RE: AllowGroups and ldap
From: Tay, Gary (Gary_Tay_at_platts.com)
Date: 02/04/05
- Previous message: peter.kielbasiewicz_at_philips.com: "Problem compiling openssh 3.9p1 on HP-UX 10.20"
- Maybe in reply to: Tay, Gary: "RE: AllowGroups and ldap"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 4 Feb 2005 10:26:00 +0800 To: "Lars Weste" <lweste@gmx.de>
Lars,
I assume your OpenSSH Server is compiled or packaged with "--with-pam". You may check it via "ldd /path/to/sshd" (this is usually the norm for packaged RPMs)
You HAVE to (and you HAVEN'T) use "UsePAM yes" for SSH Server at LDAP Client end, i.e. use PAM (Pluggable Authentication Module) to activate LDAP uid lookup via PAM_LDAP (/etc/ldap.conf and /etc/pam.d/sshd or /etc/pam.d/system-auth) and NSS_LDAP (/etc/nsswitch.conf). This is the norm unless Suse is different from other Linux distros and does not do this.
The /etc/nsswitch.conf at LDAP Server end should not reference "ldap" again, this is looping (LDAP Server looks up LDAP accts?!)
Since you use uniqueMember as group membership attributes (the other option is memberUid), there should be groups data in LDAP in this format using "groupOfUniqueNames" objectclass.
dn: cn=testgrp1,ou=group,dc=platts,dc=mhm,dc=mhc
objectClass: top
objectClass: groupOfUniqueNames
cn: testgrp1
description: Test Group1
uniqueMember: uid=testusr1,ou=People,dc=example,dc=com
uniqueMember: uid=testusr2,ou=People,dc=example,dc=com
Rgds
Gary
-----Original Message-----
From: Lars Weste [mailto:lweste@gmx.de]
Sent: Thu 2/3/2005 11:56 PM
To: Tay, Gary
Cc: secureshell@securityfocus.com
Subject: RE: AllowGroups and ldap
Hi Gary,
thanks for your answer, and sorry if i faild to describe the situation
satisfactory.
i have two suse9.1 connected as clients to the ldap server.
i can successfull ssh from one client to the other.
my username, primary and supplementary group are out of the ldap server.
nothing of my identity is stored locally despite my ssh key. so i can log
in with admin as my supplementary group.
id
uid=1010(lars) gid=1006(weird) groups=1006(weird),1011(admin)
the following are the configuration files at both suse 9.1:
suse9.1 sshd_config:==========================================
Port 22
Protocol 2
PermitRootLogin no
StrictModes yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
X11Forwarding yes
Subsystem sftp /usr/lib/ssh/sftp-server
AllowGroups admin
suse9.1 ldap.conf:===================================
host server.intern
base dc=intern
ldap_version 3
pam_password md5
nss_map_attribute uniqueMember member
ssl start_tls
nss_map_attribute uniqueMember member
pam_filter objectclass=posixAccount
nss_base_passwd dc=intern
nss_base_shadow dc=intern
nss_base_group dc=intern
suse9.1 nsswitch.conf:=============================
passwd: compat
group: compat
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files
passwd_compat: ldap
group_compat: ldap
===================================================
===================================================
ldap server sshd_config:===========================
Port 22
Protocol 2
PermitRootLogin no
StrictModes yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
X11Forwarding yes
Subsystem sftp /usr/lib/ssh/sftp-server
AllowGroups admin
ldap servers ldap.conf:================================
host server.intern
base dc=intern
ldap_version 3
pam_password md5
nss_map_attribute uniqueMember member
ssl start_tls
nss_map_attribute uniqueMember member
pam_filter objectclass=posixAccount
nss_base_passwd dc=intern
nss_base_shadow dc=intern
nss_base_group dc=intern
ldap servers nsswitch.conf:=========================
passwd: compat
group: compat
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files
passwd_compat: ldap
group_compat: ldap
so i can successfully log into the ldap server with this config if i
change the admin group to my primary group and the weird group as the
supplementary one. but in the situation which i want, the admin group as a
supplementary group, it dosn't let me in.
as both configurations are nearly the same so i'm wondering what could be
the problem?
as you suggested, i changed the ip and the localhost in the ldap.conf
files to server.intern, but without any change. if i remove the ldap
compat lines at the servers nsswitch.conf file, i won't be able to log in
with an ldap account i think?
so it seems that there are any other parts of the system causing the
problem.
thanks for your patience. hopefully it is now clearer why i'm totally
clueless at this point.(: any suggestions?
regards
lars
--
Lassen Sie Ihren Gedanken freien Lauf... z.B. per FreeSMS
GMX bietet bis zu 100 FreeSMS/Monat: http://www.gmx.net/de/go/mail
- Previous message: peter.kielbasiewicz_at_philips.com: "Problem compiling openssh 3.9p1 on HP-UX 10.20"
- Maybe in reply to: Tay, Gary: "RE: AllowGroups and ldap"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
