RE: AllowGroups and ldap

From: Tay, Gary (Gary_Tay_at_platts.com)
Date: 02/04/05

  • Next message: Antony Gelberg: "Using existing keys"
    Date: Fri, 4 Feb 2005 10:26:00 +0800
    To: "Lars Weste" <lweste@gmx.de>
    
    

    Lars,
     
    I assume your OpenSSH Server is compiled or packaged with "--with-pam". You may check it via "ldd /path/to/sshd" (this is usually the norm for packaged RPMs).
     
    You HAVE to use (and you HAVEN'T) "UsePAM yes" for the SSH Server at the LDAP Client end, i.e. use PAM (Pluggable Authentication Modules) to activate LDAP uid lookup via PAM_LDAP (/etc/ldap.conf and /etc/pam.d/sshd or /etc/pam.d/system-auth) and NSS_LDAP (/etc/nsswitch.conf). This is the norm unless SuSE is different from other Linux distros and does not do this.
     
    The /etc/nsswitch.conf at the LDAP Server end should not reference "ldap" again; this is looping (the LDAP Server looks up LDAP accts?!)
     
    Since you use uniqueMember as the group membership attribute (the other option is memberUid), there should be group data in LDAP in this format, using the "groupOfUniqueNames" objectclass.
     
    dn: cn=testgrp1,ou=group,dc=example,dc=com
    objectClass: top
    objectClass: groupOfUniqueNames
    cn: testgrp1
    description: Test Group1
    uniqueMember: uid=testusr1,ou=People,dc=example,dc=com
    uniqueMember: uid=testusr2,ou=People,dc=example,dc=com

    Rgds
    Gary

            -----Original Message-----
            From: Lars Weste [mailto:lweste@gmx.de]
            Sent: Thu 2/3/2005 11:56 PM
            To: Tay, Gary
            Cc: secureshell@securityfocus.com
            Subject: RE: AllowGroups and ldap
            
            

            Hi Gary,
                
            Thanks for your answer, and sorry if I failed to describe the situation
            satisfactorily.
              
            I have two SuSE 9.1 machines connected as clients to the LDAP server.
              
            I can successfully ssh from one client to the other.
            My username, primary and supplementary group come from the LDAP server.
            Nothing of my identity is stored locally except my ssh key. So I can log
            in with admin as my supplementary group.
              
            id
            uid=1010(lars) gid=1006(weird) groups=1006(weird),1011(admin)
              
            The following are the configuration files on both SuSE 9.1 machines:
            suse9.1 sshd_config:==========================================
            Port 22
            Protocol 2
            PermitRootLogin no
            StrictModes yes
            RhostsRSAAuthentication no
            HostbasedAuthentication no
            IgnoreRhosts yes
            PasswordAuthentication no
            ChallengeResponseAuthentication no
            UsePAM no
            X11Forwarding yes
            Subsystem sftp /usr/lib/ssh/sftp-server
            AllowGroups admin
              
            suse9.1 ldap.conf:===================================
            host server.intern
            base dc=intern
            ldap_version 3
            pam_password md5
            nss_map_attribute uniqueMember member
            ssl start_tls
            nss_map_attribute uniqueMember member
            pam_filter objectclass=posixAccount
            nss_base_passwd dc=intern
            nss_base_shadow dc=intern
            nss_base_group dc=intern
              
            suse9.1 nsswitch.conf:=============================
            passwd: compat
            group: compat
            hosts: files dns
            networks: files dns
            services: files
            protocols: files
            rpc: files
            ethers: files
            netmasks: files
            netgroup: files
            publickey: files
            bootparams: files
            automount: files nis
            aliases: files
            passwd_compat: ldap
            group_compat: ldap
              
            ===================================================
            ===================================================
            ldap server sshd_config:===========================
            Port 22
            Protocol 2
            PermitRootLogin no
            StrictModes yes
            RhostsRSAAuthentication no
            HostbasedAuthentication no
            IgnoreRhosts yes
            PasswordAuthentication no
            ChallengeResponseAuthentication no
            UsePAM no
            X11Forwarding yes
            Subsystem sftp /usr/lib/ssh/sftp-server
            AllowGroups admin
             
            ldap servers ldap.conf:================================
            host server.intern
            base dc=intern
            ldap_version 3
            pam_password md5
            nss_map_attribute uniqueMember member
            ssl start_tls
            nss_map_attribute uniqueMember member
            pam_filter objectclass=posixAccount
            nss_base_passwd dc=intern
            nss_base_shadow dc=intern
            nss_base_group dc=intern
            
            ldap servers nsswitch.conf:=========================
            passwd: compat
            group: compat
            hosts: files dns
            networks: files dns
            services: files
            protocols: files
            rpc: files
            ethers: files
            netmasks: files
            netgroup: files
            publickey: files
            bootparams: files
            automount: files nis
            aliases: files
            passwd_compat: ldap
            group_compat: ldap
            
            
            So I can successfully log into the LDAP server with this config if I
            change the admin group to my primary group and the weird group to the
            supplementary one. But in the situation which I want, the admin group as a
            supplementary group, it doesn't let me in.
            
            As both configurations are nearly the same, I'm wondering what could be
            the problem?
            
            As you suggested, I changed the IP and the localhost in the ldap.conf
            files to server.intern, but without any change. If I remove the ldap
            compat lines from the server's nsswitch.conf file, I won't be able to log in
            with an LDAP account, I think?
            So it seems that there are other parts of the system causing the
            problem.
            
            Thanks for your patience. Hopefully it is now clearer why I'm totally
            clueless at this point. (: Any suggestions?
            
            Regards
            Lars
              
              
              
            
            --
            Let your thoughts run free... e.g. via FreeSMS
            GMX offers up to 100 FreeSMS/month: http://www.gmx.net/de/go/mail
            
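The question in this thread is whether sshd's "AllowGroups admin" sees an LDAP-supplied supplementary group on the target host. sshd makes that decision after resolving the user through NSS (getpwnam() plus the supplementary group list), then matching each group name against the AllowGroups patterns, which accept '*' and '?' wildcards. The script below is an added example written for this page, not code from either poster: it reproduces that decision with the same NSS path (`id -Gn`) so you can run it on the host that refuses the login. The user name "lars" and the group "admin" in the usage comment are taken from the thread; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list posting): reproduce the membership
# test sshd applies for "AllowGroups", using the same NSS lookup path (id/getent,
# i.e. getpwnam() + getgrouplist()) that sshd uses at login time. Run it on the
# host that denies the login, as the user sshd would resolve.

# allowgroups_match USER_GROUPS ALLOWED_PATTERNS
#   USER_GROUPS:      space-separated group names, as printed by `id -Gn user`
#                     (primary group first, then supplementary groups)
#   ALLOWED_PATTERNS: space-separated AllowGroups patterns; sshd accepts
#                     '*' and '?' wildcards, which the shell `case` also accepts
# Returns 0 if any group matches any pattern (login allowed), 1 otherwise.
allowgroups_match() {
    for grp in $1; do
        for pat in $2; do
            # $pat is deliberately unquoted so the wildcards stay active
            case "$grp" in
                $pat) return 0 ;;
            esac
        done
    done
    return 1
}

# check_user USER ALLOWED_PATTERNS
#   Resolves USER's group list through NSS (files, LDAP via nss_ldap, ...)
#   and prints the AllowGroups decision.
#   Returns 0 = allowed, 1 = denied, 2 = user not resolvable at all.
check_user() {
    user=$1
    allowed=$2
    if ! groups=$(id -Gn "$user" 2>/dev/null); then
        echo "NSS cannot resolve user '$user' (check passwd: in nsswitch.conf)" >&2
        return 2
    fi
    if allowgroups_match "$groups" "$allowed"; then
        echo "ALLOW: $user groups [$groups] match AllowGroups [$allowed]"
        return 0
    fi
    echo "DENY:  $user groups [$groups] match none of AllowGroups [$allowed]" >&2
    return 1
}

# Hypothetical usage on the LDAP server host from the thread:
#   check_user lars "admin"
#   getent group admin
# If `getent group admin` does not list lars, the group: line in nsswitch.conf
# (or nss_ldap's uniqueMember -> member mapping) is not returning the
# membership, and sshd will deny the login no matter what sshd_config says.
```

The second command matters as much as the first: `id` and `getent` use exactly the NSS modules sshd uses, so if they do not show "admin" for the user on that host, no sshd option will make AllowGroups accept the login.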

