Hi
--
The users are authenticating using their passwords, pam_ldap is being called in /etc/pam.d/system-auth. Please see
cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
Openssh version is latest stable for CentOS 5.x which is openssh-4.3p2-72.el5_7.5
As said ldap authentication using 389 dir server works fine, I just want to limit access to certain hosts per user.
Thanks
On Mon, Mar 5, 2012 at 8:03 PM, Iain Morgan <Iain.Morgan@xxxxxxxx> wrote:
Hello,On Mon, Mar 05, 2012 at 08:09:04 -0600, Ali Jawad wrote:
> Hi
> I did install 389 and LDAP authentication, what i need to do now is allow
> access to users only to certain systems, I did checkout :
> http://directory.fedoraproject.org/wiki/Howto:Posix#How_to_set_up_host_based_access_control
> I tried the old method because I could not figure out the new method, I
> did enable pam_check_host_attr "did not change any pam settings though"
> and I have use_pam enabled in sshd_config, but the user was still able to
> logon through SSH even though no hosts were listed in his attributes.
> Please advice.
> Regards
What version of OpenSSH are you using and how did the user authenticate?
For example, did the user use publickey authentication instead of
password or challenge-response? Are you calling pam_ldap in the account
portion of your PAM stack? What do you see in the LDAP server's access
log when the user authenticates?
--
Iain Morgan
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
Ali Jawad
Information Systems Manager
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
