[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: restrict host login based on group

To: Adam Hough <adam@gradientzero.com>
Subject: Re: restrict host login based on group
From: Shamika Joshi <shamika.joshi@gmail.com>
Date: Mon, 7 Dec 2009 18:26:57 +0530
Cc: Serge Fonville <serge.fonville@gmail.com>, Jarbas Peixoto Júnior <jarbas.junior@gmail.com>, openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=q+VgMKGYRVtof4ClY5gd9crncm1nDCn7gt6A573PN94=; b=eKpvQn/wJz4z5n9JWZl5ctar4GSatIeRkW1pStXorJpScYefgnPrB7MKfA0cqh1HSX gyk8jYUi8Q4Lg61FUAmM6M+XgUZXXh+DYo4kSl93elWaQurmwd3qjyJzjipcGooklmfY /THCgyxk02xHACcZrZ2ZIHzzL7ZJmzsd9Oq7M=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=lAggTMkWZTDaG6Le+Kv2E5m3EM0or79MgQyFADzKyXsvuVhTC7MzNgEOae0oGJjP/m aZK7YoQxysdwd4EkdwCkW6s5m+95x7CIoVU+zGYEy4aJn+oiLZSRyAn2QgH9RnRYnqzA J3rRHbDkZtqmUlWIqV8Zo8/5QFBZs9Jo2sdug=
In-reply-to: <30f711300912040007p44894a5ema803c9a46a7ae806@mail.gmail.com>
References: <680cbe0e0912030306ma6de99eh45be3181a9555ada@mail.gmail.com> <68b0c88f0912030548g27927b20sa55f5c277c30a074@mail.gmail.com> <1259857254.2878.4.camel@localhost> <30f711300912040007p44894a5ema803c9a46a7ae806@mail.gmail.com>

I've been fighting with this since long time now. Reading posts & archieves, having no luck beyond this point.......but now a bit desperate to get this done as I am running out of time now.
Any help in this matter is truly appreciated.
I attempted to use following ldap.conf settings, but still get auth failures upon doing ssh w/ ldap user.

host 172.16.135.43
base dc=test,dc=com
uri ldap://172.16.135.43
ldap_version 3
timelimit 120
bind_timelimit 120
idle_timelimit 3600
#pam_filter host=x15ubuntu
pam_filter host=*
pam_check_host_attr yes
pam_password crypt
bind_policy soft
nss_base_passwd ou=Users,dc=test,dc=com?one
nss_base_shadow ou=Users,dc=test,dc=com?one
nss_base_group          ou=Group,dc=test,dc=com?one
nss_base_hosts          ou=Hosts,dc=test,dc=com?one
nss_initgroups_ignoreusersavahi,avahiautoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid, list,lp,mail,man,messagebus,netdirector,news,postgres,proxy,pulse,root,saned,speech-dispatcher,sshd,sync,sys,syslog,uucp,www-data

nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files ldap dns

"getent" for the user "shamika returns correct information from LDAPserver

[root@x15f12 security]# getent passwd shamika
shamika:x:503:55:Shamika J:/home/shamika:/bin/bash
[root@x15f12 security]# getent shadow shamika
shamika:*:14568::::::
[root@x15f12 security]# getent group sysadmin
sysadmin:*:100:uid=ldap1,ou=Users,dc=test,dc=com,uid=ldap2,ou=Users,dc=test,dc=com,uid=shamika,ou=Users,dc=test,dc=com

No user can login even when I set pam_filter host=* , but if I comment out pam_fiilter it allows all ldap users to login via ssh.
Here is snapshot from /var/log/secure
Dec 7 18:12:26 x15f12 sshd[19642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=shamika
Dec 7 18:12:28 x15f12 sshd[19642]: Failed password for shamika from ::1 port 54884 ssh2
Dec 7 18:12:29 x15f12 sshd[19643]: Connection closed by ::1

Here is my /pam.d/sshd file
#%PAM-1.0
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_ldap.so

password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so

Thanks
Shamika

=============================================================================================

2009/12/4 Shamika Joshi <shamika.joshi@gmail.com>

Hi all,
I'm stuck in the same issue as Serge Fonville.
I have created new Auxiliary objectclass 'testobj' with 'host' attribute & added it to the ou=Groups.Then created 2 entries under Groups as below & assigned members to those groups.

dn: cn=qagroup,ou=Groups,dc=test,dc=com
cn: qagroup
gidNumber: 4
objectClass: posixGroup
objectClass: testobj
host: x15f12.test.com

memberUid: uid=ldap1,ou=Users,dc=test,dc=com
memberUid: uid=ldap2,ou=Users,dc=test,dc=com

dn: cn=admin,ou=Groups,dc=test,dc=com
cn: admin
gidNumber: 0
objectClass: posixGroup
objectClass: testobj
host: x15ubuntu.test.com

memberUid: uid=ldap3,ou=Users,dc=test,dc=com
memberUid: uid=ldap4,ou=Users,dc=test,dc=com

Now which parameter in ldap.conf or any other files I host machine should I modify and how, so that members from qagroup or admin groups only get access to host mentioned in their respective attributes ??

Thanks in advance
Shamika

2009/12/3 Adam Hough <adam@gradientzero.com>

Or you can create your own Aux. object class that includes the host
attribute then you just have to modify the ldap.conf for the machine to
restrict user authentication.

- Adam

On Thu, 2009-12-03 at 10:48 -0300, Jarbas Peixoto Júnior wrote:
> If you are using ssh and pam can be done like this:
>
> # tail /etc/ssh/sshd_config
>
> # Allow client to pass locale environment variables
> AcceptEnv LANG LC_*
>
> Subsystem sftp /usr/lib/openssh/sftp-server
>
> UsePAM yes
>
> # Restringir acesso ao grupo local 'suporte' e a grupos LDAP
> AllowGroups suporte "SSH UDSL"
>
> where "SSH UDSL" is a Group in LDAP, and "suporte" is a local group.
>
> 2009/12/3 Serge Fonville <serge.fonville@gmail.com>:
> > Hi,
> >
> > While setting up an LDAP server. I noticed that it is not possible to
> > add a host attribute to a posixGroup.
> >
> > Is there a way to limit a user what host they can logon to based on
> > their group membership?
> >
> > Thanks in advance
> >
> > Regards,
> >
> > Serge Fonville
> >
> > --
> > http://www.sergefonville.nl
> >
> > Convince Google!!
> > They need to support Adsense over SSL
> > https://www.google.com/adsense/support/bin/answer.py?hl=en&answer=10528
> > http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923&hl=en
> >

Follow-Ups:
- RE: restrict host login based on group
  - From: Joe Friedeggs <friedeggs44@hotmail.com>

References:
- restrict host login based on group
  - From: Serge Fonville <serge.fonville@gmail.com>
- Re: restrict host login based on group
  - From: Jarbas Peixoto Júnior <jarbas.junior@gmail.com>
- Re: restrict host login based on group
  - From: Adam Hough <adam@gradientzero.com>
- Re: restrict host login based on group
  - From: Shamika Joshi <shamika.joshi@gmail.com>

Prev by Date: Re: How To set things up to allow users to change their passwords
Next by Date: Re: gidNumber attribute inside group & member
Index(es):
- Chronological
- Thread