ldap.conf: 'pam_groupdn' being completely ignored?
Brian Jones
jonesy at CS.Princeton.EDU
Tue Jan 6 20:03:45 UTC 2004
Thanks a lot for the prompt reply. This is, essentially, what I'm trying
to do. However, I'd rather do all the configuration in one place if I can.
My first choice is to do it using pam_groupdn, because then it's only
one file that gets altered (/etc/ldap.conf). I don't really see a reason
for it not to work, unless an RPM was goofed up or my config is wrong,
which is hard to do being that it's ONE key/value pair.
My second option is to use 'compat' mode and reference a netgroup
(stored in LDAP) in my passwd/shadow files. This doesn't seem to be as
straightforward as I thought it might be. I can see the searches going
by for the netgroup, but the filter isn't being 'OR'd with a uid of any
kind.
Your idea is already on the list of stuff that I *can* do if I'm
cornered, but this workaround doesn't address why the initial problem
occurs. Option one was easy in RH 9, option 2 works in RH ES/AS/WS,
option 3 will probably work, but this is horribly inconsistent and gives
the appearance of flakiness. I was hoping not to have to tear open
source rpms and code, but...
Thanks again,
brian.
Bevan C. Bennett wrote:
> Brian Jones wrote:
>
>> Hi,
>>
>> Just looking for confirmation: Anyone using fedora core 1 with
>> 'pam_groupdn' enabled in the ldap.conf file? I've used this before on
>> RH 9 without a problem, but now I'm not even seeing any searches going
>> to my LDAP server at all with regard to the value in pam_groupdn. It's
>> as if the value is being completely ignored. No errors either.
>
>
> No help with pam_groupdn, but if what you're trying to accomplish is,
> for example, to only allow administrative ssh access to a server, you
> might want to try something like the following instead:
>
> Add the following line into /etc/pam.d/sshd
> account required pam_access.so
>
> (also into telnetd and any other services you want to restrict)
>
> Add the following list to /etc/security/access.conf
> -:ALL EXCEPT wheel itgroup:ALL
>
> Where 'itgroup' is a POSIX group containing your allowed users, possibly
> stored in LDAP.
>
> I dimly recall playing with pam_groupdn for awhile then abandoning those
> efforts in favor of this approach.
>
>
More information about the fedora-list
mailing list