
I have tried to install PAM and LDAP on Fedora 23. I have configured pam.d/system-auth as follows:

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required      pam_env.so
    auth sufficient    pam_unix.so nullok try_first_pass
    auth requisite     pam_succeed_if.so uid >= 100 quiet
    auth sufficient    pam_ldap.so use_first_pass
    auth required      pam_deny.so

    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     sufficient    pam_ldap.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_ldap.so

and the ldap.conf as follows:

    BASE dc=aaa,dc=bbb,dc=ccc
    URI ldap://aaa.bbb.ccc/
    sudoers_base ou=SUDOers,dc=aaa,dc=bbb,dc=ccc
    pam_groupdn cn=serverFedora,ou=groups,dc=aaa,dc=bbb,dc=ccc

But all users can log in whether they are in the group or not. Any idea what I have missed?

Thanks in advance


Thanks for your answer. I checked the man page and this option was not supported. I checked and found these options in /etc/nslcd.conf:

    base group   ou=people,dc=aaa,dc=bbb,dc=ccc?one?memberOf=cn=fedoraserver,ou=groups,dc=aaa,dc=bbb,dc=ccc
    base passwd  ou=people,dc=aaa,dc=bbb,dc=ccc
    base shadow  ou=people,dc=aaa,dc=bbb,dc=ccc

and also in /etc/ldap.conf:

    nss_base_group     cn=fedoraserver,ou=groups,dc=aaa,dc=bbb,dc=ccc
    nss_base_passwd     ou=people,dc=aaa,dc=bbb,dc=ccc
    nss_base_shadow     ou=people,dc=aaa,dc=bbb,dc=ccc

But I still have the same problem: all users can log in whether they are a member of fedoraserver or not. Any idea about it?

rahele
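To see why the account stack above admits every LDAP user, here is a small simulator of PAM control-flag semantics (required, requisite, sufficient, optional) run over the account lines from the question. This is an added example, not code from the post; the per-module outcomes assumed for an LDAP user who is not in cn=serverFedora are labelled in the comments.

```python
SUCCESS, FAIL = "success", "fail"

def run_stack(stack, outcomes):
    """Evaluate a PAM stack the way Linux-PAM does.

    stack:    list of (control, module) in file order.
    outcomes: dict module -> SUCCESS/FAIL for the simulated user.
    Returns (final_result, trace); trace lists the modules actually consulted.
    """
    had_required_failure = False
    trace = []
    for control, module in stack:
        result = outcomes[module]
        trace.append((module, result))
        if control == "required" and result == FAIL:
            had_required_failure = True        # remembered, stack keeps running
        elif control == "requisite" and result == FAIL:
            return FAIL, trace                 # abort immediately
        elif control == "sufficient":
            if result == SUCCESS and not had_required_failure:
                return SUCCESS, trace          # short-circuit: later lines never run
            # a failing sufficient module is simply ignored
        elif control == "optional":
            pass                               # ignored unless it is the only module
    return (FAIL if had_required_failure else SUCCESS), trace

# The account stack exactly as written in the question's system-auth.
ACCOUNT_STACK = [
    ("required",   "pam_unix.so"),
    ("sufficient", "pam_localuser.so"),
    ("sufficient", "pam_succeed_if.so"),      # uid < 500
    ("sufficient", "pam_ldap.so"),
    ("required",   "pam_permit.so"),
]

# Assumed outcomes for an LDAP user (uid >= 500) outside cn=serverFedora:
# pam_ldap.so succeeds because the nslcd-based module ignores pam_groupdn,
# while pam_localuser and the uid test fail as expected.
LDAP_USER_OUTSIDE_GROUP = {
    "pam_unix.so": SUCCESS, "pam_localuser.so": FAIL,
    "pam_succeed_if.so": FAIL, "pam_ldap.so": SUCCESS, "pam_permit.so": SUCCESS,
}

# Same user, but suppose pam_ldap.so DID enforce the group and rejected them.
LDAP_USER_REJECTED_BY_PAM_LDAP = dict(LDAP_USER_OUTSIDE_GROUP, **{"pam_ldap.so": FAIL})

def account_result(outcomes):
    """Final result of the account phase for the given simulated outcomes."""
    return run_stack(ACCOUNT_STACK, outcomes)[0]

if __name__ == "__main__":
    for name, outcomes in [("outside group", LDAP_USER_OUTSIDE_GROUP),
                           ("rejected by pam_ldap", LDAP_USER_REJECTED_BY_PAM_LDAP)]:
        print(name, "->", run_stack(ACCOUNT_STACK, outcomes))
```

Both runs end in success: the first short-circuits at the sufficient pam_ldap.so line, and the second shows that even a rejecting pam_ldap.so is ignored because the stack closes with `account required pam_permit.so`, so the group restriction cannot be enforced by this stack as written.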

1 Answer

Not all pam_ldap modules support the same options, and the pam_groupdn option you're trying to use is from PADL's implementation of the module that most Linux distros are trying to move away from. It is not recommended to go back to the old PADL module as each process has to maintain its own separate state and connection to the LDAP server.

Check the manpage (man pam_ldap) and verify that this option is listed. If it's not present, you are using a different PAM module and you will need to consult the documentation for how to implement this group restriction using your current module.

(alternatively, take a look at pam_limits)

Andrew B