thr3ads.net - freebsd security - [Resolved] Found a way of allowing pam_ldap users (with pam_groupdn or pam_check_host_attr restrictions), AND allowing local root authentication, without pam_unix.so taking presense due to getpwent() returns ldap-users [Sep 2007]

If this information is useful, please help other people find it:
Share via:

Daniel Bond

2007-Sep-06 07:25 UTC

[Resolved] Found a way of allowing pam_ldap users (with pam_groupdn or pam_check_host_attr restrictions), AND allowing local root authentication, without pam_unix.so taking presense due to getpwent() returns ldap-users

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I've been trying to get LDAP ssh authentication to work for a while, and
I found a bug (http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/116150) in
pam_unix.so, that breaks support for ldap-group/host-restrictions the
ldap-way.

I saw numerous emails about pam_groupdn-ldap-restrictions on the
mailinglists dating back to 2001, but no resolution for how to get it
playing, so this is a working fix, until pam_unix.so and pam_ldap.so
plays well together:




The recommended setup, UNIX and LDAP logins work, but
groupdn/check_host_attr restrictions dosn't:

account         sufficient /usr/local/lib/pam_ldap.so
account         required        pam_login_access.so
account         required        pam_unix.so local_pass


You want only LDAP users, and no local root-account, this works:

account         sufficient /usr/local/lib/pam_ldap.so
account         required        pam_login_access.so
account         required        pam_deny.so


This is what I ended up as a quickfix, until pam_unix.so is playing
right again:

# account
account         sufficient /usr/local/lib/pam_ldap.so
account         required        pam_login_access.so
account         required        /usr/local/lib/pam_require.so root
account         required        pam_unix.so local_pass


This basicly restricts local accounts to the root-account, and honours
ldap-pam-restrictions, that a user should explicitly have access to the
machine. So one can still login with root-account if ldap-server(s) for
some reason isn't authenticating properly.


Hope this can be helpful to other users struggling with ldap-group/host
restrictions, and don't have to spend as much time as I did debuging it.

Regards,


Daniel Bond,
NSN ASA.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG4Ad0UR3pKhqN0EoRAheaAKCd7GRLVDzaa9NYkHY2+u5kNScV8gCeN21T
r8XHQNqJgB0tYIuZUTIrIf8=ChTy
-----END PGP SIGNATURE-----

Maybe Matching Threads

Search for more maybe matching threads

freebsd security - Sep 2007 - [Resolved] Found a way of allowing pam_ldap users (with pam_groupdn or pam_check_host_attr restrictions), AND allowing local root authentication, without pam_unix.so taking presense due to getpwent() returns ldap-users

[Resolved] Found a way of allowing pam_ldap users (with pam_groupdn or pam_check_host_attr restrictions), AND allowing local root authentication, without pam_unix.so taking presense due to getpwent() returns ldap-users

Maybe Matching Threads

Wisdom of the Ancients