ldap.conf: 'pam_groupdn' being completely ignored?

Bevan C. Bennett bevan at fulcrummicro.com
Tue Jan 6 20:30:32 UTC 2004


Brian Jones wrote:
> Thanks a lot for the prompt reply. This is, essentially, what I'm trying 
> to do. However, I'd rather do all the configuration in one place if I can.

I think the main reason I ended up doing it with pam_access was for a 
server where I need users to be able to authenticate (through pam_ldap) 
to other services, but didn't want them logging in directly through ssh.

IIRC, pam_groupdn will restrict access for all services that reference 
pam_ldap.

> My first choice is to do it using pam_groupdn, because then it's only 
> one file that gets altered (/etc/ldap.conf). I don't really see a reason 
> for it not to work, unless an RPM was goofed up or my config is wrong, 
> which is hard to do being that it's ONE key/value pair.

If I understand correctly, you haven't changed the LDAP server any, and 
this works on a RH9 box with the same ldap.conf file? Do the pam_ldap 
entries differ substantially between the two boxes in the relevant 
/etc/pam.d/* files (probably system-auth)?

> My second option is to use 'compat' mode and reference a netgroup 
> (stored in LDAP) in my passwd/shadow files. This doesn't seem to be as 
> straightforward as I thought it might be. I can see the searches going 
> by for the netgroup, but the filter isn't being 'OR'd with a uid of any 
> kind.

That sounds nasty and kludgy.

> Your idea is already on the list of stuff that I *can* do if I'm 
> cornered, but this workaround doesn't address why the initial problem 
> occurs. Option one was easy in RH 9, option 2 works in RH ES/AS/WS, 
> option 3 will probably work, but this is horribly inconsistent and gives 
> the appearance of flakiness. I was hoping not to have to tear open 
> source rpms and code, but...

Very true, but it's always good to have options. Why do you say that 
using pam_access gives the appearance of flakiness? I've found it to be 
robust on servers running RH7.3 through FC1.

Let's see if we can narrow down your pam_groupdn problems better. 
Discussing whether or not pam_groupdn is the best solution to your 
particular environment is a rather different (although potentially 
interesting) discussion that we can leave for later.

-Bevan Bennett
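As an added example (not from this thread), a small Python emulation of the check pam_ldap applies when pam_groupdn is set: after the bind succeeds it looks for the user's full DN among the group's pam_member_attribute values, so a posixGroup that lists members only by memberUid will never satisfy it, which is one common reason the setting looks "ignored". The ldap.conf text, DNs and group entry below are constructed for illustration.

```python
# Emulates pam_ldap's 'pam_groupdn' authorization step. After a successful
# bind, pam_ldap reads the entry named by pam_groupdn and checks whether the
# attribute named by pam_member_attribute (default: uniquemember) contains
# the authenticated user's DN. Sample config and group entry are constructed.

LDAP_CONF = """
# /etc/ldap.conf (constructed sample)
base dc=example,dc=com
pam_login_attribute uid
pam_groupdn cn=sshusers,ou=groups,dc=example,dc=com
pam_member_attribute uniquemember
"""

# Constructed group entry, as an LDAP server would return it.
GROUP_ENTRY = {
    "dn": "cn=sshusers,ou=groups,dc=example,dc=com",
    "objectclass": ["groupOfUniqueNames"],
    "uniquemember": ["uid=alice,ou=people,dc=example,dc=com"],
    # memberUid-style (posixGroup) values are never consulted by pam_groupdn
    "memberuid": ["bob"],
}

def parse_ldap_conf(text):
    """Return key -> value for the non-comment lines of an ldap.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf

def normalize_dn(dn):
    """Compare DNs case-insensitively, ignoring spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def groupdn_allows(conf, user_dn, group_entry):
    """Allow if pam_groupdn is unset, or if the configured group's member
    attribute lists the user's full DN."""
    groupdn = conf.get("pam_groupdn")
    if not groupdn:
        return True  # no group restriction configured
    if normalize_dn(group_entry["dn"]) != normalize_dn(groupdn):
        return False  # entry does not match pam_groupdn (e.g. a DN typo)
    attr = conf.get("pam_member_attribute", "uniquemember").lower()
    members = {normalize_dn(m) for m in group_entry.get(attr, [])}
    return normalize_dn(user_dn) in members

if __name__ == "__main__":
    conf = parse_ldap_conf(LDAP_CONF)
    for dn in ("uid=alice,ou=people,dc=example,dc=com",
               "uid=bob,ou=people,dc=example,dc=com"):
        print(dn, "->", "allowed" if groupdn_allows(conf, dn, GROUP_ENTRY) else "denied")
```

Because pam_ldap performs this check itself, it applies to every service whose PAM stack includes pam_ldap; restricting only ssh is what pam_access and /etc/security/access.conf are for.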