I'm attempting to set up authentication via LDAP for OpenSSH connections on our FreeBSD servers in AWS. The actual LDAP server is external to AWS and is accessed over the Internet.

I've run into a problem with limiting access to the servers. When using pam_ldap and nss_ldap with the OpenLDAP client (PADL versions), everything works fine using the appropriate filter. However, it was taking several minutes to log in. After doing some reading, I switched over to nslcd and it seemed to speed things up a lot, but I'm unable to get the filters working properly to limit access.

Also, I've noticed that users do not have all of their secondary group memberships present, so I'm unable to work around this with a different PAM filter or the AllowGroups feature in the sshd config file.

The LDAP server in question is a huge university-wide installation, so there are thousands of groups.

I've tried a filter similar to the following with no luck.

filter passwd (&(objectClass=posixAccount)(memberOf=CN=customgroup,ou=User Groups,OU=groups,DC=thedomainoftheuniversity,DC=edu))

Any suggestions on what could be wrong with this filter or ideas on how to get all the group memberships to show up so I can use another approach?

Update: I learned that the memberOf attribute is not part of the schema and that the LDAP server is eDirectory. I need to find a way to filter from the groups over the users. The groups do implement posixGroup and have member attributes populated.

Lucas Holt
  • Does the LDAP server limit the number of response entries? By default OpenLDAP will limit to 500. This could be the issue with secondary groups. – 84104 Mar 03 '17 at 23:19
  • I figured out that the schema isn't including memberOf on the user, so I need to find a way to filter based on the groups (the other direction). The server is eDirectory apparently. – Lucas Holt Mar 06 '17 at 16:28
  • sshd_config's AllowGroups already filters based on groups and not memberOf. – 84104 Mar 06 '17 at 18:13
  • True, but the groups aren't populated properly because of the memberOf! As in, if I do an `id` on a username, it's not showing group memberships. – Lucas Holt Mar 07 '17 at 21:17
  • You're not understanding. `nslcd` does not use `memberOf` for groups. By default it uses `posixGroup` and `memberUid`, the default RFC 2307 attributes. What is your `/etc/nslcd.conf`? – 84104 Mar 08 '17 at 00:12

2 Answers


If eDirectory is your underlying directory service, a couple of comments. posixAccount is not a default object class. Is your Uni that is hosting the directory service maintaining that object class on users?

While memberOf is not per se an attribute in eDirectory, that is a bit of a misnomer, since the attribute name on the User class is Member, and the LDAP server has an attribute-map feature where common attributes incoming in queries are remapped to the native attributes. So memberOf is usually aliased to member on LDAP queries. You would have to ask the directory admins if they disabled that, or why.

geoffc

I've still been unable to get secondary groups to show up on users, but limiting is now working. This configuration is limited to two groups and also filters based on OU attributes on the user record.

# nslcd.conf fragment: login is allowed only if this search, with $dn replaced
# by the authenticating user's DN, returns at least one group entry
pam_authz_search (&(objectClass=posixGroup)(|(cn=wd40)(cn=dev specs))(member=$dn))

# page large result sets and do not chase referrals
pagesize 1000
referrals off
# only expose users with a uid who sit in one of the two OUs
filter passwd (&(objectClass=posixAccount)(uid=*)(|(ou=Dev Svcs & Strategic Solutions - Faculty and Staff)(ou=Campaign Planning & Services - Faculty and Staff)))
# supply the POSIX attributes the directory does not carry
map     passwd  homeDirectory "/home/$uid"
map     passwd  loginShell "/bin/tcsh"
map     passwd  gidNumber "20"
# only expose the two groups of interest (closing parenthesis was missing)
filter group (&(objectClass=posixGroup)(|(gidNumber=2281499)(gidNumber=2219401)))
Lucas Holt
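The group-side check used in the accepted configuration (pam_authz_search with `$dn` substituted) can be dry-run offline before touching nslcd. The following is an added example, not code from the question or the answers: a minimal RFC 4515 filter evaluator that handles `&`, `|`, equality and presence, run against constructed group entries with made-up DNs; it also rejects an unbalanced filter such as the group filter above before the fix.

```python
# Added example (not from the question or the answers): minimal RFC 4515 filter
# evaluator to dry-run nslcd's group-side pam_authz_search with $dn substituted.
def _parse(s, i):
    """Parse one filter component at s[i]; return (node, index after its ')')."""
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i:i + 1] in ("&", "|"):
        op, i, kids = s[i], i + 1, []
        while s[i:i + 1] == "(":           # stops at ')' or at end of string
            kid, i = _parse(s, i)
            kids.append(kid)
        node = (op, kids)
    else:
        end = s.index(")", i)                # ValueError if never closed
        attr, value = s[i:end].split("=", 1) # ValueError if no '='
        node, i = ("=", attr.lower(), value), end
    if s[i:i + 1] != ")":
        raise ValueError("unbalanced parentheses at offset %d" % i)
    return node, i + 1
def parse_filter(s):
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing characters after filter")
    return node
def is_valid_filter(s):
    try:
        parse_filter(s)
        return True
    except ValueError:
        return False
def matches(node, entry):
    # entry is {lowercase_attr: [values]}; attribute values compare case-insensitively
    if node[0] in ("&", "|"):
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    _, attr, value = node
    vals = entry.get(attr, [])
    return bool(vals) if value == "*" else any(v.lower() == value.lower() for v in vals)

# The answer's pam_authz_search; nslcd substitutes the authenticating user's DN for $dn.
PAM_AUTHZ_SEARCH = "(&(objectClass=posixGroup)(|(cn=wd40)(cn=dev specs))(member=$dn))"
GROUPS = [  # constructed sample group entries; these DNs are made up
    {"objectclass": ["posixGroup"], "cn": ["wd40"], "member": ["uid=alice,ou=people,dc=example,dc=edu"]},
    {"objectclass": ["posixGroup"], "cn": ["ops"], "member": ["uid=bob,ou=people,dc=example,dc=edu"]},
]
def authorized(user_dn, groups=GROUPS, template=PAM_AUTHZ_SEARCH):
    """Login is allowed only if the substituted search would return at least one group."""
    node = parse_filter(template.replace("$dn", user_dn))
    return any(matches(node, g) for g in groups)
```

Only alice, a member of wd40, passes; bob is in a group the filter does not name and is denied, which is the behaviour nslcd's pam_authz_search gives on a real directory.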