05-29-2008, 07:41 AM
Bogdan Cehan

problems with pam ldap ?

Hello all,

I'm using the Fedora Directory Server for centralized authentication. I have
made users with posixAccount and put them in ou=People like this:
---------------------------------------------------------------------------------------------
# alexadu, People, pol.mediaimage.ro
dn: uid=alexadu,ou=People,dc=pol,dc=ro
givenName: Alexandra
sn: Dumitru
loginShell: /bin/bash
uidNumber: 1069
gidNumber: 100
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: alexadu
cn: Alexandra Dumitru
homeDirectory: /home/alexadu
------------------------------------------------------------------------------------------
and after that I made some groups in ou=Groups like this:
-----------------------------------------------------------------------------------------
# Server1, Groups, pol.ro
dn: cn=Server1,ou=Groups,dc=pol,dc=ro
description: group for users that have access on server 1
objectClass: top
objectClass: groupofuniquenames
uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro
uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro
cn: Server1
----------------------------------------------------------------------------------------


and my ldap.conf looks like this:

URI ldap://lacatzel.pol.ro
port=389
BASE dc=pol,dc=ro
host lacatzel.pol.ro
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
scope sub
bind_policy soft
#pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
pam_check_host_attr yes
nss_default_attribute_value loginShell /bin/false
nss_base_passwd ou=People,dc=pol,dc=ro
nss_base_shadow ou=People,dc=pol,dc=ro
nss_base_group ou=People,dc=pol,dc=ro
---------------------------------------------------------------------------------------------

Now I want to restrict some users to servers based on groups, but my pam_ldap
does not help me do that. I'm using my old friend "www.google.com" to
help me with this problem, but with no luck ..... all my users have access to
this computer .... So, if I understand right, all I have to do is create
users with posixAccount and after that create groups and put the users in
those groups, but this does not work ..... Any ideas? Does anyone use FDS for
what I intend to do?

Thank you for your time .....

Bogdan

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
 
05-29-2008, 09:23 AM
Jonathan Barber

problems with pam ldap ?

On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote:
> Hello all
>
>
>
> I'm using the fedora directory server for centralized authentication ,
> and i have made users with posix account and i put them in ou=People
> like this :

[snip]

> now i want to restrict some users to servers based on groups but my pam_ldap
> does not help me to do that , I'm using my old friend "www.google.com" to
> help me in this problem but with no luck ..... all my users have access to
> this computer .... so , if i understand right all i have to do is create
> users with posix account and after that create groups and put the users in
> that group but this does not work ..... any ideas ? anyone use FDS for what i
> intend to do ?

The pam_access module may help you do this depending on what you mean by
"restrict".

> Thank you for your time .....
>
>
>
> Bogdan

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
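A pam_access rule set of the shape Jonathan is pointing at, as an added example that is not part of his reply. It is the per-host /etc/security/access.conf for the machine called comp1, with the group name taken from the question; root and LOCAL are assumptions about what else the host needs. pam_access resolves a name in parentheses through NSS (getgrnam), so this only works if the comp1 group is visible as a POSIX group on that host; with the groupOfUniqueNames entries posted above, and nss_base_group pointing at ou=People rather than ou=Groups, the group would not resolve and the rule would simply never match.

```text
# /etc/security/access.conf on comp1 (added example, not from the thread)
# format: permission : users/groups : origins
# root may log in from the console, members of the NSS group comp1 from
# anywhere, everyone else is refused
+ : root : LOCAL
+ : (comp1) : ALL
- : ALL : ALL
```

pam_access only acts if it sits in the account stack as `account required pam_access.so` and nothing before it in that stack short-circuits the evaluation with a successful `sufficient` module.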

05-29-2008, 09:40 AM
Bogdan Cehan

problems with pam ldap ?

Let's say I have the users alex, tom, john, joe and bruce
and the computers comp1, comp2 and comp3,

and in my LDAP I have the users in ou=People with posixAccount
and three groups named after the computers, like:

cn=comp1,ou=Groups ....
objectClass: top
objectClass: groupOfUniqueNames
cn: comp1
ou: groups
description: People who can login on comp1
uniqueMember: uid=alex,ou=People,dc=pol,dc=mediaimage,dc=ro
uniqueMember: uid=joe,ou=People,dc=pol,dc=mediaimage,dc=ro
uniqueMember: uid=bruce,ou=People,dc=pol,dc=mediaimage,dc=ro
-----------------------------------------------------------------------------------------


cn=comp2,ou=Groups ....
objectClass: top
objectClass: groupOfUniqueNames
cn: comp3
ou: groups
description: People who can login on comp2
uniqueMember: uid=alex,ou=People,dc=pol,dc=mediaimage,dc=ro
uniqueMember: uid=tom,ou=People,dc=pol,dc=mediaimage,dc=ro
uniqueMember: uid=bruce,ou=People,dc=pol,dc=mediaimage,dc=ro
-----------------------------------------------------------------------------------------

cn=comp3,ou=Groups ....
objectClass: top
objectClass: groupOfUniqueNames
cn: comp3
ou: groups
description: People who can login on comp3
uniqueMember: uid=john,ou=People,dc=pol,dc=mediaimage,dc=ro
uniqueMember: uid=joe,ou=People,dc=pol,dc=mediaimage,dc=ro
uniqueMember: uid=bruce,ou=People,dc=pol,dc=mediaimage,dc=ro
-----------------------------------------------------------------------------------------



In this schema, let's say that I want to permit login access to
the computers only to the people I have in their group.

05-29-2008, 01:09 PM
"Edward Capriolo"

problems with pam ldap ?

There are a few ways.
I found the best way is to specify
pam_groupdn and pam_member_attribute. This allows you to create a
simple LDAP object that says who can log into what system.

Edward

05-29-2008, 04:16 PM
Nalin Dahyabhai

problems with pam ldap ?

On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote:
> I'm using the fedora directory server for centralized authentication ,
> and i have made users with posix account and i put them in ou=People
> like this :
[snip]
> # Server1, Groups, pol.ro
> dn: cn=Server1,ou=Groups,dc=pol,dc=ro
> description: group for users that have access on server 1
> objectClass: top
> objectClass: groupofuniquenames
> uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro
> uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro
> cn: Server1
[snip]
> and my ldap.conf looks like this :
>
> URI ldap://lacatzel.pol.ro
> port=389
> BASE dc=pol,dc=ro
> host lacatzel.pol.ro
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT allow
> scope sub
> bind_policy soft
> #pam_password exop
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_member_attribute memberUid
> pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro

[snip]

The combination of the pam_groupdn and pam_member_attribute settings you
have here instructs pam_ldap to check for the user's DN among the values
for the group object's "memberUid" attribute, but the user's DN is
stored in the "uniqueMember" attribute. Try changing that (or
removing it, because "pam_member_attribute uniquemember" is the
default).

But if that were the only problem, I'd expect that none of your users
would be able to log in. You should probably double-check that your PAM
configuration is able to deny users entry when pam_ldap's account
management function (which is the part that checks group membership)
returns a failure.

HTH,

Nalin
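The check Nalin describes, as an added example that is not code from the thread or from pam_ldap: a small Python emulation of the pam_groupdn / pam_member_attribute comparison. It looks the user up the way pam_filter and pam_login_attribute direct, then searches for the user's DN among the values of the member attribute on the group entry. The directory is a dictionary constructed from the LDIF posted above, plus an assumed user tom who belongs to no group and an assumed posixGroup entry cn=Server1-posix whose memberUid values are login names, so the groupOfUniqueNames and posixGroup cases can be compared side by side. The PAM return-code names are illustrative; the exact code pam_ldap returns on a failed group check is not stated in the thread.

```python
"""Emulate the part of pam_ldap's account check discussed in the thread:
find the user with pam_filter / pam_login_attribute, then look for the
user's DN among the values of pam_member_attribute on the pam_groupdn entry.

Added example, not code from the thread or from pam_ldap. The directory is
constructed from the posted LDIF; tom and cn=Server1-posix are assumptions.
"""

# Constructed directory: DN -> {lower-cased attribute name: [values]}
DIRECTORY = {
    "uid=alexadu,ou=People,dc=pol,dc=ro": {
        "objectclass": ["top", "person", "organizationalPerson",
                        "inetorgperson", "posixAccount"],
        "uid": ["alexadu"], "uidnumber": ["1069"], "gidnumber": ["100"],
    },
    "uid=lauru,ou=People,dc=pol,dc=ro": {
        "objectclass": ["top", "person", "inetorgperson", "posixAccount"],
        "uid": ["lauru"],
    },
    "uid=tom,ou=People,dc=pol,dc=ro": {            # assumed: in no group
        "objectclass": ["top", "person", "inetorgperson", "posixAccount"],
        "uid": ["tom"],
    },
    # groupOfUniqueNames as in the first post: the members are DNs
    "cn=Server1,ou=Groups,dc=pol,dc=ro": {
        "objectclass": ["top", "groupofuniquenames"], "cn": ["Server1"],
        "uniquemember": ["uid=lauru,ou=People,dc=pol,dc=ro",
                         "uid=alexadu,ou=People,dc=pol,dc=ro"],
    },
    # posixGroup as in the later post: the members are login names, not DNs
    "cn=Server1-posix,ou=Groups,dc=pol,dc=ro": {   # assumed DN
        "objectclass": ["top", "posixgroup"], "cn": ["Server1-posix"],
        "gidnumber": ["100"], "memberuid": ["alexadu", "vion"],
    },
}


def normalize_dn(dn):
    """DNs compare case-insensitively; ignore whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def find_user_dn(directory, login, config):
    """Mimic the search (&(<pam_filter>)(<pam_login_attribute>=<login>))."""
    login_attr = config.get("pam_login_attribute", "uid").lower()
    filter_attr, filter_value = config.get(
        "pam_filter", "objectclass=posixAccount").split("=", 1)
    for dn, entry in directory.items():
        values = [v.lower() for v in entry.get(filter_attr.lower(), [])]
        if filter_value.lower() in values and login in entry.get(login_attr, []):
            return dn
    return None


def in_group(directory, user_dn, config):
    """True if user_dn is listed under pam_member_attribute on pam_groupdn.
    uniqueMember is the default when the option is left unset."""
    group = directory.get(config["pam_groupdn"])
    if group is None:
        return False
    member_attr = config.get("pam_member_attribute", "uniqueMember").lower()
    members = {normalize_dn(m) for m in group.get(member_attr, [])}
    return normalize_dn(user_dn) in members


def acct_mgmt(directory, login, config):
    """Account-management decision as the replies describe it."""
    user_dn = find_user_dn(directory, login, config)
    if user_dn is None:
        return "PAM_USER_UNKNOWN"
    if "pam_groupdn" in config and not in_group(directory, user_dn, config):
        return "PAM_PERM_DENIED"
    return "PAM_SUCCESS"


# The posted ldap.conf, reduced to the options this check uses
POSTED = {"pam_filter": "objectclass=posixAccount",
          "pam_login_attribute": "uid",
          "pam_member_attribute": "memberUid",
          "pam_groupdn": "cn=Server1,ou=Groups,dc=pol,dc=ro"}
# The suggested fix: name the attribute the group entry really carries
FIXED = dict(POSTED, pam_member_attribute="uniqueMember")
# memberUid on a posixGroup holds names, so the user's DN is never found there
POSIX = dict(POSTED, pam_groupdn="cn=Server1-posix,ou=Groups,dc=pol,dc=ro")

if __name__ == "__main__":
    for label, cfg in [("posted", POSTED), ("fixed", FIXED), ("posixGroup", POSIX)]:
        print(label, [(u, acct_mgmt(DIRECTORY, u, cfg))
                      for u in ("alexadu", "tom", "nobody")])
```

Running it shows the pattern Nalin predicts: with pam_member_attribute memberUid against the groupOfUniqueNames entry nobody passes, with uniqueMember (or the option left at its default) only the listed DNs pass, and a posixGroup never matches because memberUid carries names rather than DNs. One further thing worth checking in the posted ldap.conf is pam_check_host_attr yes: that option makes pam_ldap also require a host attribute on the user entry at account time, and none of the posted user entries has one, so if pam_ldap's account result were actually being honoured, every user would be refused on that ground as well.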

05-30-2008, 07:41 AM
Bogdan Cehan

problems with pam ldap ?

OK, so now my configuration looks like this:

# Server1, Groups, pol.mediaimage.ro
dn: cn=Server1,ou=Groups,dc=pol,dc=ro
objectClass: top
objectClass: posixgroup
cn: Server1
gidNumber: 100
memberUid: alex
memberUid: vion

and ldap.conf:

URI ldap://lacatzel.pol.ro
port=389
BASE dc=pol,dc=ro
host lacatzel.pol.ro
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
scope sub
bind_policy soft
#pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
pam_check_host_attr yes
nss_default_attribute_value loginShell /bin/false
nss_base_passwd ou=People,dc=pol,dc=ro
nss_base_shadow ou=People,dc=pol,dc=ro
nss_base_group ou=People,dc=pol,dc=ro

and PAM system-auth:

auth required pam_env.so
auth [success=ignore default=1] pam_localuser.so
auth [success=done new_authtok_reqd=done default=1] pam_unix.so likeauth nullok try_first_pass
auth sufficient pam_ldap.so try_first_pass
auth required pam_deny.so

account sufficient pam_unix.so
account required pam_access.so
account sufficient pam_ldap.so

password required pam_cracklib.so difok=2 minlen=2 dcredit=2 ocredit=2 retry=1
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
# Creates the home directories if they do not exist
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_ldap.so


But with all this, all users can still log in to the system with no problem.

05-30-2008, 04:35 PM
Nalin Dahyabhai

problems with pam ldap ?

On Fri, May 30, 2008 at 10:41:09AM +0300, Bogdan Cehan wrote:
> Ok
> so now my configuration looks like this
>
> # Server1, Groups, pol.mediaimage.ro
> dn: cn=Server1,ou=Groups,dc=pol,dc=ro
> objectClass: top
> objectClass: posixgroup
> cn: Server1
> gidNumber: 100
> memberUid: alex
> memberUid: vion
>
> and ldap.conf :
>

[snip]

> pam_member_attribute memberUid
> pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro

That's probably not going to work -- pam_ldap is still going to check
for the DN of the user's entry in the memberUid attribute, and not the
user's name.

[snip]

> and pam system-auth :
[snip]
> account sufficient pam_unix.so
> account required pam_access.so
> account sufficient pam_ldap.so

I suspect pam_unix is checking for an expired password (and if you're
using nss_ldap, it'll be able to "see" users you've defined in the
directory), determining that the user's password has not expired, and
returning success.

There's also the subtle problem that if a "sufficient" module fails, it
doesn't actually cause the whole PAM stack to be counted as a failure,
so even if both pam_unix.so and pam_ldap.so failed, the user might still
be allowed access. I'd suggest something like this instead:
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_access.so

I haven't tried it myself, but I think that'll work.

HTH,

Nalin
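The stack behaviour Nalin is reasoning about, as an added example that is not code from the thread or from Linux-PAM: a Python simulation of how libpam folds the per-module results of an account stack into one answer. Keyword controls are expanded to the [value=action] tables documented in pam.conf(5) and evaluated with the ok / done / bad / die / ignore rules; jump actions are not modelled because neither stack uses them, and the module results in each scenario are chosen by hand rather than produced by real modules (an LDAP user refused by pam_ldap's group check, a user both pam_unix and pam_ldap refuse, and a local user the directory does not know).

```python
"""Simulate how Linux-PAM combines module results for the two account
stacks discussed above: the one posted and the one suggested in reply.

Added example; not code from the thread or from Linux-PAM. Keyword controls
are expanded to the [value=action] tables from pam.conf(5). Jump actions
(default=1 and friends) are deliberately not modelled, and the per-module
return values below are constructed, not observed.
"""

# pam.conf(5): the keyword controls expressed as [value=action] tables
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok",
                   "default": "ignore"},
}


def parse_control(control):
    """'required' or '[default=bad success=ok user_unknown=ignore]'
    -> {return_value: action}."""
    if control.startswith("[") and control.endswith("]"):
        table = {}
        for item in control[1:-1].split():
            value, action = item.split("=", 1)
            table[value] = action
        return table
    return dict(KEYWORDS[control])


def evaluate_stack(stack, results):
    """stack:   list of (control, module) for one management group.
    results: module -> return code name such as 'PAM_PERM_DENIED'.
    Returns the code libpam would hand back to the application."""
    impression = None        # None = undefined, True = positive, False = negative
    status = "PAM_SUCCESS"
    for control, module in stack:
        retval = results[module]
        key = retval[len("PAM_"):].lower()       # PAM_PERM_DENIED -> perm_denied
        table = parse_control(control)
        action = table.get(key, table.get("default", "bad"))
        if action in ("ok", "done"):
            # ok/done set the result only while no failure is recorded
            if impression is None or (impression is True and status == "PAM_SUCCESS"):
                impression, status = True, retval
            if action == "done" and impression is True:
                break                            # sufficient: stop on success
        elif action in ("bad", "die"):
            if impression is not False:          # the first failure wins
                impression, status = False, retval
            if action == "die":
                break                            # requisite: stop on failure
        elif action == "ignore":
            pass                                 # contributes nothing
        else:
            raise ValueError("jump actions are not modelled: %s" % action)
    # If every module was ignored, libpam refuses rather than allows.
    return status if impression is not None else "PAM_PERM_DENIED"


POSTED_STACK = [
    ("sufficient", "pam_unix.so"),
    ("required", "pam_access.so"),
    ("sufficient", "pam_ldap.so"),
]

SUGGESTED_STACK = [
    ("required", "pam_unix.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so"),
    ("required", "pam_access.so"),
]

# Constructed scenarios: the results each module would return
LDAP_USER_NOT_IN_GROUP = {"pam_unix.so": "PAM_SUCCESS",
                          "pam_access.so": "PAM_SUCCESS",
                          "pam_ldap.so": "PAM_PERM_DENIED"}
BOTH_FAIL = {"pam_unix.so": "PAM_ACCT_EXPIRED",
             "pam_access.so": "PAM_SUCCESS",
             "pam_ldap.so": "PAM_PERM_DENIED"}
LOCAL_USER = {"pam_unix.so": "PAM_SUCCESS",
              "pam_access.so": "PAM_SUCCESS",
              "pam_ldap.so": "PAM_USER_UNKNOWN"}

if __name__ == "__main__":
    for name, results in [("ldap user not in group", LDAP_USER_NOT_IN_GROUP),
                          ("pam_unix and pam_ldap both fail", BOTH_FAIL),
                          ("local user", LOCAL_USER)]:
        print("%-32s posted: %-16s suggested: %s" % (
            name, evaluate_stack(POSTED_STACK, results),
            evaluate_stack(SUGGESTED_STACK, results)))
```

With the posted stack the first two scenarios both end in PAM_SUCCESS: in the first, the sufficient pam_unix line short-circuits before pam_ldap is ever consulted; in the second, both refusals are dropped because sufficient maps every non-success to ignore, and the required pam_access line alone carries the result. With the suggested stack, pam_ldap's refusal is recorded as the stack's failure, the later success of pam_access cannot override it, and user_unknown=ignore keeps purely local accounts working.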
