
RE: restrict host login based on group



Use pam_groupdn

pam_groupdn <groupdn>
Specifies the distinguished name of a group to which a user must belong for logon authorization to succeed.
For example:

pam_groupdn cn=accessGroupServer1,ou=host_ssh_access,dc=example,dc=net

I am not sure if you can specify multiple groups; you'll have to play with it.

Thanks,
Joe

________________________________
> Date: Mon, 7 Dec 2009 18:26:57 +0530
> Subject: Re: restrict host login based on group
> From: shamika.joshi@gmail.com
> To: adam@gradientzero.com
> CC: serge.fonville@gmail.com; jarbas.junior@gmail.com; openldap-technical@openldap.org
>
> I've been fighting with this for a long time now. Reading posts &
> archives, having no luck beyond this point... but now a bit desperate to get this done as I am
> running out of time.
>
> Any help in this matter is truly appreciated.
> I attempted to use the following ldap.conf settings, but still get auth failures upon doing ssh w/ an ldap user.
>
> host 172.16.135.43
> base dc=test,dc=com
> uri ldap://172.16.135.43
> ldap_version 3
>
> timelimit 120
> bind_timelimit 120
> idle_timelimit 3600
> #pam_filter host=x15ubuntu
> pam_filter host=*
>
> pam_check_host_attr yes
> pam_password crypt
> bind_policy soft
> nss_base_passwd ou=Users,dc=test,dc=com?one
> nss_base_shadow ou=Users,dc=test,dc=com?one
> nss_base_group ou=Group,dc=test,dc=com?one
>
> nss_base_hosts ou=Hosts,dc=test,dc=com?one
> nss_initgroups_ignoreusers avahi,avahiautoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,netdirector,news,postgres,proxy,pulse,root,saned,speech-dispatcher,sshd,sync,sys,syslog,uucp,www-data
>
> nsswitch.conf
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
> hosts: files ldap dns
>
> "getent" for the user "shamika" returns correct information from the LDAP server
>
> [root@x15f12 security]# getent passwd shamika
> shamika:x:503:55:Shamika J:/home/shamika:/bin/bash
> [root@x15f12 security]# getent shadow shamika
> shamika:*:14568::::::
>
> [root@x15f12 security]# getent group sysadmin
> sysadmin:*:100:uid=ldap1,ou=Users,dc=test,dc=com,uid=ldap2,ou=Users,dc=test,dc=com,uid=shamika,ou=Users,dc=test,dc=com
>
> No user can login even when I set pam_filter host=*, but if I comment out pam_filter it allows all ldap users to login via ssh.
>
> Here is a snapshot from /var/log/secure
> Dec 7 18:12:26 x15f12 sshd[19642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=shamika
> Dec 7 18:12:28 x15f12 sshd[19642]: Failed password for shamika from ::1 port 54884 ssh2
> Dec 7 18:12:29 x15f12 sshd[19643]: Connection closed by ::1
>
> Here is my /pam.d/sshd file
> #%PAM-1.0
> auth sufficient /lib/security/pam_unix.so likeauth nullok
> auth sufficient /lib/security/pam_ldap.so use_first_pass
> auth required /lib/security/pam_deny.so
>
> account required /lib/security/pam_unix.so
> account sufficient /lib/security/pam_ldap.so
>
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/pam_ldap.so use_authtok
> password required /lib/security/pam_deny.so
>
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
> session optional /lib/security/pam_ldap.so
>
> Thanks
> Shamika
>
> =============================================================================================
>
> 2009/12/4 Shamika Joshi>
>
> Hi all,
> I'm stuck in the same issue as Serge Fonville.
> I have created a new Auxiliary objectclass 'testobj' with a 'host' attribute & added it to the ou=Groups. Then created 2 entries under Groups as below & assigned members to those groups.
>
> dn: cn=qagroup,ou=Groups,dc=test,dc=com
> cn: qagroup
> gidNumber: 4
> objectClass: posixGroup
> objectClass: testobj
> host: x15f12.test.com
> memberUid: uid=ldap1,ou=Users,dc=test,dc=com
> memberUid: uid=ldap2,ou=Users,dc=test,dc=com
>
> dn: cn=admin,ou=Groups,dc=test,dc=com
> cn: admin
> gidNumber: 0
> objectClass: posixGroup
> objectClass: testobj
> host: x15ubuntu.test.com
> memberUid: uid=ldap3,ou=Users,dc=test,dc=com
> memberUid: uid=ldap4,ou=Users,dc=test,dc=com
>
> Now which parameter in ldap.conf or any other file on the host machine should I modify, and how, so that members of the qagroup or admin groups only get access to the host mentioned in their respective attributes??
>
> Thanks in advance
> Shamika
>
> 2009/12/3 Adam Hough>
>
> Or you can create your own Aux. object class that includes the host
> attribute; then you just have to modify the ldap.conf for the machine to
> restrict user authentication.
>
> - Adam
>
> On Thu, 2009-12-03 at 10:48 -0300, Jarbas Peixoto Júnior wrote:
>> If you are using ssh and pam, it can be done like this:
>>
>> # tail /etc/ssh/sshd_config
>>
>> # Allow client to pass locale environment variables
>> AcceptEnv LANG LC_*
>>
>> Subsystem sftp /usr/lib/openssh/sftp-server
>>
>> UsePAM yes
>>
>> # Restrict access to the local group 'suporte' and to LDAP groups
>> AllowGroups suporte "SSH UDSL"
>>
>> where "SSH UDSL" is a Group in LDAP, and "suporte" is a local group.
>>
>> 2009/12/3 Serge Fonville>:
>>> Hi,
>>>
>>> While setting up an LDAP server, I noticed that it is not possible to
>>> add a host attribute to a posixGroup.
>>>
>>> Is there a way to limit which host a user can log on to based on
>>> their group membership?
>>>
>>> Thanks in advance
>>>
>>> Regards,
>>>
>>> Serge Fonville
>>>
>>> --
>>> http://www.sergefonville.nl
>>>
>>> Convince Google!!
>>> They need to support Adsense over SSL
>>> https://www.google.com/adsense/support/bin/answer.py?hl=en&answer=10528
>>> http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923&hl=en
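Added example (editor's note, not code from the thread, pam_ldap or OpenLDAP): an offline Python model of the three mechanisms the thread discusses for restricting SSH logins by LDAP data, so the pass/fail behaviour of each can be reasoned about without a live directory. It assumes the documented pam_ldap semantics: pam_filter and pam_check_host_attr are evaluated against the user's own entry (a host attribute carried by a group entry does not satisfy either), pam_groupdn is an LDAP compare of pam_member_attribute (default uniqueMember) against the user's DN on the group entry, and sshd's AllowGroups matches the group names NSS returns, which for posixGroup come from gidNumber and from memberUid values that are bare login names. The directory snapshot is constructed and modelled on the entries quoted in the thread; uid=ldap1 is given a host attribute on the user entry to show the passing case, and cn=accessGroupServer1 is a hypothetical groupOfUniqueNames built from Joe's example DN.

```python
"""Offline model of the three ways the thread restricts SSH logins by LDAP data:
pam_ldap's pam_check_host_attr / pam_filter (both evaluated against the USER
entry), pam_groupdn (an LDAP compare against the GROUP entry) and sshd's
AllowGroups (evaluated against the group names NSS returns).  The directory
below is constructed sample data modelled on the thread, not a live LDAP query.
"""
from fnmatch import fnmatchcase

# Constructed snapshot: DN -> {attribute (lower-cased): [values]}.
DIRECTORY = {
    "uid=shamika,ou=Users,dc=test,dc=com": {
        "objectclass": ["posixAccount"], "uid": ["shamika"], "gidnumber": ["55"],
        # no host attribute: in the thread, host lives on the group, not the user
    },
    "uid=ldap1,ou=Users,dc=test,dc=com": {
        "objectclass": ["posixAccount", "account"], "uid": ["ldap1"], "gidnumber": ["4"],
        "host": ["x15f12.test.com"],  # host attribute on the USER entry (assumed)
    },
    "cn=qagroup,ou=Groups,dc=test,dc=com": {
        "objectclass": ["posixGroup", "testobj"], "cn": ["qagroup"], "gidnumber": ["4"],
        "host": ["x15f12.test.com"],
        # memberUid holds DNs, as in the thread's getent output; NSS wants login names
        "memberuid": ["uid=ldap1,ou=Users,dc=test,dc=com",
                      "uid=shamika,ou=Users,dc=test,dc=com"],
    },
    # hypothetical group for pam_groupdn, modelled on Joe's example DN
    "cn=accessGroupServer1,ou=host_ssh_access,dc=test,dc=com": {
        "objectclass": ["groupOfUniqueNames"], "cn": ["accessGroupServer1"],
        "uniquemember": ["uid=ldap1,ou=Users,dc=test,dc=com"],
    },
}


def attr(entry, name):
    """Values of an attribute, [] when absent (LDAP attribute names are case-insensitive)."""
    return entry.get(name.lower(), [])


def matches_filter(entry, ldap_filter):
    """Apply a single 'attr=value' filter the way pam_filter narrows the user
    lookup: 'attr=*' is a presence test, any other '*' is a substring wildcard."""
    name, _, pattern = ldap_filter.partition("=")
    values = attr(entry, name)
    if pattern == "*":
        return bool(values)
    return any(fnmatchcase(v.lower(), pattern.lower()) for v in values)


def check_host_attr(entry, hostname):
    """pam_check_host_attr yes: the USER entry must list this host or '*';
    a missing host attribute is a denial, not a pass."""
    return any(h == "*" or h.lower() == hostname.lower() for h in attr(entry, "host"))


def check_groupdn(directory, groupdn, user_dn, member_attribute="uniqueMember"):
    """pam_groupdn: LDAP compare of <member_attribute>=<user DN> on the group entry
    (pam_member_attribute selects the attribute; pam_ldap defaults to uniqueMember)."""
    group = directory.get(groupdn)
    if group is None:
        return False
    return user_dn.lower() in (v.lower() for v in attr(group, member_attribute))


def pam_ldap_authorize(directory, user_dn, hostname, pam_filter=None,
                       host_attr=False, groupdn=None):
    """Combine the pam_ldap checks: every configured check must pass, and all
    of them look at the user's own entry (or compare its DN against the group)."""
    user = directory.get(user_dn)
    if user is None or (pam_filter and not matches_filter(user, pam_filter)):
        return False
    if host_attr and not check_host_attr(user, hostname):
        return False
    return groupdn is None or check_groupdn(directory, groupdn, user_dn)


def nss_groups_for(directory, login):
    """Group names NSS would report: the posixGroup carrying the user's gidNumber
    plus every posixGroup whose memberUid lists the bare login name."""
    user = next((e for e in directory.values() if login in attr(e, "uid")), None)
    if user is None:
        return []
    names = set()
    for g in directory.values():
        if "posixgroup" not in (o.lower() for o in attr(g, "objectclass")):
            continue
        if attr(g, "gidnumber") == attr(user, "gidnumber") or login in attr(g, "memberuid"):
            names.update(attr(g, "cn"))
    return sorted(names)


def sshd_allow_groups(directory, login, allowed):
    """sshd AllowGroups: permit only if one of the user's NSS group names matches
    a listed pattern (group names, never DNs)."""
    return any(fnmatchcase(g, pat) for g in nss_groups_for(directory, login) for pat in allowed)
```

Run against the constructed data, uid=shamika fails `pam_filter host=*` and `pam_check_host_attr` because the host attribute sits on cn=qagroup rather than on the user entry, while uid=ldap1 passes both; the same memberUid-with-DN values that make `getent group` look populated contribute nothing to AllowGroups, since NSS matches memberUid against the login name, so only the gidNumber link puts ldap1 into qagroup. The `check_groupdn` call with `member_attribute="memberUid"` shows how pam_member_attribute changes which group attribute pam_groupdn compares against.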