pam, ldap: pam_groupdn ignored / not compatible with local users
Dear list members
I am not sure if this is a Debian or ldap / pam issue. Please forgive
me if this is not the appropriate list to post to.
I am trying to restrict access to our hosts by setting pam_groupdn and
pam_member_attribute in /etc/pam_ldap.conf.
Checking the logs of ldap shows that pam indeed checks for membership
of the appropriate group:
May 11 11:55:01 golpweb slapd[23085]: conn=326 op=4 CMP
dn="cn=host_golpweb,ou=groups,dc=golp,dc=ist,dc=utl,dc=pt"
attr="memberUid"
May 11 11:55:01 golpweb slapd[23085]: conn=326 op=4 RESULT tag=111
err=5 text=
However the user is allowed to login in any case.
I found this post <http://lists.debian.org/debian-user/2005/08/msg00867.html>
which suggests that
account sufficient pam_unix.so
should be removed from
/etc/pam.d/common-account
I tried this and it works. However, removing pam_unix essentially
inhibits locally created users, including the root user.
One possible workaround would be to create all users in the ldap
database, again including the root user. I am just not feeling very
comfortable about the fact that root can only login if the ldap server
is in fact up and running. This seems especially paradoxical for the
server that runs slapd.
I am quite convinced that I am just missing something:
- Is there a way to restrict access for a certain group for ldap users
while /etc/passwd users have unrestricted access?
- In case pam_groupdn is not the way to go, can you recommend an
alternative?
- Right now I am using a custom ldap attribute called authorization
and a pam ldap search filter of "pam_filter
authorization=host.golpweb". This works, but is this a good approach?
Your comments are appreciated!
Best regards,
Michael Marti.
--
----------------------------------------------------------------------------
Michael Marti
Instituto Superior Técnico
Instituto de Plasmas e Fusão Nuclear
Complexo Interdisciplinar
Av. Rovisco Pais
1049-001 Lisboa
Portugal
Tel: +351 218 419 379
Fax: +351 218 464 455
Mobile: +351 968 434 327
----------------------------------------------------------------------------
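As an added illustration (not from the original post, Debian or Linux-PAM), the following Python model of Linux-PAM control-flag evaluation shows why `account sufficient pam_unix.so` ahead of pam_ldap lets pam_ldap's pam_groupdn check be skipped for LDAP users, and how gating pam_ldap behind pam_localuser.so (a `[success=1 default=ignore]` entry) lets /etc/passwd users in without consulting LDAP while LDAP users must be group members. The users, group membership and module results are constructed data; pam_localuser.so is assumed to be installed.

```python
# Added illustration of Linux-PAM `account` stack evaluation, not Linux-PAM
# code. Constructed data: /etc/passwd users, LDAP users, and members of the
# host's pam_groupdn group (cn=host_golpweb,ou=groups,... in the post).
LOCAL_USERS = {"root", "backup"}
LDAP_USERS = {"michael", "guest"}
HOST_GROUP_MEMBERS = {"michael"}

def pam_unix(user):
    # pam_unix's account check passes for any user NSS resolves; with
    # nss_ldap that includes LDAP users, so pam_unix vouches for them too.
    return "success" if user in LOCAL_USERS | LDAP_USERS else "user_unknown"

def pam_localuser(user):  # succeeds only for /etc/passwd users (pam_localuser.so)
    return "success" if user in LOCAL_USERS else "user_unknown"

def pam_ldap(user):  # models the pam_groupdn/pam_member_attribute membership check
    if user not in LDAP_USERS:
        return "user_unknown"
    return "success" if user in HOST_GROUP_MEMBERS else "perm_denied"

def run_stack(stack, user):
    """Evaluate (control, module[, skip]) entries; True means access granted."""
    final = None  # None: undecided; True/False: decided so far
    i = 0
    while i < len(stack):
        control, module, *skip = stack[i]
        ok = module(user) == "success"
        if control == "required":  # failure is remembered, stack continues
            if not ok:
                final = False
            elif final is None:
                final = True
        elif control == "sufficient":  # success ends the stack unless a
            if ok and final is not False:  # required module already failed
                return True
        elif control == "skip_on_success":  # [success=N default=ignore]
            if ok:
                i += skip[0]
        i += 1
    return final is True

# The post's stack: pam_unix vouches for LDAP users, so pam_ldap never runs.
BROKEN = [("sufficient", pam_unix), ("required", pam_ldap)]

# account required pam_unix.so
# account [success=1 default=ignore] pam_localuser.so
# account required pam_ldap.so
FIXED = [("required", pam_unix), ("skip_on_success", pam_localuser, 1),
         ("required", pam_ldap)]
```

In the fixed stack pam_ldap is skipped entirely for local users, so root stays independent of whether slapd is reachable.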