
I've set up linux client authentication via ldap, it works. I want to control users' access to several services by adding or removing different OUs for accounts. E.g., if a user is allowed to log in to linux machines, its ou must contain "linux". If this user is allowed to access, say, redmine, its ou must contain "redmine" also.

The problem is, pam_filter parameter in /etc/ldap.conf is ignored. When I set it

pam_filter ou=linux

the search string that comes to ldap server does not contain this filter:

openldap slapd[5374]: conn=1857 op=1 SRCH base="ou=people,dc=rwth-cbmb,dc=de" scope=2 deref=0 filter="(objectClass=posixAccount)"

As I've said, I've been using it with redmine (tickets tracking system) where I set ldap filter too and it works. I get the following search requests on the server:

openldap slapd[5374]: conn=1863 op=1 SRCH base="ou=people,dc=rwth-cbmb,dc=de" scope=2 deref=0 filter="(&(objectClass=*)(uid=alex)(ou=redmine))"

I have the following packages versions:

ldap-auth-client 0.5.3

ldap-auth-config 0.5.3

ldap-utils 2.4.28-1.1ubuntu4.2

libldap-2.4-2 2.4.28-1.1ubuntu4.2

libnss-ldap 264-2.2ubuntu2

libpam-ldap 184-8.5ubuntu2

Client ubuntu 12.04, server ubuntu server 10.04.

Alexander
  • This first openldap log doesn't contain the user either (just objectclass). Why? – Reinaldo Gil Nov 16 '12 at 13:08
  • Because I just ran "getent passwd"... I've solved the problem already. I'll write an answer in a minute. Now I'm trying to get the memberOf overlay to work (switched to server 12.04...) without success :) – Alexander Nov 16 '12 at 15:09

2 Answers


Ok, the solution was to use

nss_base_passwd ou=people,dc=rwth-cbmb,dc=de??ou=linux

in /etc/ldap.conf on the client. According to the documentation:

Syntax:

nss_base_XXX base?scope?filter

I don't know why pam_filter doesn't work, but nss_* solves the problem.

Alexander
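To see what the `base?scope?filter` syntax in the answer above actually changes on the wire, here is an added example (not code from the question, the answer or nss_ldap) that parses an `nss_base_XXX` directive and renders the search request the way slapd's `SRCH` log line shows it. Two points are assumptions of this model rather than quotes from nss_ldap's source: that the configured filter is AND'ed with the map's default object-class filter, and that a bare `attr=value` without parentheses is accepted and wrapped.

```python
"""Work through an nss_ldap ``nss_base_XXX base?scope?filter`` directive and
show the search request slapd would log for it.  Added example, not code from
the question, the answer or nss_ldap itself.  Assumptions: nss_ldap ANDs the
configured filter with the map's default filter, and a bare ``attr=value`` is
wrapped in parentheses."""

from dataclasses import dataclass

# Default filter nss_ldap applies per map when nothing else is configured
# (the passwd one is the filter seen in the question's first slapd log line).
DEFAULT_FILTERS = {
    "passwd": "(objectClass=posixAccount)",
    "shadow": "(objectClass=shadowAccount)",
    "group": "(objectClass=posixGroup)",
}

# Scope keywords and the numeric values slapd prints in its SRCH log lines.
SCOPES = {"base": 0, "one": 1, "sub": 2}


@dataclass(frozen=True)
class NssSearch:
    base: str
    scope: int
    filter: str


def parse_nss_base(directive: str) -> NssSearch:
    """Parse one ``nss_base_<map> base?scope?filter`` line.

    An empty scope selects ``sub``; an empty or absent filter leaves the
    map's default filter alone (which is what the question's log line shows).
    """
    parts = directive.strip().split(None, 1)
    if len(parts) != 2 or not parts[0].startswith("nss_base_"):
        raise ValueError(f"not an nss_base_* directive: {directive!r}")
    key, value = parts
    mapname = key[len("nss_base_"):]
    if mapname not in DEFAULT_FILTERS:
        raise ValueError(f"unsupported map {mapname!r}")

    fields = value.strip().split("?")
    if len(fields) > 3:
        raise ValueError("directive has more than base?scope?filter")
    base = fields[0]
    scope_word = fields[1] if len(fields) > 1 and fields[1] else "sub"
    if scope_word not in SCOPES:
        raise ValueError(f"unknown scope {scope_word!r}")
    extra = fields[2].strip() if len(fields) > 2 else ""

    default = DEFAULT_FILTERS[mapname]
    if extra:
        if not extra.startswith("("):        # assumption: bare attr=value accepted
            extra = f"({extra})"
        ldap_filter = f"(&{default}{extra})"  # assumption: custom filter AND'ed in
    else:
        ldap_filter = default
    return NssSearch(base=base, scope=SCOPES[scope_word], filter=ldap_filter)


def slapd_srch_line(search: NssSearch) -> str:
    """Render the request the way slapd's 'SRCH' log line prints it."""
    return (f'SRCH base="{search.base}" scope={search.scope} '
            f'deref=0 filter="{search.filter}"')


if __name__ == "__main__":
    for line in (
        "nss_base_passwd ou=people,dc=rwth-cbmb,dc=de",            # as in the question
        "nss_base_passwd ou=people,dc=rwth-cbmb,dc=de??ou=linux",  # the answer's fix
        "nss_base_group ou=groups,dc=rwth-cbmb,dc=de?one",         # constructed
    ):
        print(line)
        print("  ->", slapd_srch_line(parse_nss_base(line)))
```

Comparing the rendered line for the second directive with the slapd log confirms whether the restriction actually reached the server, which is the check the question was missing when it only saw `(objectClass=posixAccount)`.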

Add the following line to the /etc/pam_ldap.conf file:

pam_check_host_attr yes

From the pam_ldap man page:

pam_check_host_attr

Specifies whether the "host" attribute should be checked for logon authorization ("account" in the PAM stack). The default is not to. If set to "yes" and a user has no value for the "host" attribute, then the user will be unable to login.

uSlackr
  • OP has already supplied the solution in his case. – BE77Y Mar 11 '15 at 17:45
  • @BE77Y That's true, but there are 3 methods to do the same thing: I have mentioned one, the second is what has been defined, and the third is to use pam_filter in pam_ldap. It depends on what more closely matches the requirements. – Savitoj Singh Mar 12 '15 at 20:09
  • OP's answer is a workaround; this one seems to actually address the problem – Jan 20 '17 at 16:42
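The man-page rule quoted in this answer has a deployment consequence worth checking before flipping the setting: every account that has no `host` value at all stops being able to log in. The following added example (not pam_ldap's own code) models the "account" decision as the man page states it and reports which users of a constructed sample directory would be locked out by enabling `pam_check_host_attr` on a given host. Treating a `host` value of `*` as "any host" is an assumption of this model, not something the man page text above states.

```python
"""Model of the 'account' decision pam_ldap makes when pam_check_host_attr is
set.  Added example, not pam_ldap's own code: the man-page rule (setting off
=> host attribute ignored; setting on and no host value => denied) is applied
literally; treating a host value of '*' as 'any host' is an assumption."""

import socket


def host_attr_allows(entry: dict, hostname: str, check_host_attr: bool) -> bool:
    """Return True if the user entry may log in on `hostname`."""
    if not check_host_attr:
        return True                     # default: the host attribute is not checked
    hosts = entry.get("host", [])
    if not hosts:
        return False                    # man page: no host value => unable to login
    return any(h == hostname or h == "*" for h in hosts)   # '*' wildcard: assumption


# Constructed directory entries (only the attributes this check looks at).
SAMPLE_ENTRIES = {
    "alice": {"uid": "alice", "host": ["linux1", "linux2"]},
    "bob":   {"uid": "bob"},                      # never given a host value
    "carol": {"uid": "carol", "host": ["*"]},
}


def evaluate_logins(entries: dict, hostname: str, check_host_attr: bool) -> dict:
    """Map each uid to the account decision on the given host."""
    return {uid: host_attr_allows(e, hostname, check_host_attr)
            for uid, e in entries.items()}


def locked_out_by_enabling(entries: dict, hostname: str) -> list:
    """Users who can log in today but would be denied once the check is on.

    Run this over a real export of the people OU before enabling the option;
    it is the list of accounts that still need a host value.
    """
    before = evaluate_logins(entries, hostname, check_host_attr=False)
    after = evaluate_logins(entries, hostname, check_host_attr=True)
    return sorted(uid for uid in entries if before[uid] and not after[uid])


if __name__ == "__main__":
    me = socket.gethostname()
    print("pam_check_host_attr no  on linux1:", evaluate_logins(SAMPLE_ENTRIES, "linux1", False))
    print("pam_check_host_attr yes on linux1:", evaluate_logins(SAMPLE_ENTRIES, "linux1", True))
    print("would be locked out on linux1:", locked_out_by_enabling(SAMPLE_ENTRIES, "linux1"))
    print(f"would be locked out on this machine ({me}):", locked_out_by_enabling(SAMPLE_ENTRIES, me))
```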