pam_member_attribute is specific to pam_ldap and, according to the man page for pam_ldap, is only evaluated if the pam_groupdn option is specified.
As far as “LDAP” posixGroups in /etc/security/access.conf, I can assure you that the way StPierre described below will work. I am using that same type of setup on top of the pam_groupdn in /etc/ldap.conf.
Good luck.
Robert M. Tidwell | System Engineer/Architect/Administrator
Acxiom Distributed Systems Central Arkansas
00-1-501-342-4127 office
| 00-1-501-908-2790 cell | 00-1-501-342-3932 fax
301 East Dave Ward Drive | Conway, AR 72032 | USA | www.acxiom.com
From: fedora-directory-users-bounces@xxxxxxxxxx [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Prashanth Sundaram
Sent: Thursday, November 19, 2009 11:29 AM
To: fedora-directory-users@xxxxxxxxxx
Cc: Rober.Tidwell@xxxxxxxxxx
Subject: RE: [389-users] Access.conf issue
The user is a part of both groupname and groupname2. I am testing with different combinations.
UsePAM yes is set in /etc/ssh/sshd_config.
The reason for using pam_member_attribute uniquemember is that 389-ds groups use that attribute for group members (see schema below), so this tells ldap.conf to look at that attribute to verify members. CORRECT ME IF I AM WRONG.
This is the schema of my groups:
dn: cn=GroupName,ou=Groups, dc=domain, dc=com
gidNumber: 1010
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
uniqueMember: uid=username1,ou=People,dc=domain,dc=com
uniqueMember: uid=username2,ou=People,dc=domain,dc=com
cn: GroupName
True, I tried to put “account required pam_access.so” in pam.d/sshd, but it already includes system-auth (which already has pam_access), so I didn't add it manually to sshd.
/etc/pam.d/sshd:
auth       include   system-auth
account    required  pam_nologin.so
account    include   system-auth
account    required  pam_access.so
password   include   system-auth
session    optional  pam_keyinit.so force revoke
session    include   system-auth
session    required  pam_loginuid.so
What am I trying to accomplish?
I am trying to restrict ssh access to all our servers based on group membership of posixGroups (groupname1 & 2). So if a user does not belong to that project, he/she should not be able to ssh to that box.
Extra info which might or might not be related: I am using the Primary Group for all users as their uidNumber. I think it is called “User Private Groups”, where each user's uidNumber and gidNumber are the same. This is to facilitate file/folder ownership in their home folder by using umask 022.
Stpierre from the #389 IRC channel suggested that the syntax for posixGroups in access.conf is not @groupname, but something like the line below.
- : ALL EXCEPT root groupname groupname2 : ALL
Thanks for your help.
-Prashanth
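To make the access.conf line under discussion concrete, here is an added example (not from this thread and not Linux-PAM's own code) that models how pam_access reads /etc/security/access.conf and decides on a login: a rule is "permission : users/groups : origins", a bare name is tried as a user name and then as a group name (so no "@" prefix, which pam_access reserves for netgroups), "EXCEPT" carves exceptions out of a list, the first matching rule wins, and no match means access is granted. The group table is constructed and stands in for what NSS would return for each user (for the posixGroup entries above that is memberUid, or uniqueMember if nss_ldap is configured for the rfc2307bis schema); user and group names are taken from the thread.

```python
"""Simplified model of pam_access evaluation of /etc/security/access.conf.

Added example for illustration only; it is not the pam_access module and
resolves group membership from a constructed table instead of NSS.
"""
from typing import Dict, List, Set, Tuple

# Constructed stand-in for the NSS view of each user's groups
# (user private group plus supplementary posixGroups).
GROUPS: Dict[str, Set[str]] = {
    "username1": {"username1", "groupname"},
    "username2": {"username2", "groupname", "groupname2"},
    "outsider": {"outsider"},
    "root": {"root"},
}

Rule = Tuple[str, List[str], List[str]]  # (permission, users, origins)


def parse_access_conf(text: str) -> List[Rule]:
    """Parse access.conf text into (permission, user tokens, origin tokens)."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3:
            raise ValueError(f"malformed access.conf rule: {raw!r}")
        perm, users, origins = parts
        if perm not in ("+", "-"):
            raise ValueError(f"permission must be + or -: {raw!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules


def _name_matches(token: str, user: str, groups: Set[str]) -> bool:
    """Match one user-list token the way pam_access does."""
    if token == "ALL":
        return True
    if token.startswith("@"):
        return False  # "@name" is a netgroup in pam_access; not modelled here
    if token.startswith("(") and token.endswith(")"):
        return token[1:-1] in groups  # parentheses force a group lookup
    # A bare name is tried as the user name first, then as a group name.
    return token == user or token in groups


def _list_matches(tokens: List[str], user: str, groups: Set[str]) -> bool:
    """'a b EXCEPT c d' matches when any of a,b matches and none of c,d does."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        include, exclude = tokens[:i], tokens[i + 1:]
    else:
        include, exclude = tokens, []
    return any(_name_matches(t, user, groups) for t in include) and not any(
        _name_matches(t, user, groups) for t in exclude
    )


def _origin_matches(tokens: List[str], origin: str) -> bool:
    """Origins: ALL matches anything, otherwise an exact host/tty match."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        include, exclude = tokens[:i], tokens[i + 1:]
    else:
        include, exclude = tokens, []
    hit = any(t == "ALL" or t == origin for t in include)
    return hit and not any(t == "ALL" or t == origin for t in exclude)


def check_access(rules: List[Rule], user: str, origin: str) -> bool:
    """First matching rule decides; with no match pam_access grants access."""
    groups = GROUPS.get(user, {user})
    for perm, users, origins in rules:
        if _list_matches(users, user, groups) and _origin_matches(origins, origin):
            return perm == "+"
    return True


# The rule from the thread: deny everyone except root and the two groups.
ACCESS_CONF = "- : ALL EXCEPT root groupname groupname2 : ALL\n"

# A common alternative with the same intent, written allow-then-deny.
ACCESS_CONF_ALLOW_FIRST = (
    "+ : root (groupname) (groupname2) : ALL\n"
    "- : ALL : ALL\n"
)


if __name__ == "__main__":
    for conf in (ACCESS_CONF, ACCESS_CONF_ALLOW_FIRST):
        rules = parse_access_conf(conf)
        for user in GROUPS:
            print(f"{user:10s} -> {'allow' if check_access(rules, user, '10.0.0.5') else 'deny'}")
```

Both rule sets grant root, username1 and username2 and deny outsider; the point of the model is that the group names are matched against NSS group membership, so if nss_ldap does not actually resolve the user into the posixGroup (for example because membership is only recorded in uniqueMember and the NSS schema setting expects memberUid), the EXCEPT clause never fires and the user is denied.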
From: "Tidwell Robert - rtidwe" <Robert Tidwell acxiom com>
To: <fedora-directory-users redhat com>
Subject: RE: [389-users] Access.conf issue
Date: Wed, 18 Nov 2009 11:15:32 -0600
Is your user a part of the groupname or groupname2 group? And is “UsePAM yes” set in your sshd_config? Although, I am not sure that pam_member_attribute uniquemember is going to work in this situation. PAM is looking to evaluate that the user is a member of the group that you specify for “pam_groupdn” in ldap.conf.
Based on what you are saying, you are simply using pam_access to control ssh access to the server. But instead of the pam_access line being in system-auth, I have it in /etc/pam.d/sshd, which it looks like yours is also, based on the error messages.
Robert