Displaying 17 results from an estimated 17 matches for "pam_check_host_attr".

2007 Sep 06
0
[Resolved] Found a way of allowing pam_ldap users (with pam_groupdn or pam_check_host_attr restrictions), AND allowing local root authentication, without pam_unix.so taking precedence due to getpwent() returns ldap-users
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I've been trying to get LDAP ssh authentication to work for a while, and I found a bug (http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/116150) in pam_unix.so, that breaks support for ldap-group/host-restrictions the ldap-way. I saw numerous emails about pam_groupdn-ldap-restrictions on the mailing lists dating back to 2001, but no resolution
2015 May 05
6
ldap host attribute is ignored
...ored. Any ldap user, independent from the host attribute, still can log in. What could be the reason? (googling around did not lead me to a solution). The cache is already flushed. Here is my configuration: /etc/openldap/ldap.conf contains the line: ------------------------------------------ pam_check_host_attr yes /etc/sssd/sssd.conf: -------------------- [sssd] config_file_version = 2 services = nss, pam, autofs domains = default # SSSD will not start if you do not configure any domains. # Add new domain configurations as [domain/<NAME>] sections, and # then add the list of domains (in the or...
2015 May 05
0
ldap host attribute is ignored
On 05/05/2015 03:02 AM, Ulrich Hiller wrote: > /etc/openldap/ldap.conf contains the line: > ------------------------------------------ > pam_check_host_attr yes /etc/openldap/ldap.conf is the configuration file for openldap clients. It is not used for system authentication or name service. > 'pam_check_host_attr yes' is in /etc/openldap/ldap.conf. /etc/ldap.conf > is a softlink to that file. Those two files have completely differ...
2015 May 05
4
ldap host attribute is ignored
On 05/05/2015 06:47 PM, Gordon Messmer wrote: > On 05/05/2015 03:02 AM, Ulrich Hiller wrote: >> /etc/openldap/ldap.conf contains the line: >> ------------------------------------------ >> pam_check_host_attr yes > > /etc/openldap/ldap.conf is the configuration file for openldap clients. > It is not used for system authentication or name service. > >> 'pam_check_host_attr yes' is in /etc/openldap/ldap.conf. /etc/ldap.conf >> is a softlink to that file. > > T...
2010 Jul 27
2
Samba LDAP ignores group information
...hadowMax: 9999 Here's /etc/ldap.conf base dc=example,dc=com uri ldapi:///127.0.0.1 uri ldap://127.0.0.1 ldap_version 3 binddn cn=admin,dc=example,dc=com bindpw mysecret rootbinddn cn=admin,dc=example,dc=com scope sub bind_policy soft pam_filter objectclass=posixAccount pam_login_attribute uid pam_check_host_attr yes pam_member_attribute memberUid pam_password md5 nss_base_passwd ou=people,dc=example,dc=com?sub nss_base_passwd ou=computers,dc=example,dc=com?sub nss_base_group ou=groups,dc=example,dc=com?sub And the smbldap.conf: SID="S-1-5-21-158730468-2379596502-3695168017" sambaDomain="R...
2015 May 05
0
ldap host attribute is ignored
...chine in > their ldap host attribute. > > My problem is, that this host attribute seems to be ignored. Any ldap > user, independent from the host attribute, still can log in. > > What could be the reason? (googling around did not lead me to a solution). > > Try to set 'pam_check_host_attr yes' in /etc/ldap.conf . --Regards Ashishkumar S. Yadav
2015 May 12
0
ldap host attribute is ignored
...k apart from username and password check - otherwise i would not have been able to login. The question is why doesn't it perform these checks. Just to repeat: My sssd.conf contains access_provider = ldap ldap_access_order = host ldap_user_authorized_host = host I read something about "pam_check_host_attr" in /etc/ldap.conf But this does not help in my /etc/openldap/ldap.conf (already tested). Any idea is still welcome. With kind regards, ulrich On 05/12/2015 07:45 PM, Gordon Messmer wrote: > On 05/12/2015 06:25 AM, Ulrich Hiller wrote: >> >> i have set logging in sssd to 9...
2007 Oct 09
1
nscd segfaulting on centos 4.5
Does anyone know if there is a fix for nscd segfaulting after a short period of time. Googling for it came up with one result that suggested deleting the files in /var/db/nscd , but that didn't help. Another result was about run away processes which is not the problem I'm having. They are x86_64 boxes. output from /var/log/messages Oct 9 12:56:38 lyra kernel: nscd[11660]: segfault at
2009 Jun 29
2
CentOS and Redhat Directory Server
I have implemented LDAP on CentOS successfully using Redhat's Directory Server and the great how-to on the CentOS wiki. Being new to LDAP, I have a question and maybe one of you guys can point me in the right direction: I have LDAP implemented on the network for logins to the workstation pcs. I also have an apache website that I now use LDAP for authentication. What I want, however, is
2010 Jul 30
0
Slow with some applications
...ot; dos charset = UTF-8 unix charset = UTF-8 == ldap.conf == base dc=example,dc=com uri ldap://127.0.0.1 ldap_version 3 binddn cn=admin,dc=example,dc=com bindpw mysecret rootbinddn cn=admin,dc=example,dc=com scope sub bind_policy soft pam_filter objectclass=posixAccount pam_login_attribute uid pam_check_host_attr yes pam_member_attribute memberUid pam_password md5 nss_base_passwd ou=people,dc=example,dc=com?sub nss_base_passwd ou=computers,dc=example,dc=com?sub nss_base_group ou=groups,dc=example,dc=com?sub == slapd.conf == include /etc/openldap/schema/core.schema include /etc/openldap/schema/...
2006 Nov 06
1
Samba with AD
...tscape Directory Server) #pam_lookup_policy yes # Check the 'host' attribute for access control # Default is no; if set to yes, and user has no # value for the host attribute, and pam_ldap is # configured for account management (authorization) # then the user will not be allowed to login. #pam_check_host_attr yes # Group to enforce membership of #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com # Group member attribute #pam_member_attribute uniquemember # Specify a minium or maximum UID number allowed #pam_min_uid 0 #pam_max_uid 0 # Template login attribute, default template user # (can be overriden by v...
2015 May 12
3
ldap host attribute is ignored
On 05/12/2015 06:25 AM, Ulrich Hiller wrote: > > i have set logging in sssd to 9: 7 might be good enough for what you want to find. I added this to domain/default section: access_provider = ldap ldap_access_order = host ldap_user_authorized_host = host debug_level = 7 /var/log/sssd/sssd_default.log logged the following for one user which had no "host" attribute, and was
2015 May 06
2
ldap host attribute is ignored
...[autofs] When i stop the sssd daemon, no login at all is possible. But when i start sssd, again login is successful, independently from what i write into ldap_access_order and ldap_user_authorized_host (if i don't commit syntax errors). I also tried with ldap_access_filter and inserting "pam_check_host_attr yes" into ldap.conf. Still the same: When username and password are correct, the host attribute is ignored. Is there another config file i have to edit? With kind regards, ulrich On 05/05/2015 11:43 PM, Gordon Messmer wrote: > On 05/05/2015 11:14 AM, Ulrich Hiller wrote: >> On...
2005 Apr 21
0
Problem with groups & joining domain.- LDAP
...cape Directory Server) # pam_lookup_policy yes # Check the 'host' attribute for access control # Default is no; if set to yes, and user has no # value for the host attribute, and pam_ldap is # configured for account management (authorization) # then the user will not be allowed to login. # pam_check_host_attr yes # Check the 'authorizedService' attribute for access # control # Default is no; if set to yes, and the user has no # value for the authorizedService attribute, and # pam_ldap is configured for account management # (authorization) then the user will not be allowed # to login. #pam_check...
2009 Mar 04
0
Can anyone comment on my setup?
...tscape Directory Server) #pam_lookup_policy yes # Check the 'host' attribute for access control # Default is no; if set to yes, and user has no # value for the host attribute, and pam_ldap is # configured for account management (authorization) # then the user will not be allowed to login. #pam_check_host_attr yes # Check the 'authorizedService' attribute for access # control # Default is no; if set to yes, and the user has no # value for the authorizedService attribute, and # pam_ldap is configured for account management # (authorization) then the user will not be allowed # to login. #pam_check...
2005 May 05
2
Fwd: Follow Up - Problem with groups & joining domain.- LDAP
...cape Directory Server) # pam_lookup_policy yes # Check the 'host' attribute for access control # Default is no; if set to yes, and user has no # value for the host attribute, and pam_ldap is # configured for account management (authorization) # then the user will not be allowed to login. # pam_check_host_attr yes # Check the 'authorizedService' attribute for access # control # Default is no; if set to yes, and the user has no # value for the authorizedService attribute, and # pam_ldap is configured for account management # (authorization) then the user will not be allowed # to login. #pam_check...
2005 Jun 22
2
Problem Connecting from Windows to Samba-OpenLDAP PDC
...tscape Directory Server) #pam_lookup_policy yes # Check the 'host' attribute for access control # Default is no; if set to yes, and user has no # value for the host attribute, and pam_ldap is # configured for account management (authorization) # then the user will not be allowed to login. #pam_check_host_attr yes # Check the 'authorizedService' attribute for access # control # Default is no; if set to yes, and the user has no # value for the authorizedService attribute, and # pam_ldap is configured for account management # (authorization) then the user will not be allowed # to login. #pam_check...