LDAP completely ignores pam_groupdn and pam_filter attribute in ldap.conf

Question

OS: Ubuntu 17.10

I currently installed ldap on an Ubuntu to access a ldap server. I configured nls, pam and ldap like in many tutorials proposed. So it worked but now any ldap user can login to the system. Therefore I wanted to limit the access to the system with the attribute

    pam_groupdn 

or

    pam_filter

in /etc/ldap.conf (Remark a pam_ldap.conf is not exisiting on the system and it also no helps to create on)

When I do for example

    ldapsearch -x -H ldaps://ldap.domain.local:636 -b "cn=users,dc=ldap,dc=mydomain,dc=local" uid="someuser"

I get in this example the results

    memberOf:  cn=users,cn=groups,cd=ldap,dc=domain,dc=local
    memberOf:  cn=lindev,cn=groups,cd=ldap,dc=domain,dc=local

Therfore my filter should contain the cn's users and lindev for accessing the system. First I tried to set a filter in /etc/ldap.conf like this

    pam_filter &((member=cn=lindev,dc=ldap,dc=domain,dc=local)(member=cn=lindev,dc=ldap,dc=domain,dc=local))

I now switched to debug mode of nslcd

    sudo service nslcd stop
    sudo nslcd -d

to control the output. Unfortunately not once the defined filter is used. It just takes the value of the binddn (also configured in /etc/ldap.conf and in /etc/nslcd.conf)

    binddn cn=users,dc=ldap,dc=domain,dc=local

In fact the uid of the user is pasted in in the output of nslcd and then made a compare but the filter was never applied. It seemd to be that these pam_xyz attributes of /etc/ldap.conf are completely ignored. I also googled several solutions that talk of modifying files in /etc/pam.d especially the file common-account, which looks here:

   account [success=1 new_authtok_reqd=done default=ignore]   pam_unix.so
   account requisite                                          pam_deny.so
   account required                                           pam_permit.so
   account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]       pam_ldap.so minimum_uid=1000

There were many hints on the Internet to adapt this files and also the files common-account,common-auth,common-password and common-session. I tried out quite all hints but the problem remains. There is no filter applied at all in the queries that the client makes on the server.

My question is therefore where I can activate this attributes in /etc/ldap.conf?

Answer 1

I gave it up to consider the pam_filter and pam_groupdn attribute in /etc/ldap.conf. There are two options available in /etc/nslcd.conf that does the same thing (according to https://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5)

1. pam_authc_search
2. pam_authz_search

After the documentation authz is a little bit more complex than authc. For my purposes it was sufficient to take the variant authc.

My approach was first to generate a valid search filter with ldapsearch:

    ldapsearch -x -H ldaps://ldap.domain.local -b "dc=ldap,dc=domain,dc=local" "(&(memberUid=loginName)(|(cn=sudogroup)(cn=lindev)))"

The filter checks that the user belongs really to the groups sudogroup and lindev.

Now I was ready to paste the things to /etc/nslcd.conf:

    pam_authc_search (&(memberUid=$username)(|(cn=sudogroup)(cn=lindev)))

Goal reached: I can now login with only members of sudogroup and Linux Development Group (lindev).