
pam, ldap: pam_groupdn ignored / not compatible with local users

Dear list members

I am not sure if this is a Debian or ldap / pam issue. Please forgive me if this is not the appropriate list to post.

I am trying to restrict access to our hosts by setting pam_groupdn and pam_member_attribute in /etc/pam_ldap.conf.

Checking the logs of ldap shows that pam indeed checks for membership of the appropriate group:

May 11 11:55:01 golpweb slapd[23085]: conn=326 op=4 CMP dn="cn=host_golpweb,ou=groups,dc=golp,dc=ist,dc=utl,dc=pt" attr="memberUid"
May 11 11:55:01 golpweb slapd[23085]: conn=326 op=4 RESULT tag=111 err=5 text=

However, the user is allowed to log in in any case.

I found this post <http://lists.debian.org/debian-user/2005/08/msg00867.html>
which suggests that
  account	sufficient	pam_unix.so
should be removed from

I tried this and it works. However, removing pam_unix essentially inhibits locally created users, including the root user.

One possible workaround would be to create all users in the ldap database, again including the root user. I am just not feeling very comfortable about the fact that root can only log in if the ldap server is in fact up and running. This seems especially paradoxical for the server that runs slapd.

I am quite convinced that I am just missing something:
- Is there a way to restrict access for a certain group for ldap users while /etc/passwd users have unrestricted access?
- In case pam_groupdn is not the way to go, can you recommend an alternative?
- Right now I am using a custom ldap attribute called authorization and a pam ldap search filter of "pam_filter authorization=host.golpweb". This works, but is this a good approach?

Your comments are appreciated!

Best regards,
Michael Marti.

Michael Marti
Instituto Superior Técnico
Instituto de Plasmas e Fusão Nuclear
Complexo Interdisciplinar
Av. Rovisco Pais
1049-001 Lisboa

Tel:       +351 218 419 379
Fax:      +351 218 464 455
Mobile:  +351 968 434 327

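Added example (not part of the original post): an account stack that keeps local users unrestricted while enforcing pam_groupdn on ldap users. It assumes the account stack lives in /etc/pam.d/common-account and that the PADL pam_ldap module in use supports the ignore_unknown_user and ignore_authinfo_unavail options (check the module's own documentation for your version).

```text
# /etc/pam.d/common-account   (assumed path; adjust to wherever your account stack lives)

# Weak stack, as described in the post above: pam_unix succeeds for any user
# that NSS can resolve, local or ldap, and "sufficient" then stops the stack,
# so the pam_groupdn check inside pam_ldap never gets to decide anything.
#account   sufficient   pam_unix.so
#account   required     pam_ldap.so

# Corrected stack: both modules are "required", so both run for every user.
#  - local users from /etc/passwd are unknown to the directory; with
#    ignore_unknown_user pam_ldap returns PAM_IGNORE for them and pam_unix
#    alone decides, so root and other local accounts stay unrestricted.
#  - ldap users pass pam_unix and must also pass pam_ldap, which enforces
#    pam_groupdn / pam_member_attribute from /etc/pam_ldap.conf.
#  - if slapd is down, ignore_authinfo_unavail keeps local accounts usable
#    instead of failing the whole stack; an ldap user is still refused in
#    that case because pam_unix cannot resolve the account through NSS.
account   required   pam_unix.so
account   required   pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
```

After changing the stack, verify with an ldap user outside the group (expect the CMP err=5 in the slapd log followed by a refused login) and with root while slapd is stopped (expect success).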