pam, ldap: pam_groupdn ignored / not compatible with local users

To: debian-user@lists.debian.org
Subject: pam, ldap: pam_groupdn ignored / not compatible with local users
From: Michael Marti <michael.marti@ist.utl.pt>
Date: Mon, 11 May 2009 23:35:14 +0100
Message-id: <[🔎] 646BC16D-A5C5-4B8F-8C82-11AAD03D7FEC@ist.utl.pt>

Dear list members

I am not sure if this is an Debian or ldap / pam issue. Please forgiveme if this is not the appropriate list to post.

I am trying to restrict access to our hosts by setting pam_groupdn andpam_member_attribute in /etc/pam_ldap.conf.

Checking the logs of ldap show that pam indeed checks for membershipof the appropriate group:

May 11 11:55:01 golpweb slapd[23085]: conn=326 op=4 CMPdn="cn=host_golpweb,ou=groups,dc=golp,dc=ist,dc=utl,dc=pt"attr="memberUid"May 11 11:55:01 golpweb slapd[23085]: conn=326 op=4 RESULT tag=111err=5 text=


However the user is allowed to login in any case.

I found this post <http://lists.debian.org/debian-user/2005/08/msg00867.html>

which suggests that
  account	sufficient	pam_unix.so
should be removed from
/etc/pam.d/common-account

I tried this and it works. However

Removing pam_unix essentially inhibits locally created users,including the root user.

One possible workaround would be to create all users in the ldapdatabase, again including the root user. I am just not feeling verycomfortable about the fact that root can only login if the ldap serveris in fact up and running. This seems especially paradox for theserver that runs slapd.


I am quite convinced that I am just missing something:

- Is there a way to restrict access for a certain group for ldap userswhile /etc/passwd users have unrestricted access?- In case pam_groupdn is not the way to go, can you recommend analternative?- Right now I am using a custom ldap attribute called authorizationand a pam ldap search filter of "pam_filterauthorization=host.golpweb". This works, but is this a good approach?


Your comments are appreciated!

Best regards,
Michael Marti.



--
----------------------------------------------------------------------------
Michael Marti
Instituto Superior Técnico
Instituto de Plasmas e Fusão Nuclear
Complexo Interdisciplinar
Av. Rovisco Pais
1049-001 Lisboa
Portugal


Tel:       +351 218 419 379
Fax:      +351 218 464 455
Mobile:  +351 968 434 327
----------------------------------------------------------------------------

Reply to:

Follow-Ups:
- Re: pam, ldap: pam_groupdn ignored / not compatible with local users
  - From: Alex Samad <alex@samad.com.au>

Prev by Date: Re: Safe change of uid
Next by Date: Re: Safe change of uid
Previous by thread: Re: Unable to start postgresql on Debian
Next by thread: Re: pam, ldap: pam_groupdn ignored / not compatible with local users
Index(es):
- Date
- Thread