pam_groupdn login restriction
- To: openldap-technical@openldap.org
- Subject: pam_groupdn login restriction
- From: Paul <pma5201@yahoo.com>
- Date: Sun, 1 Nov 2009 17:24:54 -0800 (PST)
I'm currently trying to get group-based login working, with little success, using pam_groupdn on CentOS. Currently, any existing LDAP user is allowed to log in to the system, but it does throw the error: "You must be a member of cn=login,ou=Group,dc=mydomain,dc=com to login." I would like to deny logins for any LDAP users unless they exist in the specified group (in this case, cn=login,ou=Group,dc=mydomain,dc=com). Can anyone tell me what I'm doing wrong or point me toward some documentation?
/etc/ldap.conf:
uri ldaps://ldap.mydomain.com
base dc=mydomain,dc=com
binddn cn=user,ou=People,dc=mydomain,dc=com
bindpw password
bind_policy soft
pam_password md5
pam_login_attribute userID
pam_groupdn cn=login,ou=Groups,dc=mydomain,dc=com
pam_member_attribute member
pam_lookup_policy yes
tls_checkpeer no
ssl on
LDAP login group:
dn: cn=login,ou=Group,dc=mydomain,dc=com
objectClass: top
objectClass: posixGroup
cn: login
description: login group
gidNumber: 100
memberUid: user1
memberUid: user2
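Added example, not part of the post above: a small Python checker that reads an ldap.conf fragment and the LDIF of the group entry (both embedded here as constructed copies of what the post shows) and reports configuration inconsistencies that would stop a pam_groupdn restriction from ever matching, then simulates the membership compare for a given user. It assumes pam_ldap enforces pam_groupdn by an LDAP compare against that DN using pam_member_attribute, with the user's DN as the value (or the bare username when the attribute is memberUid), and that the default for pam_member_attribute is uniquemember; both are assumptions drawn from the sample ldap.conf shipped with pam_ldap, not from the post.

```python
"""Cross-check a pam_ldap group restriction against the group entry it names.

Added example; not from the mailing-list post. Assumption: pam_ldap checks
pam_groupdn with an LDAP compare on that DN for the pam_member_attribute
attribute, using the user's DN as the value, or the plain username when the
attribute is memberUid. Default attribute assumed to be uniquemember.
"""

# Constructed copies of the fragments in the post.
LDAP_CONF = """\
uri ldaps://ldap.mydomain.com
base dc=mydomain,dc=com
pam_login_attribute userID
pam_groupdn cn=login,ou=Groups,dc=mydomain,dc=com
pam_member_attribute member
"""

GROUP_LDIF = """\
dn: cn=login,ou=Group,dc=mydomain,dc=com
objectClass: top
objectClass: posixGroup
cn: login
description: login group
gidNumber: 100
memberUid: user1
memberUid: user2
"""

MEMBER_ATTRS = ("member", "uniquemember", "memberuid")
DEFAULT_MEMBER_ATTR = "uniquemember"  # assumption, see module docstring


def parse_ldap_conf(text):
    """Parse 'key value' lines of a pam_ldap style ldap.conf into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_ldif(text):
    """Parse one LDIF entry into {attr_lower: [values]} (no line folding)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def normalize_dn(dn):
    """Lower-case and strip each RDN so DNs compare case-insensitively."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_groupdn(conf, group):
    """Return a list of reasons the group restriction cannot match anyone."""
    problems = []
    groupdn = conf.get("pam_groupdn")
    if not groupdn:
        return ["pam_groupdn not set: no group restriction is applied"]
    entry_dn = group["dn"][0]
    if normalize_dn(groupdn) != normalize_dn(entry_dn):
        problems.append(
            f"pam_groupdn {groupdn!r} does not name the group entry {entry_dn!r}")
    attr = conf.get("pam_member_attribute", DEFAULT_MEMBER_ATTR).lower()
    present = [a for a in MEMBER_ATTRS if a in group]
    if attr not in group:
        problems.append(
            f"pam_member_attribute is {attr!r} but the group entry carries "
            f"{', '.join(present) or 'no'} membership attribute(s)")
    return problems


def would_match(conf, group, username, user_dn):
    """Simulate the compare pam_ldap performs; True means login is allowed."""
    attr = conf.get("pam_member_attribute", DEFAULT_MEMBER_ATTR).lower()
    values = group.get(attr, [])
    if attr == "memberuid":
        return username in values
    return normalize_dn(user_dn) in {normalize_dn(v) for v in values}


if __name__ == "__main__":
    conf = parse_ldap_conf(LDAP_CONF)
    group = parse_ldif(GROUP_LDIF)
    for problem in check_groupdn(conf, group) or ["no inconsistencies found"]:
        print("-", problem)
    # Constructed user DN built from the pam_login_attribute in the config.
    user_dn = f"{conf['pam_login_attribute']}=user1,ou=People,dc=mydomain,dc=com"
    print("user1 would pass the group check:", would_match(conf, group, "user1", user_dn))
```

Run against the posted fragments, the checker reports two inconsistencies (the pam_groupdn DN says ou=Groups while the entry lives under ou=Group, and the entry is a posixGroup holding memberUid values while pam_member_attribute names member), and the simulated compare fails for user1. The check covers only the pam_ldap side: whether a failed group check actually denies the session is decided by the control flags on the pam_ldap line in the PAM stack, which the post does not show.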