RE: AllowGroups and ldap

From: Lars Weste (lweste_at_gmx.de)
Date: 02/03/05

    Date: Thu, 3 Feb 2005 16:56:09 +0100 (MET)
    To: "Tay, Gary" <Gary_Tay@platts.com>
    
    

    Hi Gary,
         
    thanks for your answer, and sorry if I failed to describe the situation
    satisfactorily.
       
    I have two suse9.1 systems connected as clients to the LDAP server.
       
    I can successfully ssh from one client to the other.
    My username, primary and supplementary group come from the LDAP server.
    Nothing of my identity is stored locally apart from my ssh key, so I can log
    in with admin as my supplementary group.
       
    id
    uid=1010(lars) gid=1006(weird) groups=1006(weird),1011(admin)
       
    The following are the configuration files on both suse9.1 systems:
    suse9.1 sshd_config:==========================================
    Port 22
    Protocol 2
    PermitRootLogin no
    StrictModes yes
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    IgnoreRhosts yes
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    UsePAM no
    X11Forwarding yes
    Subsystem sftp /usr/lib/ssh/sftp-server
    AllowGroups admin
       
    suse9.1 ldap.conf:===================================
    host server.intern
    base dc=intern
    ldap_version 3
    pam_password md5
    nss_map_attribute uniqueMember member
    ssl start_tls
    nss_map_attribute uniqueMember member
    pam_filter objectclass=posixAccount
    nss_base_passwd dc=intern
    nss_base_shadow dc=intern
    nss_base_group dc=intern
       
    suse9.1 nsswitch.conf:=============================
    passwd: compat
    group: compat
    hosts: files dns
    networks: files dns
    services: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    netgroup: files
    publickey: files
    bootparams: files
    automount: files nis
    aliases: files
    passwd_compat: ldap
    group_compat: ldap
       
    ===================================================
    ===================================================
    ldap server sshd_config:===========================
    Port 22
    Protocol 2
    PermitRootLogin no
    StrictModes yes
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    IgnoreRhosts yes
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    UsePAM no
    X11Forwarding yes
    Subsystem sftp /usr/lib/ssh/sftp-server
    AllowGroups admin
      
    ldap servers ldap.conf:================================
    host server.intern
    base dc=intern
    ldap_version 3
    pam_password md5
    nss_map_attribute uniqueMember member
    ssl start_tls
    nss_map_attribute uniqueMember member
    pam_filter objectclass=posixAccount
    nss_base_passwd dc=intern
    nss_base_shadow dc=intern
    nss_base_group dc=intern
     
    ldap servers nsswitch.conf:=========================
    passwd: compat
    group: compat
    hosts: files dns
    networks: files dns
    services: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    netgroup: files
    publickey: files
    bootparams: files
    automount: files nis
    aliases: files
    passwd_compat: ldap
    group_compat: ldap
     
     
    So I can successfully log into the LDAP server with this config if I
    change the admin group to my primary group and the weird group to the
    supplementary one. But in the situation which I want, the admin group as a
    supplementary group, it doesn't let me in.
     
    As both configurations are nearly the same, I'm wondering what could be
    the problem?
     
    As you suggested, I changed the IP and the localhost in the ldap.conf
    files to server.intern, but without any change. If I remove the ldap
    compat lines from the server's nsswitch.conf file, I won't be able to log in
    with an LDAP account, I think?
    So it seems that there are some other parts of the system causing the
    problem.
     
    Thanks for your patience. Hopefully it is now clearer why I'm totally
    clueless at this point. (: Any suggestions?
     
    Regards
    Lars
       
       
       

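Since the open question in this thread is whether sshd's AllowGroups will see a supplementary group that exists only in LDAP, here is an added example (my own, not code from this thread, from OpenSSH or from SUSE) that models the check sshd performs: it parses AllowGroups out of an sshd_config text, builds the user's group list the way getgrouplist(3) does from NSS data (primary gid plus every group whose member list names the user), and matches that list against the patterns. The passwd and group tables are constructed from the `id` output above; `GROUP_NO_MEMBERS` is an assumed failure case in which the group's membership list comes back empty from NSS, which is exactly the situation in which a supplementary group would not count. `live_user_groups()` runs the same lookup against the real host so the result can be compared with what `id` prints.

```python
"""Model of sshd's AllowGroups check against the group data NSS returns.
Added example for this thread; not OpenSSH code."""
import fnmatch
import os
from typing import Dict, List, Tuple

# Constructed NSS-style tables modelled on the id output in the thread:
# uid=1010(lars) gid=1006(weird) groups=1006(weird),1011(admin)
# passwd: user -> (uid, primary gid)
PASSWD: Dict[str, Tuple[int, int]] = {"lars": (1010, 1006)}
# Variant with admin as the primary group (the case that worked in the thread)
PASSWD_ADMIN_PRIMARY: Dict[str, Tuple[int, int]] = {"lars": (1010, 1011)}

# group: name -> (gid, member list), i.e. what "getent group" would show
GROUP_OK: Dict[str, Tuple[int, List[str]]] = {
    "weird": (1006, []),
    "admin": (1011, ["lars"]),
}
# Assumed failure case: same groups, but the membership list of admin is empty
# because NSS did not hand the member attribute back (e.g. the uniqueMember ->
# member mapping not taking effect). admin is then invisible as a supplementary
# group even though the directory holds the membership.
GROUP_NO_MEMBERS: Dict[str, Tuple[int, List[str]]] = {
    "weird": (1006, []),
    "admin": (1011, []),
}

# Trimmed copy of the sshd_config from the thread, embedded for the example
SSHD_CONFIG = """\
Port 22
Protocol 2
PasswordAuthentication no
UsePAM no
AllowGroups admin
"""


def parse_allow_groups(config_text: str) -> List[str]:
    """Return the patterns from the first AllowGroups line, or [] if absent."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "allowgroups":
            return value.split()
    return []


def user_groups(user: str, passwd: Dict[str, Tuple[int, int]],
                group: Dict[str, Tuple[int, List[str]]]) -> List[str]:
    """Group names sshd would see for user: the primary gid's group plus every
    group whose member list names the user (what getgrouplist(3) returns)."""
    if user not in passwd:
        return []
    _, primary_gid = passwd[user]
    names = [g for g, (gid, _) in group.items() if gid == primary_gid]
    for g, (_, members) in group.items():
        if user in members and g not in names:
            names.append(g)
    return names


def allowed_by_groups(user: str, patterns: List[str],
                      passwd: Dict[str, Tuple[int, int]],
                      group: Dict[str, Tuple[int, List[str]]]) -> bool:
    """AllowGroups semantics: no directive means everyone passes; otherwise at
    least one of the user's groups must match one pattern (* and ? wildcards)."""
    if not patterns:
        return True
    groups = user_groups(user, passwd, group)
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)


def live_user_groups(user: str) -> List[str]:
    """Same lookup against the running host's NSS, for checking a real system.
    Compare the result with the groups that `id <user>` prints."""
    import grp
    import pwd
    pw = pwd.getpwnam(user)
    gids = os.getgrouplist(user, pw.pw_gid)
    return [grp.getgrgid(g).gr_name for g in gids]


if __name__ == "__main__":
    patterns = parse_allow_groups(SSHD_CONFIG)
    for label, pw, gr in (("membership resolved", PASSWD, GROUP_OK),
                          ("membership missing", PASSWD, GROUP_NO_MEMBERS),
                          ("admin as primary", PASSWD_ADMIN_PRIMARY, GROUP_NO_MEMBERS)):
        print(label, user_groups("lars", pw, gr),
              "allowed" if allowed_by_groups("lars", patterns, pw, gr) else "denied")
```

The third case in the `__main__` block reproduces the observation in the thread: with admin as the primary group the check passes even when no membership list is returned, because the primary gid is taken from the passwd entry rather than from the group's member list. If `live_user_groups("lars")` on the server lists only the primary group while `id` on a client shows both, the server's NSS group lookup is where to look, not sshd. The matcher uses `fnmatch`, which also treats `[...]` as a character class; sshd's own pattern matcher does not, so this is a modelling shortcut, not a faithful copy.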
