[Resolved] Found a way of allowing pam_ldap users (with pam_grou

Board: FB_security, posted 18 years ago (2007/09/06 22:28), 0 pushes (0 up / 0 neutral / 0 down)
0 comments, 0 participants, latest thread 1/1
Hi,

I've been trying to get LDAP ssh authentication to work for a while, and I found a bug (http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/116150) in pam_unix.so, that breaks support for ldap-group/host-restrictions the ldap-way. I saw numerous emails about pam_groupdn-ldap-restrictions on the mailing lists dating back to 2001, but no resolution for how to get it playing, so this is a working fix, until pam_unix.so and pam_ldap.so play well together:

The recommended setup, UNIX and LDAP logins work, but groupdn/check_host_attr restrictions don't:

    account sufficient /usr/local/lib/pam_ldap.so
    account required   pam_login_access.so
    account required   pam_unix.so local_pass

You want only LDAP users, and no local root-account, this works:

    account sufficient /usr/local/lib/pam_ldap.so
    account required   pam_login_access.so
    account required   pam_deny.so

This is what I ended up with as a quick fix, until pam_unix.so is playing right again:

    # account
    account sufficient /usr/local/lib/pam_ldap.so
    account required   pam_login_access.so
    account required   /usr/local/lib/pam_require.so root
    account required   pam_unix.so local_pass

This basically restricts local accounts to the root-account, and honours ldap-pam-restrictions, that a user should explicitly have access to the machine. So one can still login with the root-account if the ldap-server(s) for some reason aren't authenticating properly.

Hope this can be helpful to other users struggling with ldap-group/host restrictions, who then don't have to spend as much time as I did debugging it.

Regards,
Daniel Bond, NSN ASA.
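To see why the three stacks in the post behave differently, the following added example (not part of the post, and not FreeBSD's or pam_ldap's code) simulates the usual PAM control-flag rules (required, requisite, sufficient, optional) over stand-in modules. The user sets, the module behaviours and the names pam_ldap, pam_unix, pam_require, pam_deny and pam_login_access are constructed for the simulation; in particular it assumes, as the post describes, that the pam_unix account check passes for any user NSS can resolve, LDAP users included.

```python
"""Simulate the control-flag semantics of a PAM 'account' stack and compare
the three stacks from the post. Added example, not code from the post."""

SUCCESS, FAILURE = "success", "failure"

# Constructed environment (assumptions, not real system data):
LOCAL_USERS = {"root", "localadm"}          # in /etc/passwd
LDAP_USERS_KNOWN = {"alice", "bob"}         # resolvable through nss_ldap
LDAP_USERS_ALLOWED_HERE = {"alice"}         # pass the pam_ldap groupdn/host check


def pam_ldap(user):
    # Fails for LDAP users the groupdn/check_host_attr restriction excludes.
    return SUCCESS if user in LDAP_USERS_ALLOWED_HERE else FAILURE


def pam_login_access(user):
    # Assume /etc/login.access permits everyone.
    return SUCCESS


def pam_unix(user):
    # Assumption from the post: passes for any user NSS resolves, LDAP included.
    return SUCCESS if user in LOCAL_USERS | LDAP_USERS_KNOWN else FAILURE


def pam_deny(user):
    return FAILURE


def pam_require(user, *allowed):
    # Stand-in for pam_require.so: succeeds only for the listed users.
    return SUCCESS if user in allowed else FAILURE


def run_stack(stack, user):
    """stack: list of (control, module, args). Applies the standard rules:
    required   - failure is recorded but the remaining modules still run
    requisite  - failure ends the stack immediately
    sufficient - success ends the stack unless a required module already failed
    optional   - result ignored"""
    required_failed = False
    for control, module, args in stack:
        result = module(user, *args)
        if control == "required":
            required_failed = required_failed or result == FAILURE
        elif control == "requisite":
            if result == FAILURE:
                return FAILURE
        elif control == "sufficient":
            if result == SUCCESS and not required_failed:
                return SUCCESS
        elif control != "optional":
            raise ValueError(f"unknown control flag {control!r}")
    return FAILURE if required_failed else SUCCESS


# The three account stacks from the post, as data.
RECOMMENDED = [("sufficient", pam_ldap, ()),
               ("required", pam_login_access, ()),
               ("required", pam_unix, ())]
LDAP_ONLY = [("sufficient", pam_ldap, ()),
             ("required", pam_login_access, ()),
             ("required", pam_deny, ())]
QUICKFIX = [("sufficient", pam_ldap, ()),
            ("required", pam_login_access, ()),
            ("required", pam_require, ("root",)),
            ("required", pam_unix, ())]


def outcomes(stack):
    """Account-stack result for each constructed user."""
    return {u: run_stack(stack, u) for u in ("alice", "bob", "root", "localadm")}


if __name__ == "__main__":
    for name, stack in (("recommended", RECOMMENDED),
                        ("ldap-only", LDAP_ONLY),
                        ("quickfix", QUICKFIX)):
        print(f"{name:12s} {outcomes(stack)}")
```

Running it shows the failure mode the post describes: in the recommended stack, "bob", whom pam_ldap rejects, is still admitted because the required pam_unix check succeeds for him, so the LDAP restriction is bypassed. The LDAP-only stack denies bob but also locks out root. The quick fix denies bob and the unlisted local account while keeping root usable when the LDAP server is unreachable.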
Article ID (AID): #16u0vz00 (FB_security)