Adding LDAP netgroup access control to pam_access.so via access.conf

To: debian-security@lists.debian.org
Subject: Adding LDAP netgroup access control to pam_access.so via access.conf
From: Robert Carleton <rbc@insidernewswire.com>
Date: Wed, 11 Jun 2008 11:09:45 -0700
Message-id: <[🔎] 485014E9.9050001@insidernewswire.com>

I'm trying to apply access controls to a Debian Sarge (libc6) systemusing netgroups that have been added to LDAP. LDAP Authenticationalready works. The /etc/nsswitch.conf file has the line"netgroup: ldap". I can also use getent to show me the netgrouptriples that I want to see. I feel pretty confident that I haveproperly distributed the netgroup map to the client via LDAP.

What's not working is applying netgroups as an access controlmechanism. I added the following to /etc/security/access.conf:


+ : root : LOCAL
+ : @sysadmins : ALL
- : ALL : ALL

I also uncommented the line "account required pam_access.so" in/etc/pam.d/login. I've been testing with ssh access. I triedrestarting sshd. I also restarted nscd after making changed.


The net effect is that there are still no access controls.

I may be missing something, but I can't figure out what it is. Anysuggestions?


Thanks,

  --Bruce

Reply to:

Prev by Date: RE: [SECURITY] [DSA 1592-2] New Linux 2.6.18 packages fix overflow conditions
Next by Date: Re: [SECURITY] [DSA 1594-1] New imlib2 packages fix arbitrary code execution
Previous by thread: RE: [SECURITY] [DSA 1592-2] New Linux 2.6.18 packages fix overflow conditions
Next by thread: Re: [SECURITY] [DSA 1594-1] New imlib2 packages fix arbitrary code execution
Index(es):
- Date
- Thread