[Date Prev][Date Next] [Chronological] [Thread] [Top]

pam_groupdn login restriction

I'm currently trying to get group based login working with little success using pam_groupdn on CentOS. Currently, any existing LDAP user is allowed to login to the system, but it does throw the error: "You must be a member of cn=login,ou=Group,dc=mydomain,dc=com to login." I would like to deny logins for any ldap users unless they exist in the specified group (in this case, cn=login,ou=Group,dc=mydomain,dc=com). Can anyone tell me what I'm doing wrong or point me toward some documentation?

uri ldaps://ldap.mydomain.com
base dc=mydomain,dc=com
binddn cn=user,ou=People,dc=mydomain,dc=com
bindpw password
bind_policy soft
pam_password md5
pam_login_attribute userID
pam_groupdn cn=login,ou=Groups,dc=mydomain,dc=com
pam_member_attribute member
pam_lookup_policy yes
tls_checkpeer no
ssl on

LDAP login group:
dn: cn=login,ou=Group,dc=mydomain,dc=com
objectClass: top
objectClass: posixGroup
cn: login
description: login group
gidNumber: 100
memberUid: user1
memberUid: user2