On Wed, 2007-01-03 at 17:03 -0700, Brian Kosick wrote:
> Hi All,
>
> I've been using FDS for quite a while now, and I'd just like to say I
> love it, great job! I'm posting this question because I've been banging
> my head for a while about it.
>
> I'm using FDS as the central Auth server in a pretty much all RH/FC
> environment, and currently use pam_check_host_attr to control which
> users are allowed to log in to which servers. All was working great
> until I upgraded our internal WWW server from RHEL3 to FC6. The WWW
> server is/was using the mod_authz_ldap apache module to control what groups
> were allowed to log in to certain sections of the website; after the
> upgrade to FC6, group restrictions stopped working. Basically, apache
> +mod_authz_ldap started denying users that didn't have the WWW server in
> the hosts attribute.
>
> My goal is to allow/disallow SSH/telnet etc. using
> pam_check_host_attr, but still allow them to log in to the http areas of
> the server using ldap groups.
>
> Here's my authz_ldap conf:
>
> <Directory /var/TEMP/>
>     AuthType Basic
>     AuthName "Temporary Folder to Disseminate files"
>
>     AuthzLDAPAuthoritative On
>     AuthzLDAPMethod ldap
>     AuthzLDAPProtocolversion 3
>     #AuthzLDAPLogLevel debug
>     AuthzLDAPServer server.domain.com
>
>     AuthzLDAPUserBase ou=People,dc=corp,dc=domain,dc=com
>     AuthzLDAPUserKey uid
>
>     AuthzLDAPGroupBase ou=Groups,dc=corp,dc=domain,dc=com
>     AuthzLDAPGroupkey cn
>     AuthzLDAPMemberKey uniquemember
>     AuthzLDAPSetGroupAuth ldapdn
>
>     Require group qausers dev ops psg threat se
>
> </Directory>
>
> Like I said, this used to work the way I wanted with RHEL3 and an older
> version of mod_authz_ldap; can anyone point the way for me? Now with
> FC6 and the authz_ldap that comes with it, I get this error in
> httpd_error.log:
>
> [error] [client 10.30.0.200] PAM: user 'test' - invalid account:
> Permission denied
>
> Now, it only works when I add the FQDN for the WWW server to the user's
> hosts attribute. But then the user can SSH to the server also (which I
> don't want).
>
>
> Also asking a second question: can you use hostobject or account with
> groups in order to restrict logins using pam_check_host_attr?
>
>
> I thank you in advance for any pointers, suggestions, or kicks to the
> head that will help me resolve my problem.
>

Dang, I smoke some good crack. I figured it out. I had accidentally(?) installed the mod_auth_pam rpm; I rpm -e'd it and restarted httpd, and it works like I want it to. It looks like the mod_auth_pam rpm forces the ldap queries to go through system pam, which was enforcing my pam_check_host_attr setting. However, I would still like to know if I can use hostObject and hosts with a Group and whether or not that will satisfy the pam_check_host_attr requirement.

Thanks,
--
Brian Kosick
bkosick at mxlogic.com
720-895-5449
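To make the two decisions in this thread concrete, here is an added example (mine, not Brian's configuration or the pam_ldap/mod_authz_ldap code) that models pam_check_host_attr's per-user host check beside mod_authz_ldap's Require group check over a constructed LDIF using the DNs from the post; the hostnames and the dev group membership are invented, and treating a host value of `*` as "any host" is my assumption about pam_ldap.

```python
# Constructed entries modelled on the DNs in the post (not a real directory export).
LDIF = """\
dn: uid=test,ou=People,dc=corp,dc=domain,dc=com
uid: test
host: shell01.corp.domain.com

dn: uid=alice,ou=People,dc=corp,dc=domain,dc=com
uid: alice
host: shell01.corp.domain.com
host: www.corp.domain.com

dn: cn=dev,ou=Groups,dc=corp,dc=domain,dc=com
cn: dev
uniquemember: uid=test,ou=People,dc=corp,dc=domain,dc=com
uniquemember: uid=alice,ou=People,dc=corp,dc=domain,dc=com
"""
GROUP_BASE = "ou=Groups,dc=corp,dc=domain,dc=com"
REQUIRED = ["qausers", "dev", "ops", "psg", "threat", "se"]  # the post's Require group line

def parse_ldif(text):
    """Minimal LDIF reader: dn -> {lowercase attribute: [values]}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def find_user(entries, uid):
    return next((dn for dn, a in entries.items() if a.get("uid") == [uid]), None)

def pam_host_check(entries, uid, fqdn):
    """pam_check_host_attr style: the user's OWN host attribute must name this server.
    '*' meaning any host is an assumption about pam_ldap. Groups are never consulted."""
    dn = find_user(entries, uid)
    hosts = entries[dn].get("host", []) if dn else []
    return fqdn in hosts or "*" in hosts

def authz_ldap_group_check(entries, uid, required=REQUIRED, group_base=GROUP_BASE):
    """mod_authz_ldap 'Require group' style: user DN must be a uniquemember of one group."""
    dn = find_user(entries, uid)
    return dn is not None and any(
        dn in entries.get(f"cn={g},{group_base}", {}).get("uniquemember", []) for g in required)

def decisions(uid, fqdn="www.corp.domain.com"):
    """(host-attribute decision, group decision) for uid reaching the WWW server."""
    entries = parse_ldif(LDIF)
    return pam_host_check(entries, uid, fqdn), authz_ldap_group_check(entries, uid)
```

User `test` is a dev group member but lacks the WWW host, so the group check passes while the host check denies; that is exactly the split the post saw once mod_auth_pam routed Apache's check through PAM.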