I have a given LDAP-Server I want to use for User Authentication on my Red Hat Enterprise Linux 5.8 Server. I got the connection to the LDAP-Server working and I'm able to Login to the Linux Server by LDAP User "username".
Now I want that only users from one LDAP group can Login to my RHEL Server. I tried to do this by configuring the following in /etc/ldap.conf:
pam_groupdn cn=RW,ou=ApplRoles,ou=App,ou=Applications,dc=sbb,dc=CH
pam_member_attribute AppRoles
When I try to login after configuring this I get the following message:
"You must be a AppRoles of cn=RW,ou=ApplRoles,ou=App,ou=Applications,dc=sbb,dc=CH".
But when I browse through the LDAP-Server, I see that the User is part of this Group:
# ldapsearch -h ldapi.company.ch -D cn=binduser,ou=Administrators,dc=company,dc=CH -w bindpw -b dc=company,dc=ch -x "(cn=username)" AppRoles
companyAppRoles: cn=RW,ou=ApplRoles,ou=App,ou=Applications,dc=company,dc=CH
The Requests and Answer look like this in Wireshark (dumped by tcpdump on the Linux-Server):
Request (From Wireshark Dump):
LDAPMessage compareRequest(5) "cn=RW,ou=ApplRoles,ou=App,ou=Applications,dc=company,dc=CH"
messageID: 5
protocolOp: compareRequest (14)
compareRequest
entry: cn=RW,ou=ApplRoles,ou=App,ou=Applications,dc=company,dc=CH
ava
attributeDesc: AppRoles
assertionValue: cn=username,ou=OU,dc=company,dc=CH
Answer (From Wireshark Dump):
LDAPMessage compareResponse(5) noSuchObject ([DSA]:No such object:cn=RW,ou=ApplRoles,ou=App,ou=Applications,dc=company,dc=CH)
messageID: 5
protocolOp: compareResponse (15)
compareResponse
resultCode: noSuchObject (32)
matchedDN: ou=Applications,dc=company,dc=CH
errorMessage: [DSA]:No such object:cn=RW,ou=ApplRoles,ou=App,ou=Applications,dc=company,dc=CH
So the LDAP admin said, I should try to change the "assertionValue" to "cn=username" only.
Has anyone an Idea how to change this value? Or are there other options to restrict the access to my server to the users of an LDAP group?
