[Date Prev][Date Next] [Chronological] [Thread] [Top]

problem with group membership enforcement

To: ldap list <openldap-software@OpenLDAP.org>
Subject: problem with group membership enforcement
From: "Brian K. Jones" <jonesy@CS.Princeton.EDU>
Date: Thu, 16 Oct 2003 15:55:18 -0400
Cc: jonesy@CS.Princeton.EDU
Organization: Princeton University, Dept. of Computer Science

Hi, 

Wasn't sure where to post this (here or the pam list) - sorry if I
picked the wrong one, but I always have more success here :)

I'm in a testing environment running OpenLDAP 2.1 on Redhat 9, and I
have some Redhat 9 clients I'm testing with, but I've built my own
pam_ldap and nss_ldap from scratch, from the latest sources on padl's
site. 

My problem is this:

My /etc/ldap.conf file is configured to enforce membership of a group in
order to login. If I ssh to the machine as someone in the group, no
problem, I get in. However, today while I was testing this, I tried to
ssh to the box as someone NOT in the group and got this:

<+++++++ snip +++++++++>
[ajonesy@newhotness ajonesy]$ ssh ajonesy@fishhead
ajonesy@fishhead's password:
Warning: No xauth data; using fake authentication data for X11
forwarding.
You must be a memberUid of cn=staff,ou=Group,dc=cs,dc=princeton,dc=edu
to login.
[ajonesy@fishhead ajonesy]$ pwd
/u/ajonesy
[ajonesy@fishhead ajonesy]$
<++++++++++++++ /SNIP++++>

Why was I allowed to log in? This is baffling. 
Oddly, if I try to 'su' to the same account, as root on that box, it
fails, giving me that same warning ('you must be a memberUid of...') and
returns me my root shell. 

As root, I can 'su' to someone who is in the proper group, but that user
can't su to the non-group account either. So 'su' seems to do the right
thing, but 'ssh' lets me in regardless of my group membership (though
it's nice enough to provide a warning). 

Anyone seen this before?  Here's my /etc/pam.d/sshd file:

auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required   /lib/security/pam_unix.so shadow nullok
use_first_pass

account         sufficient      /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix.so

password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_unix.so shadow md5 nullok
use_authtok

session    required     /lib/security/pam_unix.so

Thanks for any input here. 
brian.

Follow-Ups:
- Re: problem with group membership enforcement
  - From: John Ziniti <jziniti@speakeasy.org>

Prev by Date: slapindex utility and selective indexing
Next by Date: Re: problem with group membership enforcement
Index(es):
- Chronological
- Thread