Preventing ssh keys from granting a user access when LDAP account is disabled.

On 07/21/2010 08:53 AM, Gordon Messmer wrote:
> There are a number of pam_... options available in /etc/ldap.conf, but
> I'm not sure if those are used when doing ssh logins with keys.  That's
> probably worth checking out if you use nss_ldap.  There are probably
> similar options for nss_sss, but I haven't looked at that yet either. :)

I played around with some options after setting the following in 
/etc/ldap.conf:
pam_filter !(nsRoleDN=cn=nsmanageddisabledrole,dc=...)

The syntax is correct, and it works for password authentication (such as 
"su").  However, even after setting all of the ldap modules in PAM to 
"required", I'm still able to log in with a key.  The documentation for 
PAM in the sshd configuration file leads me to believe that this cannot 
be made to work.  If you allow key based logins, you cannot lock 
accounts out using PAM+LDAP.  That means that if you want to lock out a 
user, you must completely invalidate their account.  The big drawback 
would be that a user who mistypes their password too many times will 
probably stop receiving email (assuming you've tied your email system to 
LDAP).

I believe you can do that in /etc/ldap.conf:
nss_base_passwd ou=People..?sub?!(nsRoleDN=...)

>> I still don't understand pam as well as I should but it would make
>> sense to me for PAM to "check" LDAP before checking ssh...

Remember that OpenSSH is maintained by the OpenBSD developers, where 
there is no PAM.  PAM support is added by the Portable OpenSSH group. 
Support for PAM is probably imperfect.
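As an added illustration of the nss_base_passwd workaround mentioned above (this is not code from the thread or from nss_ldap), here is a small Python model of how a "base?scope?filter" value narrows the passwd lookup so that a disabled account never resolves at all, which is what keeps a key-based login from finding the user. The role DN, base DN, sample entries and the exact way the extra filter is wrapped into the lookup filter are assumptions.

```python
# Added example, not from the thread: models how nss_ldap turns an nss_base_passwd
# "base?scope?filter" entry into the passwd lookup filter (role DN, base DN, wrapping assumed).
DISABLED_ROLE = "cn=nsmanageddisabledrole,dc=example,dc=com"  # assumed role DN
NSS_BASE_PASSWD = "ou=People,dc=example,dc=com?sub?!(nsRoleDN=%s)" % DISABLED_ROLE

# Constructed sample directory entries: attribute name -> list of values.
ENTRIES = [
    {"uid": ["alice"], "objectClass": ["posixAccount"], "nsRoleDN": []},
    {"uid": ["bob"], "objectClass": ["posixAccount"], "nsRoleDN": [DISABLED_ROLE]},
    {"uid": ["carol"], "objectClass": ["inetOrgPerson"], "nsRoleDN": []},  # not a POSIX account
]

def parse_nss_base(spec):
    """Split 'base?scope?filter'; scope defaults to sub, filter to empty."""
    parts = (spec.split("?") + ["", ""])[:3]
    return parts[0], parts[1] or "sub", parts[2]

def parse_filter(s, i=0):
    """Parse the RFC 4515 subset (attr=value), (&...), (!...) at s[i]; returns (node, next index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError("malformed compound filter at %d in %r" % (i, s))
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    op = node[0]
    if op == "=":
        return node[2].lower() in (v.lower() for v in entry.get(node[1], []))
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    return not matches(node[1][0], entry)  # "!" has exactly one child

def lookup_filter(spec, uid):  # modelled filter nss_ldap sends for getpwnam(uid)
    extra = parse_nss_base(spec)[2]
    return "(&(objectClass=posixAccount)(uid=%s)%s)" % (uid, "(%s)" % extra if extra else "")

def resolves(uid, spec=NSS_BASE_PASSWD, entries=ENTRIES):  # can sshd see the user at all?
    node, _ = parse_filter(lookup_filter(spec, uid))
    return any(matches(node, e) for e in entries)
```

A real resolver must escape the uid per RFC 4515 before interpolating it into the filter; the model above skips that step for brevity.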

