Reply: Re: Restrict Access to Hosts
The only thing that was missing was the line "pam_filter objectclass=account" in
ldap.conf.
But it doesn't work with this either.
I think the problem is somewhat different. I _can_ restrict the access to
certain hosts, just by having "auth required pam_ldap.so" instead of
"auth sufficient pam_ldap.so" in /etc/pam.d/sshd.
But as I pointed out, then no "normal" user stored in /etc/passwd can log in...
with kind regards/with best regards
Thomas Emde
________________________
ScaleOn GmbH & Co. KG
Systems Engineering 1
Bldg. B151, Room 117
D-51368 Leverkusen
Phone +49 214/30-67603
Fax +49 214/30-24887
E-Mail thomas.emde@scaleon.de
Internet http://www.scaleon.de
To: thomas.emde@scaleon.de
Cc:
Subject: Re: Restrict Access to Hosts
From: Jan-Piet Mens <jpm@Retail-SC.com>
Received: 2002-04-22 09:31
I've got this in my /etc/ldap.conf:
pam_filter objectclass=account
pam_check_host_attr yes
and this in the LDIF for the user:
...
host: meine.kiste.scaleon.de
objectclass: ...
objectclass: account
...
this means the user can only log in via PAM from that host.
-JP
On Mon, 22 Apr 2002, thomas.emde@scaleon.de wrote:
> Hello,
>
> I manage linux users in an LDAP directory and want to restrict the access of
> certain users to certain hosts.
> I have setup /etc/pam.d/sshd on the host to which the user accesses as
> follows:
>
> #%PAM-1.0
> auth required /lib/security/pam_ldap.so
> auth required /lib/security/pam_unix.so # set_secrpc
> auth required /lib/security/pam_nologin.so
> auth required /lib/security/pam_env.so
> auth required /lib/security/pam_mail.so
> account sufficient /lib/security/pam_ldap.so
> account required /lib/security/pam_unix.so
> password required /lib/security/pam_pwcheck.so
> password required /lib/security/pam_unix.so use_first_pass use_authtok
> password sufficient /lib/security/pam_ldap.so
> session required /lib/security/pam_unix.so none # trace or debug
> session required /lib/security/pam_limits.so
>
> The access control part in my ldap server config file looks like this:
>
> defaultaccess none
> access to attr=userPassword
> by dn="cn=Admin,o=ScaleOn GmbH, c=D" write
> by self write
> by anonymous auth
> access to *
> by dn="cn=Admin,o=ScaleOn GmbH, c=D" write
> by self write
> by * read
>
> With this configuration the access restriction to hosts listed via a "host"
> attribute in the ldap entry of the user works fine.
> But, now it is not possible for a "normal" passwd-user to log into the
> machine.
> If I change the "auth required" for pam_ldap.so
> into an "auth sufficient", then both types of users can log in, but the "host"
> attribute is ignored, probably due to the "anonymous auth"
> access directive in the ldap config. If I change this to "users auth", then
> nobody can login, probably because the user name is somehow not
> passed from sshd/pam to the ldap checking mechanism...
>
> Any help would be greatly appreciated.
>
> with kind regards/with best regards
> Thomas Emde
> ________________________
> ScaleOn GmbH & Co. KG
> Systems Engineering 1
> Bldg. B151, Room 117
> D-51368 Leverkusen
> Phone +49 214/30-67603
> Fax +49 214/30-24887
> E-Mail thomas.emde@scaleon.de
> Internet http://www.scaleon.de
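An added illustration, not code from either poster: a small Python model of the Linux-PAM control flags (required, requisite, sufficient, optional) run over the sshd "auth" stack quoted in the thread, with constructed per-scenario module results. It shows the two behaviours the thread describes, namely that "auth required pam_ldap.so" denies any user who has no LDAP entry, and that turning the line into "auth sufficient" makes pam_ldap's host check non-binding as soon as a later module (here pam_unix) vouches for the same user. The module results are assumptions: in particular pam_unix is assumed to succeed for the LDAP user, which is the only way the all-"required" stack can admit LDAP users from permitted hosts as the thread reports. Nothing here contacts an LDAP server or a real PAM library.

```python
"""Linux-PAM control-flag semantics applied to the sshd auth stack from the
thread. Module outcomes are constructed per scenario; no LDAP or PAM calls."""


def run_stack(stack, outcomes):
    """Evaluate one PAM management group (here the 'auth' group).

    stack:    list of (control, module) pairs in /etc/pam.d file order
    outcomes: dict module -> bool, True meaning the module returned PAM_SUCCESS
    Returns True when the stack grants access, False when it denies.
    """
    verdict = None  # None = no decisive module has spoken yet
    for control, module in stack:
        ok = outcomes.get(module, False)  # unknown module: treated as failing
        if control == "required":
            # A failure is remembered but the stack keeps running, so the
            # caller cannot tell which module rejected the login.
            if not ok:
                verdict = False
            elif verdict is None:
                verdict = True
        elif control == "requisite":
            # Like required, but a failure ends the stack immediately.
            if not ok:
                return False
            if verdict is None:
                verdict = True
        elif control == "sufficient":
            # Success ends the stack early unless a required module already
            # failed. A failure here does not count against the user at all.
            if ok and verdict is not False:
                return True
        elif control == "optional":
            # Only decisive when no other module contributes a verdict.
            if ok and verdict is None:
                verdict = True
        else:
            raise ValueError(f"unknown control flag: {control}")
    # No module granted access (e.g. every 'sufficient' module failed): deny.
    return verdict is True


# Auth stack exactly as posted in the thread (module paths shortened to names).
AUTH_LDAP_REQUIRED = [
    ("required", "pam_ldap"),
    ("required", "pam_unix"),
    ("required", "pam_nologin"),
    ("required", "pam_env"),
    ("required", "pam_mail"),
]
# The variant tried in the thread: only the pam_ldap line becomes 'sufficient'.
AUTH_LDAP_SUFFICIENT = [("sufficient", "pam_ldap")] + AUTH_LDAP_REQUIRED[1:]

# Constructed: the housekeeping modules succeed in every scenario.
HOUSEKEEPING = {"pam_nologin": True, "pam_env": True, "pam_mail": True}

# Constructed per-user results. pam_ldap fails for the local user (no LDAP
# entry) and for the LDAP user whose 'host' attribute does not match
# (pam_check_host_attr). pam_unix is assumed to succeed for the LDAP user too.
SCENARIOS = {
    "local user in /etc/passwd":     {"pam_ldap": False, "pam_unix": True},
    "ldap user, host attr matches":  {"pam_ldap": True,  "pam_unix": True},
    "ldap user, host attr mismatch": {"pam_ldap": False, "pam_unix": True},
}


def evaluate(stack):
    """Return {scenario name: access granted?} for the given auth stack."""
    return {name: run_stack(stack, {**HOUSEKEEPING, **results})
            for name, results in SCENARIOS.items()}


if __name__ == "__main__":
    for label, stack in (("pam_ldap required", AUTH_LDAP_REQUIRED),
                         ("pam_ldap sufficient", AUTH_LDAP_SUFFICIENT)):
        print(f"--- auth stack with {label} ---")
        for scenario, granted in evaluate(stack).items():
            print(f"{scenario:31s} {'ALLOW' if granted else 'DENY'}")
```

Run as a script it prints the six verdicts: with "required" the local user is denied and the host restriction holds; with "sufficient" all three scenarios are allowed, because pam_ldap's failure is discarded and pam_unix grants the login anyway. The general lesson for any PAM stack is that a restriction enforced inside one module is only binding if that module is "required" or "requisite" for every user it is meant to cover, or if no later module can independently authenticate the same user.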