auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so config=/usr/local/etc/openldap/ldap-ssh.conf debug try_first_pass
auth required pam_unix.so no_warn try_first_pass
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so debug
account required pam_unix.so
session required pam_permit.so
password sufficient /usr/local/lib/pam_ldap.so debug
password required pam_unix.so no_warn try_first_pass
bash-2.05b# cat /usr/local/etc/openldap/ldap-ssh.conf
host 127.0.0.1
base dc=example,dc=com
rootbinddn cn=proxyuser,dc=example,dc=com
scope one
#pam_filter objectclass=posixaccount
#pam_login_attribute uid
pam_groupdn cn=ssh,ou=groups,dc=example,dc=com
pam_member_attribute memberuid
pam_password SSHA
nss_base_passwd ou=users,dc=example,dc=com?one
nss_base_shadow ou=users,dc=example,dc=com?one
nss_base_group ou=groups,dc=example,dc=com?one
So I'm trying to permit users who are only members of the group "ssh". As per this ldap entry below, this one user should only be permitted to ssh in:
dn: cn=ssh,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ssh
gidNumber: 10009
memberUid: testuser.discord.ca
This isn't working. Anyone can ssh in so I'm not sure what I'm doing wrong.
I have an nss_ldap.conf which the pam queries also, but will a config explicitly configured as I have done above override the nss_ldap.conf?
Any ideas?
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
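To see how the control flags in a stack like the one quoted above combine into a final decision, here is an added Python example (not from the original post or from the pam_ldap project) that parses PAM chain lines and evaluates them against constructed per-module outcomes. It assumes the standard required/requisite/sufficient/optional/binding semantics documented for OpenPAM and Linux-PAM, ignores module arguments, and talks to neither PAM nor LDAP; the module results in it are made up for illustration.

```python
"""Evaluate a PAM chain's outcome from per-module results.

Added example. Control-flag semantics follow the OpenPAM/Linux-PAM
documentation; module results are constructed, not obtained from PAM.
"""

from dataclasses import dataclass

# Constructed sample chain: the "account" facility quoted in the post.
ACCOUNT_CHAIN = """\
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so debug
account required pam_unix.so
"""


@dataclass
class Entry:
    facility: str
    control: str
    module: str
    args: tuple


def parse_chain(text):
    """Parse 'facility control module [args...]' lines; skip blanks/comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {line!r}")
        facility, control, module, *args = parts
        entries.append(Entry(facility, control.lower(), module, tuple(args)))
    return entries


def evaluate(entries, results, facility):
    """Return (outcome, trace) for one facility.

    results maps module path -> True (success) / False (failure).
      required   failure is remembered, the chain keeps running
      requisite  failure ends the chain immediately
      sufficient success ends the chain unless a required module already
                 failed; failure is simply ignored
      binding    success ends the chain like sufficient; failure counts
                 as a required failure
      optional   ignored unless it is the only kind of module present
    """
    chain = [e for e in entries if e.facility == facility]
    required_failed = False
    optional_ok = None
    trace = []
    for e in chain:
        ok = results[e.module]
        trace.append((e.control, e.module, "ok" if ok else "fail"))
        if e.control == "required":
            required_failed = required_failed or not ok
        elif e.control == "requisite":
            if not ok:
                return "failure", trace
        elif e.control == "sufficient":
            if ok and not required_failed:
                return "success", trace
        elif e.control == "binding":
            if ok and not required_failed:
                return "success", trace
            if not ok:
                required_failed = True
        elif e.control == "optional":
            optional_ok = ok if optional_ok is None else (optional_ok and ok)
        else:
            raise ValueError(f"unknown control flag {e.control!r}")
    if required_failed:
        return "failure", trace
    if all(e.control == "optional" for e in chain):
        return ("success" if optional_ok else "failure"), trace
    return "success", trace


def demo():
    """Constructed scenario: LDAP group check rejects the user, the other
    account modules accept. Returns the chain outcome."""
    entries = parse_chain(ACCOUNT_CHAIN)
    results = {
        "pam_login_access.so": True,
        "/usr/local/lib/pam_ldap.so": False,
        "pam_unix.so": True,
    }
    outcome, trace = evaluate(entries, results, "account")
    for control, module, verdict in trace:
        print(f"{control:<10} {module:<32} {verdict}")
    print("account chain outcome:", outcome)
    return outcome


if __name__ == "__main__":
    demo()
```

Running it prints the per-module trace followed by the outcome for the constructed scenario; swap the control flag or the module results in the sample strings to compare how a chain behaves under each flag.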