Jean-Yves Migeon wrote:
Hi all :)
Currently migrating an old Debian system (NIS, samba2 and a couple of
other services) to a new machine mainly configured around LDAP, I
needed some sort of access restriction, mainly to deny access to
particular groups of users on certain clients/servers.
So, I created groups of users (like admins, printer-admins, and
so on) in LDAP, and decided to restrict their access using the
pam_groupdn attribute in the /etc/pam_ldap.conf file.
However, it doesn't seem to work as intended.
Authentication works, and a "getent passwd" correctly adds users to the
lists (using NSS), but for services like ssh, or login via terminal,
even users that do not belong to the group defined by the pam_groupdn
attribute are still able to log in.
Here are the config files I'm working with.
/etc/pam.d/ssh
auth required /lib/security/pam_unix.so shadow nullok
auth sufficient /lib/security/pam_ldap.so try_first_pass
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_unix.so nullok use_authtok shadow
password sufficient /lib/security/pam_ldap.so
session required /lib/security/pam_unix.so
/etc/pam.d/pam_ldap.conf
host 127.0.0.1
base dc=bde,dc=espci,dc=fr
ldap_version 3
scope sub
timelimit 30
pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_password crypt
pam_groupdn cn=mathilda,ou=linux,dc=bde,dc=espci,dc=fr
pam_member_attribute member
nss_base_passwd ou=promos,dc=bde,dc=espci,dc=fr?sub
nss_base_shadow ou=promos,dc=bde,dc=espci,dc=fr?sub
nss_base_group ou=groups,dc=bde,dc=espci,dc=fr?sub
/etc/ssh/sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
PasswordAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
Subsystem sftp /usr/lib/sftp-server
UsePAM yes
Nevertheless, when logging in, I still get a warning message indicating
that the pam_groupdn attribute does work:
bash-3.00$ ssh jymtest@192.168.1.225
Password:
You must be a member of cn=mathilda,ou=linux,dc=bde,dc=espci,dc=fr to login.
Last login: Thu Aug 4 18:10:07 2005 from localhost.localdomain
I have no name!@mat2 18:32:46:~$
As you can see, even when not belonging to the group, I still get
access to the server.
After testing multiple scenarios and options, I ended up with this
line, where the pam_unix module seems to grant access to the user even
when he's not in the pam_groupdn group. Quoting it, or turning the control
flag to sufficient, completely blocks authentication via ssh, for
LDAP users as well as for system users like root.
account required /lib/security/pam_unix.so
That's all I noticed so far. I couldn't tell if the problem was coming
from the pam_ldap or pam_unix libraries, or, more simply, a
misconfiguration on my part ^^
I know I could use some other user access restriction modules (like
pam_wheel), but pam_groupdn was really THE solution for my case.
Having this configured directly in LDAP, and using aliases for ipHost
<> hostname, I could handle all the restrictions directly from
pam_ldap.conf, and wouldn't necessarily need to edit all the pam.d/*
files.
Some googling brings up this problem elsewhere too:
http://lists.debian.org/debian-user-french/2003/11/msg01094.html (2003, but seems to be the same problem as mine)
http://lists.freebsd.org/pipermail/freebsd-questions/2004-October/061443.html
Right now, I'm stuck with it. If anybody notices some errors in my conf
files, or got this to work properly, I'd be glad to know how they did it.
Thanking you in advance for any help you may bring :-),
Jean-Yves Migeon.
Alright, at last, I got it to work, with this pam.d/ssh file (do not
blame me, I'll explain the thing right after)
auth required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so
The thing is, NSS tends to add the LDAP users to the standard C libraries,
and the pam_unix.so module does NOT make any difference whether a user
comes from LDAP or from the /etc/passwd, /etc/shadow ... files.
Many ways to fix this: removing ldap from /etc/nsswitch.conf, adding
system user entries to the LDAP yellow pages, or fine-tuning PAM.
Anyway, it works now.
Spooky, I barely touched anything; got the thing to work after an hour
or so...
jy
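As an added illustration (not part of either post above), the following Python model of Linux-PAM's control-flag semantics shows why the first account stack lets a non-member through and the final pam_ldap-only stack does not; it goes slightly beyond the thread by also trying a hypothetical "requisite" ordering. The module outcomes and the stack names are assumptions of this model, not measurements from the poster's machine.

```python
# Simplified model of how Linux-PAM walks one management group (here "account")
# with the classic control flags. Module outcomes are supplied as a dict so a
# stack can be exercised without a real PAM installation (constructed scenario).
def evaluate_stack(stack, outcomes):
    """stack: ordered list of (control_flag, module_name).
    outcomes: {module_name: True for success, False for failure}.
    Returns True when PAM would grant this phase, False when it denies it."""
    required_failed = False
    success_seen = False
    for control, module in stack:
        ok = outcomes[module]
        if control == "required":
            if ok:
                success_seen = True
            else:
                required_failed = True   # remembered, but the stack keeps running
        elif control == "requisite":
            if not ok:
                return False             # deny immediately
            success_seen = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True              # short-circuit to success
            # a failing "sufficient" module is silently ignored
        elif control == "optional":
            if len(stack) == 1:
                return ok                # only decisive when it is the sole module
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return success_seen and not required_failed

# The poster's original "account" stack: pam_unix sees the LDAP user through NSS
# and says yes; pam_ldap says no (not in pam_groupdn), but as "sufficient" its
# refusal is discarded, so the user gets a shell right after the warning banner.
ORIGINAL_ACCOUNT_STACK = [("required", "pam_unix.so"), ("sufficient", "pam_ldap.so")]
# The stack the poster ended up with: pam_ldap alone decides.
FIXED_ACCOUNT_STACK = [("required", "pam_ldap.so")]
# Hypothetical alternative: still run pam_unix, but make pam_ldap's verdict binding.
STRICT_ACCOUNT_STACK = [("requisite", "pam_ldap.so"), ("required", "pam_unix.so")]
# Constructed outcomes. To pam_ldap, a purely local account (root in /etc/passwd)
# looks just like a non-member here, which is why pam_ldap-only stacks shut it out.
LDAP_USER_NOT_MEMBER = {"pam_unix.so": True, "pam_ldap.so": False}
LDAP_USER_MEMBER = {"pam_unix.so": True, "pam_ldap.so": True}

if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL_ACCOUNT_STACK), ("fixed", FIXED_ACCOUNT_STACK),
                        ("strict", STRICT_ACCOUNT_STACK)):
        print(name, "non-member:", evaluate_stack(stack, LDAP_USER_NOT_MEMBER),
              "member:", evaluate_stack(stack, LDAP_USER_MEMBER))
```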