User Auth with PAM and LDAP
- From: thomas emde scaleon de
- To: pam-list redhat com
- Subject: User Auth with PAM and LDAP
- Date: Tue, 30 Apr 2002 08:27:09 +0200
Hello,
I have stored my user accounts in an LDAP database and for some reason there are
still some users in /etc/passwd.
Now I would like to let both types of users have access to certain Linux boxes
via ssh.
In my /etc/pam.d/sshd I have the following lines:
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix.so # set_secrpc
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_env.so
auth required /lib/security/pam_mail.so
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_pwcheck.so
password required /lib/security/pam_unix.so use_first_pass use_authtok
password sufficient /lib/security/pam_ldap.so
session required /lib/security/pam_unix.so none # trace or debug
session required /lib/security/pam_limits.so
This way it works fine, but additionally I would like to restrict the access of
users to certain hosts only, using the "host" attribute in LDAP where the
accessible hosts are listed. But with the above configuration this won't work:
the user can access any host, even if it is not listed in the LDAP database (yes, I
use "pam_check_host_attr=yes" in my LDAP configuration). If I change the
"auth sufficient /lib/security/pam_ldap.so" into "auth required...", the host
attribute is checked, but now the "/etc/passwd" users cannot log in at all.
Any ideas or hints are greatly appreciated...
With best regards
Thomas Emde
________________________
ScaleOn GmbH & Co. KG
Systems Engineering 1
Geb. B151, Raum 117
D-51368 Leverkusen
Telefon +49 214/30-67603
Telefax +49 214/30-24887
E-Mail thomas.emde@scaleon.de
Internet http://www.scaleon.de
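
The sketch below is an added example, not part of the original post: a simplified model of how Linux-PAM combines control flags, applied to the account lines above, showing that a failing "sufficient" module is ignored when a later "required" module succeeds. The per-module return codes are assumptions (pam_ldap reporting perm_denied for a host that is not listed and user_unknown for an /etc/passwd-only user), and the bracketed control line is one possible alternative, not something from the post.

```python
import re
# Standard Linux-PAM keywords written as their bracketed [value=action] equivalents.
FLAGS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
POSTED = """\
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix.so
"""  # account lines as posted
# Assumed alternative (not from the post): any pam_ldap failure except user_unknown denies.
STRICT = """\
account [success=ok user_unknown=ignore default=bad] /lib/security/pam_ldap.so
account required /lib/security/pam_unix.so
"""

def parse(conf, facility):
    """Return [(actions, module_name)] for one facility of a pam.d file."""
    stack = []
    for line in conf.splitlines():
        m = re.match(r"\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line.split("#", 1)[0])
        if not m or m.group(1) != facility:
            continue
        control, path = m.group(2), m.group(3)
        actions = (dict(kv.split("=") for kv in control[1:-1].split())
                   if control.startswith("[") else FLAGS[control])
        stack.append((actions, path.rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, returns):
    """returns maps module name -> assumed return code; True means access granted."""
    status = None                      # None: no module has decided anything yet
    for actions, module in stack:
        code = returns.get(module, "success")
        action = actions.get(code, actions.get("default", "bad"))
        if action == "die":
            return False
        if action == "bad":
            status = False
        elif action in ("ok", "done") and status is None:
            status = True
        if action == "done":           # stop here; an earlier failure still wins
            break
    return bool(status)

# Constructed cases: assumed return codes per module.
LDAP_WRONG_HOST = {"pam_ldap.so": "perm_denied", "pam_unix.so": "success"}
LOCAL_USER = {"pam_ldap.so": "user_unknown", "pam_unix.so": "success"}
```

In this model, evaluate(parse(POSTED, "account"), LDAP_WRONG_HOST) grants access while the STRICT stack denies it, and LOCAL_USER is admitted by both.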