[389-users] Access.conf issue
Prashanth Sundaram
psundaram at wgen.net
Thu Nov 19 17:28:30 UTC 2009
The user is a part of both groupname and groupname2. I am in testing with
different combinations.
UsePAM yes is set in /etc/ssh/sshd_config
Reason for using pam_member_attribute uniquemember is because 389-ds groups
uses that attribute for group members.(see schema below) So to tell the
ldap.conf to look at that attribute to verify members. CORRECT ME IF I AM
WRONG
This is the schema of my groups
dn: cn=GroupName,ou=Groups, dc=domain, dc=com
gidNumber: 1010
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
uniqueMember: uid=username1,ou=People,dc=domain,dc=com
uniqueMember: uid=username2,ou=People,dc=domain,dc=com
cn: GroupName
True, I tried to put the account required pam_access.so to the pam.d/sshd,
but since it already includes the system-auth(which already has pam_access).
Hence I didn;t add manually to sshd.
/etc/pam.d/sshd
auth include system-auth
account required pam_nologin.so
account include system-auth
account required pam_access.so
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
What I am trying to accomplish?
I am trying to restrict the ssh access to all our servers based on the
groupmembership of posixgroups(groupname1 & 2). So say if a user does not
belong to that project he/she should not be able to ssh to that box.
Extra info which might or not be related: I am using Primary Group for all
users as their uidNumber. I think it is called ³User Private Groups² where
each user¹s uidNumber and gidNumber are same. This is to facilitate the
file/folders ownership in their home folder by using umask 022.
Stpierre from #389 IRC channel suggested that the syntax for posixGroups in
access.conf is not @groupname. But to change it something like below.
- : ALL EXCEPT root groupname groupname2 : ALL
Thanks for you help.
-Prashanth
* From: "Tidwell Robert - rtidwe" <Robert Tidwell acxiom com>
* To: <fedora-directory-users redhat com>
* Subject: RE: [389-users] Access.conf issue
* Date: Wed, 18 Nov 2009 11:15:32 -0600
Title: Access.conf issue
Is your user a part of the groupname or groupname2 group? And, is ³UsePAM
yes² and set in your sshd_config? Although, I am not sure that the
pam_member_attribute uniquemember is going to work in this situation. Pam
is looking to evaluate that the user is a member of the group that you
specify for ³pam_groupdn² in ldap.conf. Based on what you are saying, you
are simply using pam_access to control ssh access to the server. But
instead of the pam_access line being in system_auth, I have it in
/etc/pam.d/sshd, which it looks like yours is also based on the error
messages. Robert
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20091119/1cf3817f/attachment.html>
More information about the 389-users
mailing list