
Upgrading from CentOS 6, where we were using the ldap.conf entry "pam_check_host_attr=yes" with a wildcard host attribute in LDAP that looked like host=*.group.company.com, providing access to all servers in the domain group.company.com regardless of hostname.

Trying to replicate this feature with nss-pam-ldapd on CentOS 7, and after several permutations of the below it is still not working (based on http://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5 and looking at the code, where $domain is not a valid variable but $dn might be):

pam_authz_search (&(objectClass=posixAccount)(uid=$username)(host=\\*.$dn))

Any debug tips or examples if someone has figured this out?

Error during login: LDAP authorisation check failed
  • notes to date: Need to restart box when changing nslcd.conf, no specific service to restart as it is used by libraries. No extra spaces in the searchstring. ldapsearch -x "(&(objectClass=posixAccount)(uid=myname)(host=\\*.group.company.com))" returns expected values. hostname -d returns not known, but resolv.conf has entry 'search group.company.com'. – dhartford Jun 26 '15 at 14:12
  • modified hosts file so hostname -d returns 'group.comany.com'. But still not functional. – dhartford Jun 26 '15 at 14:45
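Added example (not from the question and not code from nss-pam-ldapd): the asterisk in a stored host value such as *.group.company.com collides with the substring wildcard of LDAP search filters. In RFC 4515 a backslash escape is a backslash followed by exactly two hex digits, so a literal asterisk in a filter is written \2a; a shell-style \\* is not a filter escape. The code below implements that escaping and a small matcher for a single equality/substring assertion, then runs both the unescaped and the escaped form over a constructed set of directory entries. The point for an authorisation filter is that the unescaped form (host=*.group.company.com) does not select "users whose entry is the wildcard entry"; it selects every user whose host value ends in .group.company.com, so a user restricted to web01.group.company.com would pass the check on every server that evaluates the filter. Case-insensitive matching is assumed here because the host attribute uses caseIgnoreIA5Match in the common schema; nothing in the block is nslcd's own API.

```python
import re

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
FILTER_SPECIALS = '*()\\\x00'


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    '*' becomes \\2a so it is matched literally instead of as a wildcard."""
    return ''.join('\\%02x' % ord(c) if c in FILTER_SPECIALS else c for c in value)


def build_authz_filter(username: str, host_value: str) -> str:
    """Filter of the shape used in the question, with both values escaped.
    (nslcd substitutes $username itself; here the value is passed explicitly.)"""
    return '(&(objectClass=posixAccount)(uid=%s)(host=%s))' % (
        escape_filter_value(username), escape_filter_value(host_value))


def assertion_to_regex(assertion: str) -> str:
    """Translate one filter assertion value into a regex: an unescaped '*'
    is a wildcard, '\\XX' is a literal character. Illustrative only; this
    is not a full LDAP filter parser."""
    pieces = []
    i, n = 0, len(assertion)
    while i < n:
        c = assertion[i]
        if c == '\\' and i + 2 < n:
            pieces.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        elif c == '*':
            pieces.append('.*')
            i += 1
        else:
            pieces.append(re.escape(c))
            i += 1
    return '^' + ''.join(pieces) + '$'


def host_matches(assertion: str, stored_value: str) -> bool:
    """Does the stored host attribute value satisfy (host=<assertion>)?
    Assumes caseIgnoreIA5Match, i.e. case-insensitive comparison."""
    return re.fullmatch(assertion_to_regex(assertion), stored_value, re.IGNORECASE) is not None


# Constructed sample directory: uid -> list of host attribute values.
DIRECTORY = {
    'alice': ['*.group.company.com'],      # the wildcard entry from the question
    'bob':   ['web01.group.company.com'],  # restricted to a single server
    'carol': ['*.other.company.com'],      # wildcard for a different domain
}


def authorized_users(host_assertion: str) -> list:
    """Users whose entry would be returned by (host=<host_assertion>)."""
    return sorted(uid for uid, hosts in DIRECTORY.items()
                  if any(host_matches(host_assertion, h) for h in hosts))


if __name__ == '__main__':
    # Unescaped: the wildcard in the filter also matches bob's single-host entry.
    print('unescaped:', authorized_users('*.group.company.com'))
    # Escaped: only the entry that literally holds the wildcard value matches.
    print('escaped:  ', authorized_users(escape_filter_value('*.group.company.com')))
    print(build_authz_filter('myname', '*.group.company.com'))
```

With the escaped value the filter line in nslcd.conf would carry \2a rather than \\* (the domain has to be fixed in the configuration, since the question notes there is no $domain variable); whether the installed nslcd version passes the backslash sequence through to the server unchanged is something to confirm against nslcd.conf(5) for that version, as is the set of substitution variables it offers. The ldapsearch test from the comments can be repeated with the \2a form to confirm that exactly the wildcard entries, and no single-host entries, come back.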

0 Answers