Hello,

I have an issue when I try to authenticate my openssh against 389-dir when using nested groups. If I add a user to one group only, there are no issues, but if I use nested groups it doesn't work!

This is the log I copied from the 389-dir server:

[12/Nov/2012:23:05:03 +0100] conn=147 fd=81 slot=81 SSL connection from 192.168.xxx.117 to 192.168.xxx.216
[12/Nov/2012:23:05:03 +0100] conn=147 SSL 256-bit AES
[12/Nov/2012:23:05:03 +0100] conn=147 op=0 BIND dn="uid=binduser,cn=config" method=128 version=3
[12/Nov/2012:23:05:03 +0100] conn=147 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=binduser,cn=config"
[12/Nov/2012:23:05:03 +0100] conn=147 op=1 SRCH base="dc=xxxx,dc=local" scope=2 filter="(uid=demo)" attrs=ALL
[12/Nov/2012:23:05:03 +0100] conn=147 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[12/Nov/2012:23:05:03 +0100] conn=147 op=2 BIND dn="uid=demo,ou=IT_Operation,ou=Company,dc=xxxx,dc=local" method=128 version=3
[12/Nov/2012:23:05:03 +0100] conn=147 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=demo,ou=it_operation,ou=company,dc=xxxx,dc=local"
[12/Nov/2012:23:05:03 +0100] conn=147 op=3 BIND dn="uid=binduser,cn=config" method=128 version=3
[12/Nov/2012:23:05:03 +0100] conn=147 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=binduser,cn=config"
[12/Nov/2012:23:05:03 +0100] conn=147 op=4 CMP dn="cn=lin17_access,ou=production,ou=hosts,dc=xxxx,dc=local" attr="uniquemember"
[12/Nov/2012:23:05:03 +0100] conn=147 op=4 RESULT err=16 tag=111 nentries=0 etime=0
[12/Nov/2012:23:05:05 +0100] conn=147 op=5 UNBIND

This is my /etc/ldap.conf:

host 389-svr01.xxxx.local 389-svr02.xxxx.local
port 636
base dc=xxxx,dc=local
pam_password md5
ssl yes
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
bind_policy soft
bind_timelimit 15
timelimit 15
pam_groupdn cn=lin17_access,ou=production,ou=hosts,dc=xxxx,dc=local
ldap_version 3
binddn uid=binduser,cn=config
bindpw yyyy

Can you help me, please?

My desire is to create groups where only some people can log on to certain servers.

Regards.

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
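
An added example, not part of the original post: a small Python parser for the access log lines quoted above that pairs each CMP request with its RESULT and decodes the LDAP result code. On the posted log it shows that the compare against the pam_groupdn entry's uniquemember attribute ended with err=16 (noSuchAttribute) rather than compareTrue. The function name, regular expressions and sample string are assumptions made for this illustration.

```python
import re

# LDAP result codes from RFC 4511 that matter for a compare operation.
RESULT_CODES = {0: "success", 5: "compareFalse", 6: "compareTrue",
                16: "noSuchAttribute", 32: "noSuchObject",
                50: "insufficientAccessRights"}

OP_LINE = re.compile(r'conn=(\d+) op=(\d+) (CMP|RESULT)\b(.*)')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Sample input: lines copied from the access log in the post above.
SAMPLE = """\
[12/Nov/2012:23:05:03 +0100] conn=147 op=2 BIND dn="uid=demo,ou=IT_Operation,ou=Company,dc=xxxx,dc=local" method=128 version=3
[12/Nov/2012:23:05:03 +0100] conn=147 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=demo,ou=it_operation,ou=company,dc=xxxx,dc=local"
[12/Nov/2012:23:05:03 +0100] conn=147 op=4 CMP dn="cn=lin17_access,ou=production,ou=hosts,dc=xxxx,dc=local" attr="uniquemember"
[12/Nov/2012:23:05:03 +0100] conn=147 op=4 RESULT err=16 tag=111 nentries=0 etime=0
[12/Nov/2012:23:05:05 +0100] conn=147 op=5 UNBIND
"""


def failed_compares(log_text):
    """Pair each CMP with its RESULT; return those that were not compareTrue."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = OP_LINE.search(line)
        if not m:
            continue  # connection, BIND, SRCH and UNBIND lines are ignored
        key = (int(m.group(1)), int(m.group(2)))
        fields = {k: quoted or bare
                  for k, quoted, bare in FIELD.findall(m.group(4))}
        if m.group(3) == "CMP":
            pending[key] = fields
        elif key in pending:  # RESULT that answers a pending CMP
            request = pending.pop(key)
            err = int(fields["err"])
            if err != 6:  # 6 = compareTrue, the only "is a member" answer
                findings.append({
                    "conn": key[0], "op": key[1],
                    "group_dn": request["dn"], "attr": request["attr"],
                    "err": err, "meaning": RESULT_CODES.get(err, "unknown"),
                })
    return findings


if __name__ == "__main__":
    for finding in failed_compares(SAMPLE):
        print(finding)
```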