in /etc/security/access.conf, I can assure you that the way StPierre described below will work. I am using that same type of setup on top of the pam_groupdn in /etc/ldap.conf.

Good luck.

Robert M. Tidwell  | System Engineer/Architect/Administrator

Acxiom Distributed Systems Central Arkansas

00-1-501-342-4127 office | 00-1-501-908-2790 cell | 00-1-501-342-3932 fax
301 East Dave Ward Drive | Conway, AR 72032 | USA | www.acxiom.com

From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Prashanth Sundaram
Sent: Thursday, November 19, 2009 11:29 AM
To: fedora-directory-users@redhat.com
Cc: Rober.Tidwell@acxiom.com
Subject: RE: [389-users] Access.conf issue

The user is a part of both groupname and groupname2. I am in testing with different combinations.

UsePAM yes is set in /etc/ssh/sshd_config

The reason for using pam_member_attribute uniquemember is that 389-ds groups use that attribute for group members (see schema below). So it is to tell ldap.conf to look at that attribute to verify members. CORRECT ME IF I AM WRONG

This is the schema of my groups
dn: cn=GroupName,ou=Groups, dc=domain, dc=com
gidNumber: 1010
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
uniqueMember: uid=username1,ou=People,dc=domain,dc=com
uniqueMember: uid=username2,ou=People,dc=domain,dc=com
cn: GroupName

True, I tried to put the account required pam_access.so into pam.d/sshd, but it already includes system-auth (which already has pam_access). Hence I didn't add it manually to sshd.

/etc/pam.d/sshd
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
account    required     pam_access.so
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

What am I trying to accomplish?
I am trying to restrict ssh access to all our servers based on the group membership of posixgroups (groupname1 & 2). So, say, if a user does not belong to that project, he/she should not be able to ssh to that box.

Extra info which might or might not be related: I am using Primary Group for all users as their uidNumber. I think it is called “User Private Groups”, where each user’s uidNumber and gidNumber are the same. This is to facilitate the file/folder ownership in their home folder by using umask 022.

Stpierre from the #389 IRC channel suggested that the syntax for posixGroups in access.conf is not @groupname, but to change it to something like below.

- : ALL EXCEPT root groupname groupname2 : ALL


Thanks for your help.

-Prashanth


Title: Access.conf issue
Is your user a part of the groupname or groupname2 group? And, is “UsePAM yes” set in your sshd_config?

Although, I am not sure that the pam_member_attribute uniquemember is going to work in this situation. Pam is looking to evaluate that the user is a member of the group that you specify for “pam_groupdn” in ldap.conf.

Based on what you are saying, you are simply using pam_access to control ssh access to the server. But instead of the pam_access line being in system_auth, I have it in /etc/pam.d/sshd, which it looks like yours is also based on the error messages.

Robert
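
The access.conf rule form discussed in this thread, as an added example that is not part of any message above: a simplified Python model of how pam_access evaluates the users field, showing that a bare group name in the EXCEPT list is checked against group membership while an `@name` token is looked up as a netgroup. The group members, the empty netgroup table and the `@` rule variant are constructed for illustration, and the origins field is assumed to be ALL.

```python
# Simplified model of pam_access users-field matching (not pam_access source code).
GROUPS = {                      # constructed stand-in for LDAP posixGroup lookups
    "groupname": {"username1"},
    "groupname2": {"username2"},
}
NETGROUPS = {}                  # constructed: no NIS netgroups are defined

SUGGESTED = ["- : ALL EXCEPT root groupname groupname2 : ALL"]    # form from the thread
AT_FORM = ["- : ALL EXCEPT root @groupname @groupname2 : ALL"]    # constructed variant

def token_matches(token, user):
    """Match one users-field token against a login name."""
    if token == "ALL":
        return True
    if token.startswith("@"):                 # '@name' is a netgroup, not a posixGroup
        return user in NETGROUPS.get(token[1:], set())
    if token.startswith("(") and token.endswith(")"):   # explicit '(group)' form
        return user in GROUPS.get(token[1:-1], set())
    # Bare word: tried as a user name, then as a group name (no 'nodefgroup' option).
    return token == user or user in GROUPS.get(token, set())

def list_matches(tokens, user):
    """Evaluate 'a b EXCEPT c d': match the head unless the tail also matches."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, []
    if not any(token_matches(t, user) for t in head):
        return False
    return not (tail and list_matches(tail, user))

def login_allowed(rules, user):
    """The first matching rule decides; if no rule matches, access is granted."""
    for line in rules:
        perm, users, _origins = (f.strip() for f in line.split(":"))
        if list_matches(users.split(), user):  # origins assumed ALL, not evaluated
            return perm == "+"
    return True

if __name__ == "__main__":
    for name in ("root", "username1", "username2", "outsider"):
        print(name, login_allowed(SUGGESTED, name), login_allowed(AT_FORM, name))
```
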
