Again, try listing them all on one line. SSH is probably only looking at
one of them.

From man sshd_config:

*AllowGroups*
    This keyword can be followed by a list of group name patterns,
    separated by spaces.

On 11/17/2010 12:08 PM, Allan Hougham wrote:
> Hi Patrick,
>
> This is my sshd_conf, and my groups:
>
> AllowGroups root ref
> AllowGroups Bids ref
> AllowGroups Search ref
>
> Thanks in advance
>
> # $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
> # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options change a
> # default value.
> Port 22
> #Protocol 2,1
> Protocol 2
> #AddressFamily any
> #ListenAddress 0.0.0.0
> #ListenAddress ::
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 1h
> #ServerKeyBits 768
> # Logging
> # obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> SyslogFacility AUTHPRIV
> #LogLevel INFO
> LogLevel DEBUG
> # Authentication:
> #LoginGraceTime 2m
> LoginGraceTime 1m
> PermitRootLogin yes
> #PermitRootLogin no
> #StrictModes yes
> #MaxAuthTries 6
> MaxAuthTries 6
>
> AllowGroups root ref
> AllowGroups Bids ref
> AllowGroups Search ref
>
> RSAAuthentication yes
> PubkeyAuthentication yes
> AuthorizedKeysFile .ssh/authorized_keys
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> PermitEmptyPasswords no
> PasswordAuthentication yes
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
> ChallengeResponseAuthentication no
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPIAuthentication yes
> #GSSAPICleanupCredentials yes
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication mechanism.
> # Depending on your PAM configuration, this may bypass the setting of
> # PasswordAuthentication, PermitEmptyPasswords, and
> # "PermitRootLogin without-password". If you just want the PAM account and
> # session checks to run without PAM authentication, then enable this but set
> # ChallengeResponseAuthentication=no
> #UsePAM no
> UsePAM yes
> # Accept locale-related environment variables
> #AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> #AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> #AcceptEnv LC_IDENTIFICATION LC_ALL
> #AllowTcpForwarding yes
> AllowTcpForwarding yes
> #GatewayPorts no
> #X11Forwarding no
> X11Forwarding no
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> #TCPKeepAlive yes
> #UseLogin no
> #UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression delayed
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #ShowPatchLevel no
> #UseDNS yes
> #PidFile /var/run/sshd.pid
> #MaxStartups 10
> #PermitTunnel no
> # no default banner path
> #Banner /some/path
> # override default of no subsystems
> Subsystem sftp /usr/libexec/openssh/sftp-server
>
> ------------------------------------------------------------------------
> Date: Tue, 16 Nov 2010 10:15:22 -0800
> From: patrick.morris at hp.com
> To: 389-users at lists.fedoraproject.org
> Subject: Re: SSH AllowGroups and LDAP authentication
>
> On 11/15/2010 10:00 AM, Allan Hougham wrote:
>
>     Hi,
>
>     I need authenticate LDAPs Groups, but I can't
>     Anybody can working with this feature? or mapping users with
>     groups and later configuring the LDAP Client?
>     What are the steps for setting LDAP Clients with LDAP Groups?
>
> Did you see my last reply on this? I'm pretty sure you'd specified
> AllowGroups incorrectly in your SSH configuration.
>
> Assuming you have your groups set up correctly and SSH is using PAM,
> there is no difference between configuring SSH to use LDAP groups and
> configuring it to use local ones.
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
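
The one-line form recommended in the reply above, as an added example that is not part of the original thread: a shell helper that collects every active AllowGroups directive in an sshd_config and rewrites them as a single space-separated line. The function names and the sample file (the three quoted AllowGroups lines plus a constructed commented-out entry) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed sample: the three AllowGroups lines quoted in the message,
# plus a commented-out directive ("wheel" is made up) that must be ignored.
sample_config() {
    cat <<'EOF'
MaxAuthTries 6
#AllowGroups wheel
AllowGroups root ref
AllowGroups Bids ref
AllowGroups Search ref
RSAAuthentication yes
EOF
}

# count_allowgroups FILE: number of active (uncommented) AllowGroups lines.
count_allowgroups() {
    awk 'tolower($1) == "allowgroups" { n++ } END { print n + 0 }' "$1"
}

# merge_allowgroups FILE: print one "AllowGroups g1 g2 ..." line.
# The keyword is matched case-insensitively, group names are kept
# case-sensitive, duplicates are dropped and first-seen order is preserved.
merge_allowgroups() {
    awk '
        tolower($1) == "allowgroups" {
            for (i = 2; i <= NF; i++)
                if (!seen[$i]++) list = list " " $i
        }
        END { if (list != "") print "AllowGroups" list }
    ' "$1"
}

# rewrite_allowgroups FILE: print the config with the merged line in place
# of the first AllowGroups directive and the remaining ones removed.
rewrite_allowgroups() {
    merged=$(merge_allowgroups "$1")
    awk -v merged="$merged" '
        tolower($1) == "allowgroups" { if (!emitted++) print merged; next }
        { print }
    ' "$1"
}

# Demo on the constructed sample; the input file itself is never modified.
cfg=$(mktemp)
sample_config > "$cfg"
echo "active AllowGroups directives: $(count_allowgroups "$cfg")"
rewrite_allowgroups "$cfg"
rm -f "$cfg"
```

After editing the real file, `sshd -t` checks that the configuration parses, and `getent group Bids` confirms that the group resolves through NSS on the host.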