ldap.conf: 'pam_groupdn' being completely ignored?
Bevan C. Bennett
bevan at fulcrummicro.com
Tue Jan 6 20:30:32 UTC 2004
Brian Jones wrote:
> Thanks a lot for the prompt reply. This is, essentially, what I'm trying
> to do. However, I'd rather do all the configuration in one place if I can.
I think the main reason I ended up doing it with pam_access was for a
server where I need users to be able to authenticate (through pam_ldap)
to other services, but didn't want them logging in directly through ssh.
IIRC, pam_groupdn will restrict access for all services that reference
pam_ldap.
> My first choice is to do it using pam_groupdn, because then it's only
> one file that gets altered (/etc/ldap.conf). I don't really see a reason
> for it not to work, unless an RPM was goofed up or my config is wrong,
> which is hard to do being that it's ONE key/value pair.
If I understand correctly, you haven't changed the LDAP server any, and
this works on a RH9 box with the same ldap.conf file? Do the pam_ldap
entries differ substantially between the two boxes in the relevant
/etc/pam.d/* files (probably system-auth)?
> My second option is to use 'compat' mode and reference a netgroup
> (stored in LDAP) in my passwd/shadow files. This doesn't seem to be as
> straightforward as I thought it might be. I can see the searches going
> by for the netgroup, but the filter isn't being 'OR'd with a uid of any
> kind.
That sounds nasty and kludgy.
> Your idea is already on the list of stuff that I *can* do if I'm
> cornered, but this workaround doesn't address why the initial problem
> occurs. Option one was easy in RH 9, option 2 works in RH ES/AS/WS,
> option 3 will probably work, but this is horribly inconsistent and gives
> the appearance of flakiness. I was hoping not to have to tear open
> source rpms and code, but...
Very true, but it's always good to have options. Why do you say that
using pam_access gives the appearance of flakiness? I've found it to be
robust on servers running RH7.3 through FC1.
Let's see if we can narrow down your pam_groupdn problems better.
Discussing whether or not pam_groupdn is the best solution to your
particular environment is a rather different (although potentially
interesting) discussion that we can leave for later.
-Bevan Bennett
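Added example, not part of the post above and not the code of pam_ldap or pam_access themselves: a small Python model of the two mechanisms Bevan contrasts, pam_groupdn in /etc/ldap.conf (checked by pam_ldap in every service that references it) versus a pam_access rule placed only in the sshd stack. All user names, DNs, hosts, group names and the two config texts are constructed for illustration; the evaluation rules follow what the modules actually do (pam_groupdn is a compare of the user's DN against the member attribute of the group entry; access.conf is first matching rule wins, default allow), but simplified to the subset the example needs.

```python
# Added example: a model of pam_groupdn vs. pam_access scoping, not module code.
# Constructed sample data: users and DNs, the LDAP group entry pam_ldap would
# compare against, and the Unix group as NSS would hand it to pam_access.
USER_DN = {u: f"uid={u},ou=People,dc=example,dc=com" for u in ("alice", "bob", "carol")}
GROUP_DN = "cn=shellusers,ou=Groups,dc=example,dc=com"
LDAP_GROUP_MEMBERS = {GROUP_DN: {"uniquemember": {USER_DN["alice"], USER_DN["bob"]}}}
UNIX_GROUPS = {"shellusers": {"alice", "bob"}}

LDAP_CONF = """\
# /etc/ldap.conf (pam_ldap side), constructed
base dc=example,dc=com
pam_groupdn cn=shellusers,ou=Groups,dc=example,dc=com
pam_member_attribute uniquemember
"""
ACCESS_CONF = """\
# /etc/security/access.conf, constructed: shellusers only, from anywhere
+ : shellusers : ALL
- : ALL : ALL
"""
# Which modules each service's /etc/pam.d stack references (constructed).
PAM_STACKS = {"sshd": ["pam_ldap", "pam_access"], "imap": ["pam_ldap"]}

def _config_lines(text):
    """Yield non-blank, non-comment lines of a config file."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def parse_ldap_conf(text):
    """'key value' pairs; ldap.conf keys are case-insensitive."""
    conf = {}
    for line in _config_lines(text):
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf

def pam_groupdn_allows(conf, user):
    """pam_ldap: the user's DN must appear in pam_member_attribute of the
    pam_groupdn entry.  No pam_groupdn line means no restriction at all."""
    groupdn = conf.get("pam_groupdn")
    if groupdn is None:
        return True
    attr = conf.get("pam_member_attribute", "uniquemember").lower()
    return USER_DN.get(user) in LDAP_GROUP_MEMBERS.get(groupdn, {}).get(attr, set())

def parse_access_conf(text):
    """access.conf rules: 'permission : users : origins', kept in file order."""
    rules = []
    for line in _config_lines(text):
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def _user_matches(item, user):
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):  # newer explicit group form
        return user in UNIX_GROUPS.get(item[1:-1], set())
    # bare word: a user name, otherwise (as old pam_access did) tried as a group
    return item == user or user in UNIX_GROUPS.get(item, set())

def _origin_matches(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":  # anything without a dot: a tty or unqualified host
        return "." not in origin
    return origin.endswith(item) if item.startswith(".") else item == origin

def _list_matches(items, target, match):
    """A field is 'a b c' or 'ALL EXCEPT x y', as pam_access parses it."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return (_list_matches(items[:i], target, match)
                and not _list_matches(items[i + 1:], target, match))
    return any(match(item, target) for item in items)

def pam_access_allows(rules, user, origin):
    """First rule matching both fields decides; no matching rule means allow."""
    for permit, users, origins in rules:
        if (_list_matches(users, user, _user_matches)
                and _list_matches(origins, origin, _origin_matches)):
            return permit
    return True

def can_log_in(service, user, origin, ldap_conf=LDAP_CONF, access_conf=ACCESS_CONF):
    """Every module the service's stack references must succeed
    (the password check itself is assumed to succeed for all users)."""
    conf, rules = parse_ldap_conf(ldap_conf), parse_access_conf(access_conf)
    for module in PAM_STACKS[service]:
        if module == "pam_ldap" and not pam_groupdn_allows(conf, user):
            return False
        if module == "pam_access" and not pam_access_allows(rules, user, origin):
            return False
    return True
```

Running can_log_in over the three users shows the scoping difference the reply describes: with the pam_groupdn line present, carol (not in the group) is refused by imap as well as sshd, because both stacks go through pam_ldap; with that line commented out, only sshd refuses her, since pam_access sits in the sshd stack alone. The caveat for the pam_access route is that a rule in access.conf only applies where a service's stack actually lists pam_access, and the file's first matching line decides, so a final deny-all line is what makes the allow line meaningful.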
More information about the fedora-list mailing list