[Fedora-directory-users] Apache Auth/pam_check_host_attr?

Brian Kosick bkosick at mxlogic.com
Thu Jan 4 00:03:30 UTC 2007 

Hi All,

I've been using FDS for quite a while now, and I'd just like to say I
love it great job!  I'm posting this question because I've been banging
my head for awhile about it.

I'm using FDS as the central Auth server in a pretty much all RH/FC
environment, and currently use pam_check_host_attr to control which
users are allowed to login to which servers.   All was working great
until I upgraded our internal WWW server from RHEL3 to FC6.   The WWW
server is/was using mod_authz_ldap apache module to control what groups
were allowed to login to certain sections of the website, after the
upgrade to FC6, group restrictions stopped working.  Basically, apache
+mod_authz_ldap started denying users that didn't have the WWW server in
the hosts attribute.

My goal is to allow/dis-allow SSH/telnet etc etc using
pam_check_host_attr, but still allow them to login to the http areas of
the server using ldap groups.

Here's my authz_ldap conf

<Directory /var/TEMP/>
      AuthType                  Basic
      AuthName                  "Temporary Folder to Disseminate files"

      AuthzLDAPAuthoritative    On
      AuthzLDAPMethod           ldap
      AuthzLDAPProtocolversion  3
      #AuthzLDAPLogLevel         debug
      AuthzLDAPServer           server.domain.com

      AuthzLDAPUserBase         ou=People,dc=corp,dc=domain,dc=com
      AuthzLDAPUserKey          uid

      AuthzLDAPGroupBase        ou=Groups,dc=corp,dc=domain,dc=com
      AuthzLDAPGroupkey         cn
      AuthzLDAPMemberKey        uniquemember
      AuthzLDAPSetGroupAuth     ldapdn

      Require group qausers dev ops psg threat se

   </Directory>

Like I said this used to work the way I wanted with RHEL3 and an older
version of mod_authz_ldap, can anyone point the way for me?  Now with
FC6 and the authz_ldap that comes with it, I get the error in the
httpd_error.log:

[error] [client 10.30.0.200] PAM: user 'test'  - invalid account:
Permission denied

Now, it only works when I add the FQDN for the WWW server to the users
hosts attribute.  But then the user can SSH to the server also (which I
don't want).


Also asking a second question, can you use hostobject or account with
groups in order to restrict logins using pam_check_host_attr?


I thank you in advance for any pointers, suggestions, or kicks to the
head that will help me resolve my problem.

-- 
Brian Kosick

More information about the Fedora-directory-users mailing list