[Resolved] Found a way of allowing pam_ldap users (with pam_groupdn or pam_check_host_attr restrictions), AND allowing local root authentication, without pam_unix.so taking precedence because getpwent() returns ldap-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I've been trying to get LDAP ssh authentication to work for a while, and
I found a bug (http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/116150) in
pam_unix.so that breaks support for ldap-group/host restrictions the
ldap way.

I saw numerous emails about pam_groupdn-ldap-restrictions on the
mailing lists dating back to 2001, but no resolution for how to get it
playing, so this is a working fix, until pam_unix.so and pam_ldap.so
play well together:
The recommended setup: UNIX and LDAP logins work, but
groupdn/check_host_attr restrictions don't:

account sufficient /usr/local/lib/pam_ldap.so
account required pam_login_access.so
account required pam_unix.so local_pass


If you want only LDAP users and no local root account, this works:

account sufficient /usr/local/lib/pam_ldap.so
account required pam_login_access.so
account required pam_deny.so


This is what I ended up with as a quick fix, until pam_unix.so is playing
right again:

# account
account sufficient /usr/local/lib/pam_ldap.so
account required pam_login_access.so
account required /usr/local/lib/pam_require.so root
account required pam_unix.so local_pass


This basically restricts local accounts to the root account, and honours
the ldap-pam restrictions that a user should explicitly have access to the
machine. So one can still log in with the root account if the ldap server(s)
for some reason aren't authenticating properly.


Hope this can be helpful to other users struggling with ldap-group/host
restrictions, so they don't have to spend as much time as I did debugging it.

Regards,


Daniel Bond,
NSN ASA.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG4Ad0UR3pKhqN0EoRAheaAKCd7GRLVDzaa9NYkHY2+u5kNScV8gCeN21T
r8XHQNqJgB0tYIuZUTIrIf8=
=ChTy
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
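To see why the three account stacks in the mail behave differently, here is an added simulation of how OpenPAM walks a "required"/"sufficient" stack. It is not code from the post or from FreeBSD; the module functions are a constructed model of the real pam_*.so behaviour (pam_ldap succeeds only for LDAP users that pass the host/group restriction, pam_unix succeeds for any user getpwent() can see, including LDAP users via nss_ldap, pam_require succeeds only for the users named in its arguments), and the user population is constructed for the example.

```python
"""Simulate OpenPAM dispatch over the three 'account' stacks from the mail.

Added example, not part of the original post.  The pam_* functions below are
a constructed model of the modules' outcomes, not the real implementations.
"""

SUCCESS, FAIL = "success", "fail"

# Constructed population (assumption).  nss_ldap makes LDAP users visible to
# getpwent()/getpwnam(), which is why pam_unix.so treats them like local
# accounts.  The bool says whether the LDAP restriction (pam_groupdn or
# pam_check_host_attr) permits that user on this machine.
LOCAL_USERS = {"root", "localadmin"}
LDAP_USERS = {"alice": True, "bob": False}


def pam_ldap(user, args):
    # Not in LDAP, or in LDAP but not permitted here -> failure.  (The real
    # module distinguishes "user unknown"; under 'sufficient' that makes no
    # difference, the stack simply moves on.)
    return SUCCESS if LDAP_USERS.get(user) else FAIL


def pam_login_access(user, args):
    # Assumption: /etc/login.access imposes no restriction.
    return SUCCESS


def pam_unix(user, args):
    # The bug from the mail: getpwent() also returns LDAP users, so every
    # LDAP user passes pam_unix regardless of the LDAP restriction.
    return SUCCESS if user in LOCAL_USERS or user in LDAP_USERS else FAIL


def pam_require(user, args):
    # Model of the ports pam_require.so (assumption): succeed only for the
    # users listed as module arguments, e.g. "root".
    return SUCCESS if user in args else FAIL


def pam_deny(user, args):
    return FAIL


MODULES = {
    "pam_ldap.so": pam_ldap,
    "pam_login_access.so": pam_login_access,
    "pam_unix.so": pam_unix,
    "pam_require.so": pam_require,
    "pam_deny.so": pam_deny,
}


def parse(config):
    """Turn pam.conf-style lines into (control, module_fn, args) tuples."""
    stack = []
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        _facility, control, path, *args = line.split()
        stack.append((control, MODULES[path.rsplit("/", 1)[-1]], args))
    return stack


def account_ok(config, user):
    """OpenPAM rules: 'sufficient' success ends the stack with success unless
    a 'required' module already failed; 'required' failure is remembered and
    the walk continues; 'requisite' failure ends the stack immediately."""
    error = False
    for control, module, args in parse(config):
        result = module(user, args)
        if result == SUCCESS:
            if control == "sufficient" and not error:
                return True
        elif control in ("required", "requisite"):
            error = True
            if control == "requisite":
                return False
        # a failing 'sufficient' module is simply skipped
    return not error


RECOMMENDED = """
account sufficient /usr/local/lib/pam_ldap.so
account required pam_login_access.so
account required pam_unix.so local_pass
"""

LDAP_ONLY = """
account sufficient /usr/local/lib/pam_ldap.so
account required pam_login_access.so
account required pam_deny.so
"""

QUICKFIX = """
account sufficient /usr/local/lib/pam_ldap.so
account required pam_login_access.so
account required /usr/local/lib/pam_require.so root
account required pam_unix.so local_pass
"""

POPULATION = ("root", "localadmin", "alice", "bob", "stranger")


def summary(config):
    """Map each sample user to whether the account stack admits them."""
    return {u: account_ok(config, u) for u in POPULATION}


if __name__ == "__main__":
    for name, cfg in (("recommended", RECOMMENDED), ("ldap-only", LDAP_ONLY),
                      ("quickfix", QUICKFIX)):
        print(f"{name:12s} {summary(cfg)}")
```

With the constructed population, the recommended stack admits bob even though his LDAP host restriction denies him (pam_ldap fails, but pam_unix then succeeds because nss_ldap makes him visible); the LDAP-only stack rejects bob but also locks out root; the quick fix keeps root, keeps alice, and rejects both bob and the non-root local account.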