
I have SSH/LDAP working just fine with public keys and all on an AWS Linux instance. I'm using nss-pam-ldapd and pam_ldap. But when I set /etc/pam_ldap.conf as follows to restrict login to a LDAP group:

pam_groupdn cn=Administrators,ou=groups,dc=domain,dc=com
pam_member_attribute memberUid

The LDAP user is then not allowed to log in. Local accounts can log in just fine and LDAP accounts can log in if the pam_groupdn line is commented out.

The only logged item is from sshd: Access denied by PAM account configuration.

Here are the pertinent lines from /etc/pam.d/system-auth:

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

Does anyone have any insight into what is happening here?

JonathanDavidArndt
JohnA
  • Just use 'AllowGroups' parameter in /etc/ssh/sshd_config. – Danila Ladner Mar 23 '18 at 00:00
  • Hi Danila. Thanks for that. I was pretty focused on the pam_ldap config. Commenting out pam_groupdn and setting AllowGroups in sshd_config did the trick. Behaviour is as expected and this has the advantage of being able to use multiple groups. – JohnA Mar 23 '18 at 15:01
  • One thing if you're reading this for a solution - ensure that in addition to the LDAP groups in AllowGroups, you also include any local groups (such as wheel) for local accounts. I use local accounts for admins with proper sudo permissions in addition to LDAP accounts. This is in case LDAP falls down. – JohnA Mar 23 '18 at 15:17
  • Yeah, if you want to use pam_ldap I would advise you to use pam_filter instead of pam_group_dn. What does your /etc/pam.d/system-auth look like? – Danila Ladner Mar 23 '18 at 15:36
  • The account excerpts are included above. I tried a number of variations with pam_ldap.so - to no avail. I think I like the ssh AllowGroups approach though. It's reasonably scalable, well documented and easy to troubleshoot. So far, nothing about LDAP has been simple, but once it works - it's great. – JohnA Mar 23 '18 at 15:47
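
The AllowGroups approach from the comments above, as an added example that is not part of the original question or comments: a small POSIX shell script that pulls the AllowGroups patterns out of an sshd_config excerpt and checks a user's group list against them the way sshd does (login is allowed if the primary group or any supplementary group matches one of the patterns, which may contain shell-style wildcards). The sshd_config text and the group lists are constructed sample input; on a real host the equivalents are `sshd -T | grep -i allowgroups` for the effective directive and `id -Gn "$user"` for the group list, which with nss-pam-ldapd includes LDAP groups resolved through NSS.

```shell
#!/bin/sh
# Added example, not from the original post. Simulates sshd's AllowGroups
# check so you can confirm which users an AllowGroups line will admit before
# you restart sshd and lock yourself out.

# Constructed sshd_config excerpt: an LDAP group plus the local 'wheel' group,
# as the comments recommend, so local admin accounts still get in if LDAP is down.
SAMPLE_SSHD_CONFIG='# constructed sshd_config excerpt
Port 22
AllowGroups Administrators wheel
PasswordAuthentication no'

# Print the patterns from the first AllowGroups directive in the given config
# text (sshd honours the first occurrence of a directive, so we stop there).
allow_groups_from_config() {
    printf '%s\n' "$1" |
        awk 'tolower($1) == "allowgroups" { $1 = ""; sub(/^ /, ""); print; exit }'
}

# user_allowed PATTERNS GROUPS
#   PATTERNS: space-separated AllowGroups patterns (wildcards * and ? allowed)
#   GROUPS:   space-separated group names of the user (primary + supplementary)
# Returns 0 if any group matches any pattern, 1 otherwise.
user_allowed() {
    patterns=$1
    groups=$2
    for g in $groups; do
        for p in $patterns; do
            # Unquoted $p makes 'case' do glob matching, like sshd's match_pattern.
            case "$g" in
                $p) return 0 ;;
            esac
        done
    done
    return 1
}

# Stand-alone demo with constructed group lists for three hypothetical users.
if [ "${1:-}" = "--demo" ]; then
    pats=$(allow_groups_from_config "$SAMPLE_SSHD_CONFIG")
    echo "AllowGroups patterns: $pats"
    for entry in "ldapadmin:Administrators users" "localadmin:localadmin wheel" "jdoe:users docker"; do
        user=${entry%%:*}
        grps=${entry#*:}
        if user_allowed "$pats" "$grps"; then
            echo "$user: allowed ($grps)"
        else
            echo "$user: denied ($grps)"
        fi
    done
fi
```

Run it with `sh script.sh --demo`. Two points the simulation makes visible: sshd evaluates AllowGroups against the NSS group list, so an LDAP group only counts if `getent group Administrators` returns it and lists the user, and a user in none of the listed groups is refused before PAM runs at all, so a PAM-side rule like pam_groupdn is not needed for the restriction. Check the live directive with `sshd -T` rather than reading the file, since a later duplicate AllowGroups line is silently ignored.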

0 Answers