RE: [389-users] Access.conf issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Title: RE: [389-users] Access.conf issue

The user is a part of both groupname and groupname2. I am in testing with different combinations.

UsePAM yes is set in /etc/ssh/sshd_config

Reason for using pam_member_attribute uniquemember is because 389-ds groups uses that attribute for group members.(see schema below) So to tell the ldap.conf to look at that attribute to verify members.  CORRECT ME IF I AM WRONG

This is the schema of my groups
dn: cn=GroupName,ou=Groups, dc=domain, dc=com
 gidNumber: 1010
 objectClass: top
 objectClass: groupOfUniqueNames
 objectClass: posixGroup
uniqueMember: uid=username1,ou=People,dc=domain,dc=com
 uniqueMember: uid=username2,ou=People,dc=domain,dc=com
 cn: GroupName

True, I tried to put the account required pam_access.so to the pam.d/sshd, but since it already includes the system-auth(which already has pam_access). Hence I didn;t add manually to sshd.

/etc/pam.d/sshd
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
account    required     pam_access.so
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

What I am trying to accomplish?
I am trying to restrict  the ssh access to all our servers based on the groupmembership of posixgroups(groupname1 & 2). So say if a user does not belong to that project he/she should not be able to ssh to that box.

Extra info which might or not be related: I am using Primary Group for all users as their uidNumber. I think it is called “User Private Groups” where each user’s uidNumber and gidNumber are same. This is to facilitate the file/folders ownership in their home folder by using umask 022.

Stpierre from #389 IRC channel suggested that the syntax for posixGroups in access.conf is not @groupname. But to change it something like below.

- : ALL EXCEPT root groupname groupname2 : ALL


Thanks for you help.

-Prashanth

Title: Access.conf issue
Is your user a part of the groupname or groupname2 group?    And, is “UsePAM yes” and set in your sshd_config?   Although, I am not sure that the pam_member_attribute uniquemember is going to work in this situation.  Pam is looking to evaluate that the user is a member of the group that you specify for “pam_groupdn” in ldap.conf.    Based on what you are saying, you are simply using pam_access to control ssh access to the server.  But instead of the pam_access line being in system_auth, I have it in /etc/pam.d/sshd, which it looks like yours is also based on the error messages.      Robert
 
--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux