[Date Prev][Date Next] [Chronological] [Thread] [Top]

problem with group membership enforcement


Wasn't sure where to post this (here or the pam list) - sorry if I
picked the wrong one, but I always have more success here :)

I'm in a testing environment running OpenLDAP 2.1 on Redhat 9, and I
have some Redhat 9 clients I'm testing with, but I've built my own
pam_ldap and nss_ldap from scratch, from the latest sources on padl's

My problem is this:

My /etc/ldap.conf file is configured to enforce membership of a group in
order to login. If I ssh to the machine as someone in the group, no
problem, I get in. However, today while I was testing this, I tried to
ssh to the box as someone NOT in the group and got this:

<+++++++ snip +++++++++>
[ajonesy@newhotness ajonesy]$ ssh ajonesy@fishhead
ajonesy@fishhead's password:
Warning: No xauth data; using fake authentication data for X11
You must be a memberUid of cn=staff,ou=Group,dc=cs,dc=princeton,dc=edu
to login.
[ajonesy@fishhead ajonesy]$ pwd
[ajonesy@fishhead ajonesy]$
<++++++++++++++ /SNIP++++>

Why was I allowed to log in? This is baffling. 
Oddly, if I try to 'su' to the same account, as root on that box, it
fails, giving me that same warning ('you must be a memberUid of...') and
returns me my root shell. 

As root, I can 'su' to someone who is in the proper group, but that user
can't su to the non-group account either. So 'su' seems to do the right
thing, but 'ssh' lets me in regardless of my group membership (though
it's nice enough to provide a warning). 

Anyone seen this before?  Here's my /etc/pam.d/sshd file:

auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required   /lib/security/pam_unix.so shadow nullok

account         sufficient      /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix.so

password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_unix.so shadow md5 nullok

session    required     /lib/security/pam_unix.so

Thanks for any input here.