Pam_member_attribute is specific to pam_ldap and, according to the man page for pam_ldap, is only evaluated if the pam_groupdn option is specified.

As far as "LDAP" posixgroups in /etc/security/access.conf, I can assure you that the way StPierre described below will work. I am using that same type of setup on top of the pam_groupdn in /etc/ldap.conf.

Good luck.

Robert M. Tidwell | System Engineer/Architect/Administrator
Acxiom Distributed Systems Central Arkansas
00-1-501-342-4127 office | 00-1-501-908-2790 cell | 00-1-501-342-3932 fax
301 East Dave Ward Drive | Conway, AR 72032 | USA | www.acxiom.com <http://www.acxiom.com>

From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Prashanth Sundaram
Sent: Thursday, November 19, 2009 11:29 AM
To: fedora-directory-users at redhat.com
Cc: Rober.Tidwell at acxiom.com
Subject: RE: [389-users] Access.conf issue

The user is a part of both groupname and groupname2. I am in testing with different combinations.

UsePAM yes is set in /etc/ssh/sshd_config

Reason for using pam_member_attribute uniquemember is because 389-ds groups use that attribute for group members (see schema below). So to tell the ldap.conf to look at that attribute to verify members. CORRECT ME IF I AM WRONG

This is the schema of my groups

    dn: cn=GroupName,ou=Groups, dc=domain, dc=com
    gidNumber: 1010
    objectClass: top
    objectClass: groupOfUniqueNames
    objectClass: posixGroup
    uniqueMember: uid=username1,ou=People,dc=domain,dc=com
    uniqueMember: uid=username2,ou=People,dc=domain,dc=com
    cn: GroupName

True, I tried to put the account required pam_access.so to the pam.d/sshd, but since it already includes the system-auth (which already has pam_access). Hence I didn't add manually to sshd.
/etc/pam.d/sshd

    auth       include      system-auth
    account    required     pam_nologin.so
    account    include      system-auth
    account    required     pam_access.so
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so

What I am trying to accomplish?

I am trying to restrict the ssh access to all our servers based on the group membership of posixgroups (groupname1 & 2). So say if a user does not belong to that project he/she should not be able to ssh to that box.

Extra info which might or might not be related: I am using Primary Group for all users as their uidNumber. I think it is called "User Private Groups", where each user's uidNumber and gidNumber are the same. This is to facilitate the file/folder ownership in their home folder by using umask 022.

Stpierre from #389 IRC channel suggested that the syntax for posixGroups in access.conf is not @groupname. But to change it to something like below.

    - : ALL EXCEPT root groupname groupname2 : ALL

Thanks for your help.

-Prashanth

* From: "Tidwell Robert - rtidwe" <Robert Tidwell acxiom com>
* To: <fedora-directory-users redhat com>
* Subject: RE: [389-users] Access.conf issue
* Date: Wed, 18 Nov 2009 11:15:32 -0600

________________________________

Is your user a part of the groupname or groupname2 group? And is "UsePAM yes" set in your sshd_config?

Although, I am not sure that the pam_member_attribute uniquemember is going to work in this situation. Pam is looking to evaluate that the user is a member of the group that you specify for "pam_groupdn" in ldap.conf. Based on what you are saying, you are simply using pam_access to control ssh access to the server. But instead of the pam_access line being in system_auth, I have it in /etc/pam.d/sshd, which it looks like yours is also based on the error messages.
Robert
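
Added example (not part of the original thread, and not pam_access source code): a simplified Python model of how the access.conf rule quoted above is evaluated, showing why bare group names admit members of the posixGroups while @groupname, which is the netgroup syntax, does not. The group data is constructed, and the model assumes pam_access runs without the nodefgroup option, so bare tokens are also tried as group names.

```python
# Simplified model of how pam_access evaluates access.conf rules.
# Added example: not pam_access source code. All data below is constructed.
GROUPS = {  # posixGroup membership as NSS would resolve it from LDAP
    "groupname": {"username1", "username2"},
    "groupname2": {"username2"},
}
NETGROUPS = {}  # assumption: no NIS netgroups are defined on this host

def token_matches(tok, user):
    if tok.upper() == "ALL":
        return True
    if tok.startswith("@"):  # "@name" is a netgroup, never a posixGroup
        return user in NETGROUPS.get(tok[1:], set())
    if tok.startswith("(") and tok.endswith(")"):  # explicit "(group)" form
        return user in GROUPS.get(tok[1:-1], set())
    # Bare token: tried as a login name, then as a group name.
    return tok == user or user in GROUPS.get(tok, set())

def list_matches(tokens, user):
    """Match a users field, including the EXCEPT operator."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, rest = tokens[:i], tokens[i + 1:]
    else:
        head, rest = tokens, None
    if not any(token_matches(t, user) for t in head):
        return False
    return rest is None or not list_matches(rest, user)

def allowed(rules, user):
    """First matching rule decides; if no rule matches, access is granted."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = [f.strip() for f in line.split(":", 2)]
        # Only the origin "ALL" is modelled here; other origins are skipped.
        if origins.upper() == "ALL" and list_matches(users.split(), user):
            return perm == "+"
    return True

POSIX_RULE = "- : ALL EXCEPT root groupname groupname2 : ALL"
NETGROUP_RULE = "- : ALL EXCEPT root @groupname @groupname2 : ALL"

if __name__ == "__main__":
    for name, rule in (("bare", POSIX_RULE), ("@", NETGROUP_RULE)):
        for user in ("root", "username1", "username2", "outsider"):
            print(name, user, "allowed" if allowed(rule, user) else "denied")
```

With the @ form every non-root user falls through to the deny, including members of both groups, because the names are looked up as netgroups rather than posixGroups.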