Apache Auth/pam_check_host_attr?

Hi All,

I've been using FDS for quite a while now, and I'd just like to say I
love it, great job!  I'm posting this question because I've been banging
my head for a while about it.

I'm using FDS as the central auth server in a pretty much all RH/FC
environment, and currently use pam_check_host_attr to control which
users are allowed to log in to which servers.  All was working great
until I upgraded our internal WWW server from RHEL3 to FC6.  The WWW
server is/was using the mod_authz_ldap Apache module to control which
groups were allowed to log in to certain sections of the website; after
the upgrade to FC6, group restrictions stopped working.  Basically,
apache+mod_authz_ldap started denying users that didn't have the WWW
server in the hosts attribute.

My goal is to allow/disallow SSH/telnet etc. using
pam_check_host_attr, but still allow them to log in to the http areas of
the server using LDAP groups.

Here's my authz_ldap conf:

<Directory /var/TEMP/>
      AuthType                  Basic
      AuthName                  "Temporary Folder to Disseminate files"

      # mod_authz_ldap makes the final authorization decision for this block
      AuthzLDAPAuthoritative    On
      AuthzLDAPMethod           ldap
      AuthzLDAPProtocolVersion  3
      #AuthzLDAPLogLevel        debug
      AuthzLDAPServer           server.domain.com

      # where users are looked up, and which attribute matches the login name
      AuthzLDAPUserBase         ou=People,dc=corp,dc=domain,dc=com
      AuthzLDAPUserKey          uid

      # group lookup: groups named by cn, members listed as full DNs in uniquemember
      AuthzLDAPGroupBase        ou=Groups,dc=corp,dc=domain,dc=com
      AuthzLDAPGroupKey         cn
      AuthzLDAPMemberKey        uniquemember
      AuthzLDAPSetGroupAuth     ldapdn

      # membership in any one of these groups is enough
      Require group qausers dev ops psg threat se
</Directory>

Like I said, this used to work the way I wanted with RHEL3 and an older
version of mod_authz_ldap; can anyone point the way for me?  Now, with
FC6 and the authz_ldap that comes with it, I get this error in the
httpd_error.log:

[error] [client 10.30.0.200] PAM: user 'test'  - invalid account:
Permission denied

Now it only works when I add the FQDN for the WWW server to the user's
hosts attribute.  But then the user can SSH to the server also (which I
don't want).


Also, a second question: can you use hostobject or account with
groups in order to restrict logins using pam_check_host_attr?


I thank you in advance for any pointers, suggestions, or kicks to the
head that will help me resolve my problem.

-- 
Brian Kosick
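As an added illustration (not code from the post, from mod_authz_ldap or from pam_ldap), the following Python models the two checks the post describes separately against a constructed LDIF snapshot: group authorization the way the posted "Require group" line works (user DN listed in a group's uniquemember), and the host check pam_check_host_attr applies (the host attribute must list the server or "*"). It shows that the web path alone admits user "test" while the host path denies them, which is the split the post is after. The sample entries and the web server name www.domain.com are assumptions.

```python
# Constructed LDIF snapshot (not from the post). DNs follow the posted bases; "test"
# is in group dev but lacks a host entry for the web server, "alice" has host * only.
SAMPLE_LDIF = """\
dn: uid=test,ou=People,dc=corp,dc=domain,dc=com
uid: test
host: shell01.domain.com

dn: uid=alice,ou=People,dc=corp,dc=domain,dc=com
uid: alice
host: *

dn: cn=dev,ou=Groups,dc=corp,dc=domain,dc=com
cn: dev
uniqueMember: uid=test,ou=People,dc=corp,dc=domain,dc=com
"""
GROUP_BASE = "ou=Groups,dc=corp,dc=domain,dc=com"
REQUIRED = "qausers dev ops psg threat se".split()  # the posted Require line

def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr_lowercase: [values]}} (no base64/wrapping)."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            cur = None
            continue
        attr, _, val = line.partition(":")
        attr, val = attr.strip().lower(), val.strip()
        if attr == "dn":
            cur = entries.setdefault(val, {})
        elif cur is not None:
            cur.setdefault(attr, []).append(val)
    return entries

def user_dn(entries, uid):
    """AuthzLDAPUserKey uid: the DN mod_authz_ldap compares against uniqueMember."""
    return next((dn for dn, a in entries.items() if uid in a.get("uid", [])), None)

def group_allows(entries, uid):
    """Web path: 'Require group ...' passes on uniqueMember; the host attribute is irrelevant."""
    dn = user_dn(entries, uid)
    return dn is not None and any(
        dn in entries.get(f"cn={g},{GROUP_BASE}", {}).get("uniquemember", [])
        for g in REQUIRED)

def host_allows(entries, uid, fqdn="www.domain.com"):  # placeholder web server FQDN
    """Shell path: pam_check_host_attr passes only if 'host' lists this FQDN or '*'."""
    dn = user_dn(entries, uid)
    hosts = entries[dn].get("host", []) if dn else []
    return "*" in hosts or fqdn in hosts
```

Running both checks on the same user tells you which policy is doing the denying; for the post's symptom, group_allows is True and host_allows is False for "test".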
