Re: pam, ldap: pam_groupdn ignored / not compatible with local users

On Mon, May 11, 2009 at 11:35:14PM +0100, Michael Marti wrote:
> Dear list members
> I am not sure if this is a Debian or ldap / pam issue. Please forgive
> me if this is not the appropriate list to post.
> I am trying to restrict access to our hosts by setting pam_groupdn and
> pam_member_attribute in /etc/pam_ldap.conf.

I do mine in the filter command

filter passwd

and I set the host attribute as needed

this is my common-auth

auth [success=1 default=ignore] pam_unix2.so
auth required pam_ldap.so use_first_pass
auth required pam_permit.so

one thing to check is

getent passwd | sort 

look for the userid and see if it pops up twice 
> I am quite convinced that I am just missing something:
> - Is there a way to restrict access for a certain group for ldap users
> while /etc/passwd users have unrestricted access?
> - In case pam_groupdn is not the way to go, can you recommend an
> alternative?
> - Right now I am using a custom ldap attribute called authorization and a
> pam ldap search filter of "pam_filter authorization=host.golpweb". This
> works, but is this a good approach?

each to their own I guess, I can't remember why I did it this way, I
have it set up on multiple machines this way for some reason that I can
remember - it works

> Your comments are appreciated!
> Best regards,
> Michael Marti.

Mustrum Ridcully did a lot for rare species. For one thing, he kept
them rare.
(Lords and Ladies)
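
The "getent passwd | sort" check above, turned into a small script. This is an added example, not code from the thread: it reports login names that appear more than once in the passwd map (once from /etc/passwd, once from LDAP), which is the case where the local entry is matched first and any restriction configured on the LDAP side never gets evaluated. It goes one step beyond the post by also reporting UIDs shared by two different names. The sample passwd lines are constructed, not real accounts.

```shell
#!/bin/sh
# Added example (not from the original thread): detect accounts that are
# present twice in the merged passwd map, e.g. a local /etc/passwd user that
# also exists in LDAP. A duplicate login name means the first source (usually
# files) answers the lookup and the LDAP entry, with its group/host
# restriction, is never consulted.

# Constructed sample of `getent passwd` output (placeholder accounts).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
michael:x:1001:1001:Michael:/home/michael:/bin/bash
alice:x:2001:2001:Alice:/home/alice:/bin/bash
michael:x:2002:2002:Michael (ldap):/home/michael:/bin/bash
bob:x:2003:2003:Bob:/home/bob:/bin/bash
svc:x:2003:2003:Service:/nonexistent:/usr/sbin/nologin'

# duplicated_users: read passwd-format lines on stdin and print each login
# name that occurs more than once, one per line, sorted.
duplicated_users() {
    cut -d: -f1 | sort | uniq -d
}

# duplicated_uids: same idea for the numeric UID field, which catches two
# different names sharing one UID (a different but related mix-up).
duplicated_uids() {
    cut -d: -f3 | sort -n | uniq -d
}

# count_duplicates: number of duplicated login names (useful as a check in
# a monitoring or config-audit job).
count_duplicates() {
    duplicated_users | wc -l | tr -d ' '
}

# Run against the live passwd map when invoked with --live, as the post
# suggests doing by hand.
if [ "${1:-}" = "--live" ]; then
    echo "duplicated login names:"; getent passwd | duplicated_users
    echo "duplicated uids:";        getent passwd | duplicated_uids
fi
```

On the constructed sample this reports "michael" as a duplicated login name and 2003 as a shared UID; on a real host, an empty result for both is what you want before trusting any LDAP-side restriction.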