Re: ldap authorization

[Troy Knabe <knabe@xxxxxxxxxxx>]

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass 
use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in 
crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Esquivel, Vicente wrote:
> What does your pam system-auth look like for the account statements?
>
>
>
> > -----Original Message-----
> > From: redhat-list-bounces@xxxxxxxxxx 
> > [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Troy Knabe
> > Sent: Wednesday, October 10, 2007 4:40 PM
> > To: General Red Hat Linux discussion list
> > Subject: Re: ldap authorization
> >
> > # Group to enforce membership of
> > pam_groupdn cn=troy_test,ou=Groups,dc=company,dc=com ## Yes, 
> > I replaced this with my basedn)
> >
> > # Group member attribute
> > pam_member_attribute uniquemember
> >
> >
> > I am the only member of the group, and uniqueMember is the attribute.
> >
> > -Troy
> >
> > Esquivel, Vicente wrote:
> > > For me I only had to make sure that the correct 
> > pam_member_attribute 
> > > was set inside the ldap.conf file.
> > >
> > > Vince
> > >
> > > > -----Original Message-----
> > > > From: redhat-list-bounces@xxxxxxxxxx 
> > > > [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Troy Knabe
> > > > Sent: Wednesday, October 10, 2007 4:35 PM
> > > > To: General Red Hat Linux discussion list
> > > > Subject: RE: ldap authorization
> > > >
> > > > So I have done this and restarted nscd and even rebooted, 
> > but still 
> > > > everyone with an account can access the server.  What I am 
> > I missing?
> > > > -Troy
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: redhat-list-bounces@xxxxxxxxxx 
> > > > [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of mups.cp
> > > > Sent: Wednesday, October 10, 2007 12:40 PM
> > > > To: General Red Hat Linux discussion list
> > > > Subject: Re: ldap authorization
> > > >
> > > > First create a groupOfUniqueNames objectClass in your ldap and set 
> > > > uniqueMember with the full dn for those users that should 
> > be allowed 
> > > > access.
> > > > In /etc/ldap.conf
> > > > pam_groupdn cn=unixusers,ou=Groups,dc=domain,dc=com
> > > > Where unixusers is the group with the groupOfUniqueNames 
> > objectClass 
> > > > you defined before.
> > > >
> > > >
> > > > On 10/10/07, Esquivel, Vicente <Esquivelv@xxxxxxx> wrote:
> > > > > I have much interest on how to get pam_groupdn to work
> > > > because I have
> > > > > been battling with it for a few days now with not hope in sight.
> > > > >
> > > > > Vince
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: redhat-list-bounces@xxxxxxxxxx 
> > > > > > [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of mups.cp
> > > > > > Sent: Wednesday, October 10, 2007 2:30 PM
> > > > > > To: General Red Hat Linux discussion list
> > > > > > Subject: Re: ldap authorization
> > > > > >
> > > > > > You coud use the pam_groupdn option.
> > > > > >
> > > > > > On 10/10/07, Troy Knabe <knabe@xxxxxxxxxxx> wrote:
> > > > > > > I am using Kerberos for authentication and ldap for
> > > > > > authorization.  But I want to limit the ldap users who
> > > > can login to
> > > > > > the server to a specific group.
> > > > > > > Anyone have any perls of wisdom on what needs to be added
> > > > > > to the ldap.conf???
> > > > > > > Thanks
> > > > > > >
> > > > > > > -Troy
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > redhat-list mailing list
> > > > > > > unsubscribe
> > > > > > mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > > > > > > https://www.redhat.com/mailman/listinfo/redhat-list
> > > > > > --
> > > > > > redhat-list mailing list
> > > > > > unsubscribe
> > > > > > mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > > > > > https://www.redhat.com/mailman/listinfo/redhat-list
> > > > > --
> > > > > redhat-list mailing list
> > > > > unsubscribe
> > > > mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > > > > https://www.redhat.com/mailman/listinfo/redhat-list
> > > > --
> > > > redhat-list mailing list
> > > > unsubscribe 
> > mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > > > https://www.redhat.com/mailman/listinfo/redhat-list
> > > >
> > > > --
> > > > redhat-list mailing list
> > > > unsubscribe 
> > mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > > > https://www.redhat.com/mailman/listinfo/redhat-list
> > --
> > redhat-list mailing list
> > unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list