RE: AllowGroups and ldap

From: Lars Weste (lweste_at_gmx.de)
Date: 02/03/05

  • Next message: peter.kielbasiewicz_at_philips.com: "Problem compiling openssh 3.9p1 on HP-UX 10.20"
    Date: Thu, 3 Feb 2005 16:56:09 +0100 (MET)
    To: "Tay, Gary" <Gary_Tay@platts.com>
    
    

    Hi Gary,
         
    thanks for your answer, and sorry if I failed to describe the situation
    satisfactorily.
       
    I have two SuSE 9.1 systems connected as clients to the LDAP server.
       
    I can successfully ssh from one client to the other.
    My username, primary group and supplementary group all come from the LDAP server.
    Nothing of my identity is stored locally apart from my ssh key, so I can log
    in with admin as my supplementary group.
       
    id
    uid=1010(lars) gid=1006(weird) groups=1006(weird),1011(admin)
       
    The following are the configuration files on both SuSE 9.1 systems:
    suse9.1 sshd_config:==========================================
    Port 22
    Protocol 2
    PermitRootLogin no
    StrictModes yes
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    IgnoreRhosts yes
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    UsePAM no
    X11Forwarding yes
    Subsystem sftp /usr/lib/ssh/sftp-server
    AllowGroups admin
       
    suse9.1 ldap.conf:===================================
    host server.intern
    base dc=intern
    ldap_version 3
    pam_password md5
    nss_map_attribute uniqueMember member
    ssl start_tls
    nss_map_attribute uniqueMember member
    pam_filter objectclass=posixAccount
    nss_base_passwd dc=intern
    nss_base_shadow dc=intern
    nss_base_group dc=intern
       
    suse9.1 nsswitch.conf:=============================
    passwd: compat
    group: compat
    hosts: files dns
    networks: files dns
    services: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    netgroup: files
    publickey: files
    bootparams: files
    automount: files nis
    aliases: files
    passwd_compat: ldap
    group_compat: ldap
       
    ===================================================
    ===================================================
    ldap server sshd_config:===========================
    Port 22
    Protocol 2
    PermitRootLogin no
    StrictModes yes
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    IgnoreRhosts yes
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    UsePAM no
    X11Forwarding yes
    Subsystem sftp /usr/lib/ssh/sftp-server
    AllowGroups admin
      
    ldap servers ldap.conf:================================
    host server.intern
    base dc=intern
    ldap_version 3
    pam_password md5
    nss_map_attribute uniqueMember member
    ssl start_tls
    nss_map_attribute uniqueMember member
    pam_filter objectclass=posixAccount
    nss_base_passwd dc=intern
    nss_base_shadow dc=intern
    nss_base_group dc=intern
     
    ldap servers nsswitch.conf:=========================
    passwd: compat
    group: compat
    hosts: files dns
    networks: files dns
    services: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    netgroup: files
    publickey: files
    bootparams: files
    automount: files nis
    aliases: files
    passwd_compat: ldap
    group_compat: ldap
     
     
    So I can successfully log into the LDAP server with this config if I
    change admin to my primary group and weird to the
    supplementary one. But in the situation I want, with the admin group as a
    supplementary group, it doesn't let me in.
     
    As both configurations are nearly the same, I'm wondering what could be
    the problem?
     
    As you suggested, I changed the IP and the localhost entries in the ldap.conf
    files to server.intern, but without any change. If I remove the ldap
    compat lines from the server's nsswitch.conf file, I won't be able to log in
    with an LDAP account, I think?
    So it seems that some other part of the system is causing the
    problem.
     
    Thanks for your patience. Hopefully it is now clearer why I'm totally
    clueless at this point. (: Any suggestions?
     
    regards
    lars
       
       
       

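One way to see which side is failing, as an added diagnostic script that is not part of this thread: it replays sshd's AllowGroups evaluation (primary gid plus the supplementary gids from getgrouplist(), each gid turned into a name and matched against the AllowGroups patterns) using the same NSS lookups sshd relies on. It assumes Python 3 on a Unix host and is meant to be run on the machine whose sshd is refusing the login; the sample config is constructed to mirror the one quoted above.

```python
"""Replay sshd's AllowGroups check against what NSS reports on this host."""
import grp
import os
import pwd
import re


def parse_allow_groups(sshd_config_text):
    """Collect the patterns from every AllowGroups line (empty list if none)."""
    patterns = []
    for line in sshd_config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "allowgroups":
            patterns.extend(parts[1:])
    return patterns


def match_pattern(name, pattern):
    """sshd-style glob: only '*' and '?' are special, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, name) is not None


def allowgroups_permits(group_names, patterns):
    """True if no AllowGroups is set, or any group name matches any pattern."""
    if not patterns:
        return True
    return any(match_pattern(g, p) for g in group_names for p in patterns)


def nss_group_names(username):
    """Group names as sshd sees them: primary gid plus whatever getgrouplist() returns."""
    pw = pwd.getpwnam(username)
    names = []
    for gid in os.getgrouplist(username, pw.pw_gid):
        try:
            names.append(grp.getgrgid(gid).gr_name)
        except KeyError:  # a gid with no resolvable name is skipped, as sshd does
            pass
    return names


def diagnose(username, sshd_config_text):
    """Print the group list and verdict sshd would reach for this user on this host."""
    patterns = parse_allow_groups(sshd_config_text)
    names = nss_group_names(username)
    verdict = "allowed" if allowgroups_permits(names, patterns) else "DENIED"
    print(f"{username}: NSS groups {names}; AllowGroups {patterns} -> {verdict}")
    return verdict


# Constructed sample mirroring the thread: AllowGroups admin, admin only as a supplementary group.
SAMPLE_SSHD_CONFIG = "Port 22\nProtocol 2\nUsePAM no\nAllowGroups admin\n"
```

Run `diagnose("lars", open("/etc/ssh/sshd_config").read())` on both hosts: if the printed group list lacks the supplementary group on the server but shows it on the client, the difference is in NSS resolution rather than in sshd_config.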
    
