Hello all
I'm using the Fedora Directory Server for centralized authentication, and I have made users with posixAccount and put them in ou=People like this:
----------------------------------------
# alexadu, People, pol.mediaimage.ro
dn: uid=alexadu,ou=People,dc=pol,dc=ro
givenName: Alexandra
sn: Dumitru
loginShell: /bin/bash
uidNumber: 1069
gidNumber: 100
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: alexadu
cn: Alexandra Dumitru
homeDirectory: /home/alexadu
----------------------------------------
After that I made some groups in ou=Groups like this:
----------------------------------------
# Server1, Groups, pol.ro
dn: cn=Server1,ou=Groups,dc=pol,dc=ro
description: group for users that have access on server 1
objectClass: top
objectClass: groupofuniquenames
uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro
uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro
cn: Server1
----------------------------------------
And my ldap.conf looks like this:
URI ldap://lacatzel.pol.ro port=389
BASE dc=pol,dc=ro
host lacatzel.pol.ro
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
scope sub
bind_policy soft
#pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
pam_check_host_attr yes
nss_default_attribute_value loginShell /bin/false
nss_base_passwd ou=People,dc=pol,dc=ro
nss_base_shadow ou=People,dc=pol,dc=ro
nss_base_group ou=People,dc=pol,dc=ro
----------------------------------------
Now I want to restrict some users to servers based on groups, but my pam_ldap does not help me do that. I'm using my old friend "www.google.com" to help me with this problem, but with no luck... All my users have access to this computer... So, if I understand right, all I have to do is create users with posixAccount and after that create groups and put the users in those groups, but this does not work... Any ideas? Does anyone use FDS for what I intend to do?
Thank you for your time...
Bogdan
On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote:
Hello all
I'm using the Fedora Directory Server for centralized authentication, and I have made users with posixAccount and put them in ou=People like this:
[snip]
Now I want to restrict some users to servers based on groups, but my pam_ldap does not help me do that. I'm using my old friend "www.google.com" to help me with this problem, but with no luck... All my users have access to this computer... So, if I understand right, all I have to do is create users with posixAccount and after that create groups and put the users in those groups, but this does not work... Any ideas? Does anyone use FDS for what I intend to do?
The pam_access module may help you do this depending on what you mean by "restrict".
Thank you for your time...
Bogdan
Let's say I have the users alex, tom, john, joe and bruce and the computers comp1, comp2 and comp3,
and in my LDAP I have the users in ou=People with posixAccount and three groups named after the computers, like:
cn=comp1,ou=Groups ....
objectClass: top
objectClass: groupOfUniqueNames
cn: comp1
ou: groups
description: People who can login on comp1
uniqueMember: uid=alex,ou=People,dc=pol,dc=mediaimage,dc=ro
uniqueMember: uid=joe,ou=People,dc=pol,dc=mediaimage,dc=ro
uniqueMember: uid=bruce,ou=People,dc=pol,dc=mediaimage,dc=ro
----------------------------------------
cn=comp2,ou=Groups ....
objectClass: top
objectClass: groupOfUniqueNames
cn: comp2
ou: groups
description: People who can login on comp2
uniqueMember: uid=alex,ou=People,dc=pol,dc=mediaimage,dc=ro
uniqueMember: uid=tom,ou=People,dc=pol,dc=mediaimage,dc=ro
uniqueMember: uid=bruce,ou=People,dc=pol,dc=mediaimage,dc=ro
----------------------------------------
cn=comp3,ou=Groups ....
objectClass: top
objectClass: groupOfUniqueNames
cn: comp3
ou: groups
description: People who can login on comp3
uniqueMember: uid=john,ou=People,dc=pol,dc=mediaimage,dc=ro
uniqueMember: uid=joe,ou=People,dc=pol,dc=mediaimage,dc=ro
uniqueMember: uid=bruce,ou=People,dc=pol,dc=mediaimage,dc=ro
----------------------------------------
In this schema, let's say that I want to be able to "permit" login access to the computers only to the people I have in their group.
There are a few ways. I found the best way is to specify pam_groupdn and pam_member_attribute. This allows you to create a simple LDAP object that says who can log into what system.
Edward
--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote:
I'm using the Fedora Directory Server for centralized authentication, and I have made users with posixAccount and put them in ou=People like this:
[snip]
# Server1, Groups, pol.ro
dn: cn=Server1,ou=Groups,dc=pol,dc=ro
description: group for users that have access on server 1
objectClass: top
objectClass: groupofuniquenames
uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro
uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro
cn: Server1
[snip]
And my ldap.conf looks like this:
URI ldap://lacatzel.pol.ro port=389
BASE dc=pol,dc=ro
host lacatzel.pol.ro
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
scope sub
bind_policy soft
#pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
[snip]
The combination of the pam_groupdn and pam_member_attribute settings you have here instructs pam_ldap to check for the user's DN among the values for the group object's "memberUid" attribute, but the user's DN is stored in the "uniqueMember" attribute. Try changing that (or removing it, because "pam_member_attribute uniquemember" is the default).
But if that were the only problem, I'd expect that none of your users would be able to log in. You should probably double-check that your PAM configuration is able to deny users entry when pam_ldap's account management function (which is the part that checks group membership) returns a failure.
HTH,
Nalin
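To make Nalin's point concrete, here is an added example (not from the thread or from pam_ldap itself) that emulates the membership test pam_ldap's account stage performs: it builds the user's DN from pam_login_attribute and nss_base_passwd and looks for that DN among the values of pam_member_attribute on the pam_groupdn entry. The LDIF text is constructed from the entries posted above; the lowercasing stands in for the server's case-insensitive DN matching.

```python
"""Added example: emulate pam_ldap's pam_groupdn / pam_member_attribute check
on constructed LDIF text (no directory needed)."""

# Constructed group entries modelled on the two variants posted in the thread.
GROUP_OF_UNIQUE_NAMES = """\
dn: cn=Server1,ou=Groups,dc=pol,dc=ro
objectClass: top
objectClass: groupOfUniqueNames
cn: Server1
uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro
uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro
"""

POSIX_GROUP = """\
dn: cn=Server1,ou=Groups,dc=pol,dc=ro
objectClass: top
objectClass: posixGroup
cn: Server1
gidNumber: 100
memberUid: alex
memberUid: vion
"""

PEOPLE_BASE = "ou=People,dc=pol,dc=ro"   # nss_base_passwd from the thread


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute (lowercased): [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def user_dn(login, login_attr="uid"):
    """The DN pam_ldap resolves for a login name under the people container."""
    return f"{login_attr}={login},{PEOPLE_BASE}"


def pam_ldap_group_allows(group_entry, login, member_attr="uniqueMember"):
    """pam_ldap compares the user's *DN* (never the bare login name) against
    the values of pam_member_attribute on the pam_groupdn entry. DN matching
    is case-insensitive, which the lowercasing approximates."""
    wanted = user_dn(login).lower()
    members = (v.lower() for v in group_entry.get(member_attr.lower(), []))
    return wanted in members
```

With the default `uniqueMember` the groupOfUniqueNames entry admits alexadu; pointing pam_member_attribute at `memberUid` (or switching to a posixGroup whose memberUid holds bare login names) never matches, because a DN is being compared against "alex".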
OK, so now my configuration looks like this:
# Server1, Groups, pol.mediaimage.ro
dn: cn=Server1,ou=Groups,dc=pol,dc=ro
objectClass: top
objectClass: posixgroup
cn: Server1
gidNumber: 100
memberUid: alex
memberUid: vion
and ldap.conf:
URI ldap://lacatzel.pol.ro port=389
BASE dc=pol,dc=ro
host lacatzel.pol.ro
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
scope sub
bind_policy soft
#pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
pam_check_host_attr yes
nss_default_attribute_value loginShell /bin/false
nss_base_passwd ou=People,dc=pol,dc=ro
nss_base_shadow ou=People,dc=pol,dc=ro
nss_base_group ou=People,dc=pol,dc=ro
and PAM system-auth:
auth required pam_env.so
auth [success=ignore default=1] pam_localuser.so
auth [success=done new_authtok_reqd=done default=1] pam_unix.so likeauth nullok try_first_pass
auth sufficient pam_ldap.so try_first_pass
auth required pam_deny.so

account sufficient pam_unix.so
account required pam_access.so
account sufficient pam_ldap.so

password required pam_cracklib.so difok=2 minlen=2 dcredit=2 ocredit=2 retry=1
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
#Creates the home directories if they do not exist
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_ldap.so
But with all this, all users could still log in to the system with no problem.
On Fri, May 30, 2008 at 10:41:09AM +0300, Bogdan Cehan wrote:
OK, so now my configuration looks like this:
# Server1, Groups, pol.mediaimage.ro
dn: cn=Server1,ou=Groups,dc=pol,dc=ro
objectClass: top
objectClass: posixgroup
cn: Server1
gidNumber: 100
memberUid: alex
memberUid: vion
and ldap.conf:
[snip]
pam_member_attribute memberUid
pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
That's probably not going to work -- pam_ldap is still going to check for the DN of the user's entry in the memberUid attribute, and not the user's name.
[snip]
and pam system-auth :
[snip]
account sufficient pam_unix.so
account required pam_access.so
account sufficient pam_ldap.so
I suspect pam_unix is checking for an expired password (and if you're using nss_ldap, it'll be able to "see" users you've defined in the directory), determining that the user's password has not expired, and returning success.
There's also the subtle problem that if a "sufficient" module fails, it doesn't actually cause the whole PAM stack to be counted as a failure, so even if both pam_unix.so and pam_ldap.so failed, the user might still be allowed access. I'd suggest something like this instead:
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_access.so
I haven't tried it myself, but I think that'll work.
HTH,
Nalin
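The two account stacks discussed above, run through a small model of Linux-PAM's control-flag semantics; this is an added example, not code from the thread or from Linux-PAM, and the per-module return codes in each scenario are constructed (jump actions like `default=1` are not modelled).

```python
"""Added example: model how Linux-PAM walks an account stack, to show why the
all-'sufficient' stack admits a non-member and Nalin's replacement denies it."""

# Bogdan's stack and Nalin's suggested replacement, as (control, module) pairs.
OLD_STACK = [("sufficient", "pam_unix.so"),
             ("required", "pam_access.so"),
             ("sufficient", "pam_ldap.so")]
NEW_STACK = [("required", "pam_unix.so"),
             ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so"),
             ("required", "pam_access.so")]

# The keyword controls are shorthand for these [value=action] tables.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Nalin's diagnosis: nss_ldap lets pam_unix "see" the directory user, its
# password is not expired, so pam_unix succeeds while pam_ldap rejects the
# non-member. Constructed return codes, not captured from a real system.
NON_MEMBER = {"pam_unix.so": "success", "pam_access.so": "success",
              "pam_ldap.so": "perm_denied"}


def parse_control(ctrl):
    """Turn 'required' or '[default=bad success=ok ...]' into {code: action}."""
    if ctrl.startswith("["):
        return dict(kv.split("=", 1) for kv in ctrl.strip("[]").split())
    return KEYWORDS[ctrl]


def run_account_stack(stack, results):
    """Return True if PAM grants access. `results` maps module -> return code.
    A 'bad'/'die' action turns the stack's impression negative and no later
    'ok' can turn it back; 'ignore' leaves it untouched, which is exactly why
    a failing 'sufficient' module does not fail the stack."""
    impression = None            # None (nothing decided yet), "positive", "negative"
    for ctrl, module in stack:
        table = parse_control(ctrl)
        action = table.get(results[module], table.get("default", "bad"))
        if action in ("ok", "done") and impression is None:
            impression = "positive"
        elif action in ("bad", "die"):
            impression = "negative"
        if action in ("done", "die"):
            break                # stack terminates at this module
    return impression == "positive"
```

With OLD_STACK the first `sufficient` pam_unix success ends the stack before pam_ldap is even consulted, and even when pam_unix fails, pam_access's success carries the stack; with NEW_STACK pam_ldap's failure sticks, while `user_unknown=ignore` still lets purely local accounts through.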