The user is a part of both groupname and groupname2. I am testing with different combinations. UsePAM yes is set in /etc/ssh/sshd_config.

The reason for using pam_member_attribute uniquemember is that 389-ds groups use that attribute for group members (see schema below), so it tells ldap.conf to look at that attribute to verify members. CORRECT ME IF I AM WRONG.

This is the schema of my groups:

dn: cn=GroupName,ou=Groups,dc=domain,dc=com
gidNumber: 1010
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
uniqueMember: uid=username1,ou=People,dc=domain,dc=com
uniqueMember: uid=username2,ou=People,dc=domain,dc=com
cn: GroupName

True, I tried to put "account required pam_access.so" into pam.d/sshd, but it already includes system-auth (which already has pam_access). Hence I didn't add it manually to sshd.

/etc/pam.d/sshd:

auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
account    required     pam_access.so
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

What am I trying to accomplish? I am trying to restrict ssh access to all our servers based on the group membership of posixGroups (groupname1 & 2). So, say, if a user does not belong to that project he/she should not be able to ssh to that box.

Extra info which might or might not be related: I am using the Primary Group for all users as their uidNumber. I think it is called "User Private Groups", where each user's uidNumber and gidNumber are the same. This is to facilitate file/folder ownership in their home folder by using umask 022.

Stpierre from the #389 IRC channel suggested that the syntax for posixGroups in access.conf is not @groupname, but to change it to something like below:

- : ALL EXCEPT root groupname groupname2 : ALL

Thanks for your help.
-Prashanth

* From: "Tidwell Robert - rtidwe" <Robert Tidwell acxiom com>
* To: <fedora-directory-users redhat com>
* Subject: RE: [389-users] Access.conf issue
* Date: Wed, 18 Nov 2009 11:15:32 -0600

Title: Access.conf issue

Is your user a part of the groupname or groupname2 group? And is "UsePAM yes" set in your sshd_config?

Although, I am not sure that the pam_member_attribute uniquemember is going to work in this situation. Pam is looking to evaluate that the user is a member of the group that you specify for "pam_groupdn" in ldap.conf.

Based on what you are saying, you are simply using pam_access to control ssh access to the server. But instead of the pam_access line being in system_auth, I have it in /etc/pam.d/sshd, which it looks like yours is also, based on the error messages.

Robert
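To see how the access.conf line suggested on #389 behaves for the users in the thread, here is an added Python model of pam_access's first-match evaluation; it is not code from the thread or from Linux-PAM, and it assumes the user's groups have already been resolved (for example via the uniqueMember-based posixGroups) and that no NIS netgroups exist, which is why the @groupname spelling never matches anyone.

```python
# Added example (not the pam_access source): a minimal model of access.conf
# evaluation. Lines are "permission : users : origins"; the first line whose
# users and origins fields both match decides ('+' permit, '-' deny); no match
# means permit. Assumes NSS/LDAP has resolved groups; no NIS netgroups exist.
from typing import Iterable

def _users_match(field: str, user: str, groups: set) -> bool:
    """ALL, login name, bare or (parenthesised) group, @netgroup; 'A EXCEPT B'."""
    if " EXCEPT " in field:
        left, right = field.split(" EXCEPT ", 1)
        return _users_match(left, user, groups) and not _users_match(right, user, groups)
    for item in field.split():
        if item in ("ALL", user):
            return True
        if item.startswith("@"):
            continue  # netgroup lookup, assumed unavailable: never matches
        name = item[1:-1] if item.startswith("(") and item.endswith(")") else item
        if name in groups:  # a name that is not the user is tried as a group
            return True
    return False

def _origins_match(field: str, origin: str) -> bool:
    """Origins field: ALL or an exact tty/host name (EXCEPT not modelled here)."""
    return any(item in ("ALL", origin) for item in field.split())

def access_decision(conf: str, user: str, groups: Iterable[str], origin: str = "ALL") -> bool:
    """True if pam_access would permit `user` (member of `groups`) from `origin`."""
    groups = set(groups)
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (part.strip() for part in line.split(":", 2))
        if _users_match(users, user, groups) and _origins_match(origins, origin):
            return perm == "+"
    return True  # no line matched: access granted

# Constructed configs: the line suggested on #389, and the @groupname variant.
GROUP_CONF = "- : ALL EXCEPT root groupname groupname2 : ALL\n"
NETGROUP_CONF = "- : ALL EXCEPT root @groupname @groupname2 : ALL\n"

def demo(conf: str = GROUP_CONF) -> dict:
    """Constructed users; with User Private Groups the primary group is the
    user's own name, so project access rests on the posixGroup membership."""
    return {
        "username1": access_decision(conf, "username1", {"username1", "groupname"}),
        "username2": access_decision(conf, "username2", {"username2", "groupname2"}),
        "outsider": access_decision(conf, "outsider", {"outsider"}),
        "root": access_decision(conf, "root", {"root"}),
    }
```

Call demo() for the bare-group line and demo(NETGROUP_CONF) for the @groupname variant; under the latter only root gets in, which is the lockout the #389 advice is about.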