All,

I have setup the ldapserver with PAM PassThrough and need help in figuring out the access.conf without use of netgroups. Can I simply use the groups with access.conf?

I am only able to ssh as root, but not with any ldap account. I was able to ssh before making changes for the pam_access.

Here are the files I edited.

/etc/ldap.conf
pam_member_attribute uniquemember  (since 389-ds uses uniquemember for group membership)
uri ldap://ldap.domain.com:389/
tls_checkpeer yes
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5
tls_cacertfile /etc/pki/tls/certs/ca-cert.crt

/etc/security/access.conf
+ : root : ALL
+ : @groupname : ALL
+ : @groupname2 : ALL
- : ALL : ALL

authconfig  --enableldap --enableldapauth --disablenis --enablecache --ldapserver=ldap.domain.com --ldapbasedn=dc=ldapdomain,dc=com --enableldaptls --disablekrb5 --krb5kdc=AD.ADdomain.com --krb5adminserver=AD.ADdomain.com --krb5realm=ADDOMAIN.COM --enablekrb5kdcdns --enablekrb5realmdns --enablepamaccess --enablemkhomedir --enablelocauthorize —updateall

/etc/pam.d/system-auth
:
account     required   pam_access.so accessfile=/etc/security/access.conf
:

Here’s the error message I got. I see that krb5 is succeeding my password but pam_access is blocking me.
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.12.0.95  user=psundaram
Nov 18 11:01:44 wgldap01 sshd[8995]: pam_krb5[8995]: authentication succeeds for 'psundaram' (psundaram@ADDOMAIN.COM)
Nov 18 11:01:45 wgldap01 sshd[8995]: pam_access(sshd:account): access denied for user `psundaram' from `10.12.0.95'
Nov 18 11:01:45 wgldap01 sshd[8995]: pam_access(sshd:account): access denied for user `psundaram' from `10.12.0.95'
Nov 18 11:01:45 wgldap01 sshd[8996]: fatal: Access denied for user psundaram by PAM account configuration


Thanks,
Prashanth