OK, so now my configuration looks like this:

# Server1, Groups, pol.mediaimage.ro
dn: cn=Server1,ou=Groups,dc=pol,dc=ro
objectClass: top
objectClass: posixgroup
cn: Server1
gidNumber: 100
memberUid: alex
memberUid: vion

and ldap.conf:

URI ldap://lacatzel.pol.ro
port=389
BASE dc=pol,dc=ro
host lacatzel.pol.ro
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
scope sub
bind_policy soft
#pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
pam_check_host_attr yes
nss_default_attribute_value loginShell /bin/false
nss_base_passwd ou=People,dc=pol,dc=ro
nss_base_shadow ou=People,dc=pol,dc=ro
nss_base_group ou=People,dc=pol,dc=ro

and PAM system-auth:

auth        required      pam_env.so
auth        [success=ignore default=1] pam_localuser.so
auth        [success=done new_authtok_reqd=done default=1] pam_unix.so likeauth nullok try_first_pass
auth        sufficient    pam_ldap.so try_first_pass
auth        required      pam_deny.so
account     sufficient    pam_unix.so
account     required      pam_access.so
account     sufficient    pam_ldap.so
password    required      pam_cracklib.so difok=2 minlen=2 dcredit=2 ocredit=2 retry=1
password    sufficient    pam_unix.so nullok md5 shadow use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so
#Creates the home directories if they do not exist
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     optional      pam_ldap.so

But with all this, all users could still log in to the system with no problem.

> On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote:
> > I'm using the Fedora Directory Server for centralized
> > authentication, and I have made users with posix account and I
> > put them in ou=People like this:
> > [snip]
> >
> > # Server1, Groups, pol.ro
> > dn: cn=Server1,ou=Groups,dc=pol,dc=ro
> > description: group for users that have access on server 1
> > objectClass: top
> > objectClass: groupofuniquenames
> > uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro
> > uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro
> > cn: Server1
> > [snip]
> >
> > and my ldap.conf looks like this:
> >
> > URI ldap://lacatzel.pol.ro
> > port=389
> > BASE dc=pol,dc=ro
> > host lacatzel.pol.ro
> > TLS_CACERTDIR /etc/openldap/cacerts
> > TLS_REQCERT allow
> > scope sub
> > bind_policy soft
> > #pam_password exop
> > pam_filter objectclass=posixAccount
> > pam_login_attribute uid
> > pam_member_attribute memberUid
> > pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
> > [snip]
>
> The combination of the pam_groupdn and pam_member_attribute
> settings you have here instructs pam_ldap to check for the user's
> DN among the values for the group object's "memberUid" attribute,
> but the user's DN is stored in the "uniqueMember" attribute. Try
> changing that (or removing it, because "pam_member_attribute
> uniquemember" is the default).
>
> But if that were the only problem, I'd expect that none of your
> users would be able to log in. You should probably double-check
> that your PAM configuration is able to deny users entry when
> pam_ldap's account management function (which is the part that
> checks group membership) returns a failure.
>
> HTH,
>
> Nalin
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
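The second half of the quoted reply is the part that explains the symptom: in the posted system-auth, the "account" stack has pam_unix.so marked "sufficient" ahead of pam_ldap.so, so once pam_unix reports the account as valid (which it does for every LDAP user, because nss_ldap serves passwd and shadow data for them) the stack returns success and pam_ldap's group check never runs. The following is an added example, not part of this thread or of the Linux-PAM project: a small simulator of Linux-PAM's control-flag dispatch (the ok/done/bad/die/ignore actions from pam.conf(5)) run over the posted account lines and over an assumed corrected stack. All users, group members and module verdicts in it are constructed for the demonstration; the corrected stack, pam_ldap returning user_unknown for non-LDAP users, and pam_unix succeeding for every NSS-visible account are assumptions, and the dispatcher is a simplification of the real one.

```python
"""Simplified Linux-PAM account-stack evaluator (added example, not from the thread).

Models the control-flag semantics of pam.conf(5) closely enough to show why
the posted "account" stack admits every LDAP user: "sufficient" on
pam_unix.so returns success before pam_ldap.so is consulted.

Every user, group and module behaviour below is constructed for this
demonstration; nothing is read from a real system.
"""

# Return codes (PAM names; plain strings here)
SUCCESS, PERM_DENIED, USER_UNKNOWN = "success", "perm_denied", "user_unknown"

# Keyword control flags expressed as the [value=action] tables that Linux-PAM
# uses internally; pam.conf(5) documents these equivalences.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control):
    """Turn 'required' or '[success=ok user_unknown=ignore default=bad]' into a dict."""
    if control.startswith("["):
        return dict(pair.split("=", 1) for pair in control.strip("[]").split())
    return KEYWORDS[control]

def run_stack(stack, modules, user):
    """Evaluate (control, module) lines for one management group the way the
    libpam dispatcher does, returning the final status (simplified)."""
    impression, status = None, None          # None = nothing decided yet
    for control, name in stack:
        retval = modules[name](user)
        table = parse_control(control)
        action = table.get(retval, table.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            # an earlier recorded failure is never overwritten by a later success
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                        # a sufficient module succeeded: stop here
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
    return status if status is not None else PERM_DENIED

# --- constructed environment (assumed, not from the thread) -----------------
LOCAL_USERS = {"root"}                       # accounts in /etc/passwd
LDAP_USERS = {"alex", "vion", "mallory"}     # posixAccount entries under ou=People
SERVER1_MEMBER_UID = {"alex", "vion"}        # memberUid values of cn=Server1

def pam_unix_account(user):
    # With nss_ldap serving passwd and shadow, pam_unix sees every LDAP user as
    # a valid, unexpired account and reports success for all of them (assumed).
    return SUCCESS if user in LOCAL_USERS | LDAP_USERS else USER_UNKNOWN

def pam_access_account(user):
    return SUCCESS                           # no access.conf rules in play

def pam_ldap_account(user):
    # pam_groupdn + pam_member_attribute memberUid: the uid must be listed.
    if user not in LDAP_USERS:
        return USER_UNKNOWN                  # assumed verdict for non-LDAP users
    return SUCCESS if user in SERVER1_MEMBER_UID else PERM_DENIED

MODULES = {"pam_unix.so": pam_unix_account,
           "pam_access.so": pam_access_account,
           "pam_ldap.so": pam_ldap_account}

# The three account lines exactly as posted in the thread.
POSTED_STACK = [("sufficient", "pam_unix.so"),
                ("required",   "pam_access.so"),
                ("sufficient", "pam_ldap.so")]

# Assumed correction: pam_ldap's denial is recorded as a failure, while local
# users that LDAP does not know about fall through via user_unknown=ignore.
FIXED_STACK = [("required", "pam_unix.so"),
               ("required", "pam_access.so"),
               ("[success=ok user_unknown=ignore default=bad]", "pam_ldap.so")]

def decide(stack, user):
    """Final account-management verdict for `user` under `stack`."""
    return run_stack(stack, MODULES, user)

if __name__ == "__main__":
    for u in ("root", "vion", "mallory"):
        print(f"{u:8} posted={decide(POSTED_STACK, u):13} fixed={decide(FIXED_STACK, u)}")
```

Running it shows the posted stack returning success for "mallory", who is not a memberUid of cn=Server1, because pam_unix's "sufficient" success ends the stack; under the corrected ordering pam_ldap's perm_denied is recorded and the login is refused, while "root" still passes because pam_ldap's user_unknown is mapped to ignore. The same reasoning applies to any stack in which the module that enforces the group policy sits behind a "sufficient" module that cannot tell the two classes of user apart.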