
Re: Restricting client access using pam_groupdn with dynamic groups : Was[Re: restrict host login based on group]

Shamika Joshi wrote:
Hi Adam,
sorry, because of workload it took me a while to revisit my configuration and verify
the things you mentioned. As far as I could understand, things look quite in place.
I have pasted my configuration, mapping exactly to yours. Could you kindly take a
look at it for me please?


This is not the way to list the contents of the config DB. cn=config is a slapd database, use slapcat or ldapsearch to dump its contents.

	slapcat -n0

Use the documented tools. You cannot rely on the slapd internal file formats remaining in any particular shape or form.

# ls -lR



admins@x6:/etc/ldap$ sudo ls -ltr /etc/ldap/slapd.d/cn\=config/cn=schema
total 60
-rw-r----- 1 openldap openldap 15474 2010-04-01 00:30 cn={0}core.ldif
-rw------- 1 openldap openldap 11316 2010-04-01 00:30 cn={1}cosine.ldif
-rw------- 1 openldap openldap  2810 2010-04-01 00:31 cn={2}inetorgperson.ldif
-rw------- 1 openldap openldap  6446 2010-04-01 00:31 cn={3}nis.ldif
-rw------- 1 openldap openldap 12510 2010-04-13 22:59 cn={4}samba.ldif
-rw------- 1 openldap openldap   468 2010-04-15 04:07 cn={5}hostobj.ldi

./cn=config/olcDatabase={0}config <=== I probably messed this up while trying
multimaster replication, but didn't know how to delete these, so I left them
there thinking they would not harm my dynlist config anyway. Please correct me if
I'm wrong.

    sudo ls /etc/ldap/slapd.d//cn=config/olcDatabase={0}config
    olcOverlay={0}syncprov.ldif   olcOverlay={5}syncprov.ldif
    olcOverlay={10}syncprov.ldif  olcOverlay={6}syncprov.ldif
    olcOverlay={1}syncprov.ldif   olcOverlay={7}syncprov.ldif
    olcOverlay={2}syncprov.ldif   olcOverlay={8}syncprov.ldif
    olcOverlay={3}syncprov.ldif   olcOverlay={9}syncprov.ldif

    admins@x6:/etc/ldap$ sudo ls /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb

    admins@x6:/etc/ldap$ sudo cat /etc/ldap/slapd.d/cn\=config.ldif
    dn: cn=config
    objectClass: olcGlobal
    cn: config
    olcArgsFile: /var/run/slapd/slapd.args
    olcLogLevel: none
    olcPidFile: /var/run/slapd/slapd.pid
    olcToolThreads: 1
    structuralObjectClass: olcGlobal
    entryUUID: 342d7130-d1ac-102e-9cd4-e742ad24bbaf
    creatorsName: cn=config
    createTimestamp: 20100401073034Z
    olcServerID: 1 ldap://x6.testlab.com
    olcServerID: 2 ldap://x6slave.testlab.com
    entryCSN: 20100415071243.393226Z#000000#000#000000
    modifiersName: cn=admin,cn=config
    modifyTimestamp: 20100415071243Z
    contextCSN: 20100415110741.696825Z#000000#000#000000

    # cat cn\=config/cn\=module\{0\}.ldif
    dn: cn=module{0}

    admins@x6:/etc/ldap$ sudo cat /etc/ldap/slapd.d/cn\=config/cn\=module\{0\}.ldif
    dn: cn=module{0}
    objectClass: olcModuleList
    cn: module{0}
    olcModulePath: /usr/lib/ldap
    olcModuleLoad: {0}back_hdb
    olcModuleLoad: {1}dynlist.la
    olcModuleLoad: {2}syncprov
    structuralObjectClass: olcModuleList
    entryUUID: d01365fa-d1ac-102e-845b-c590dd936017
    creatorsName: cn=localroot,cn=config
    createTimestamp: 20100401073455Z
    entryCSN: 20100414110801.212307Z#000000#000#000000
    modifiersName: cn=admin,cn=config
    modifyTimestamp: 20100414110801Z

    admins@x6:/etc/ldap$ sudo cat
    dn: olcOverlay={0}dynlist
    objectClass: olcOverlayConfig
    objectClass: olcDynamicList
    olcOverlay: {0}dynlist
    olcDlAttrSet: {0}groupOfNames labeledURI member
    structuralObjectClass: olcDynamicList
    entryUUID: 4a9d0a38-d5b3-102e-8fe9-d7eabe4068a1
    creatorsName: cn=admin,cn=config
    createTimestamp: 20100406103123Z
    entryCSN: 20100406103123.135808Z#000000#000#000000
    modifiersName: cn=admin,cn=config
    modifyTimestamp: 20100406103123Z

My ldap.conf is there in the first thread. Do you see any issues that I need
to take care of? Anything you think I could be missing here?


On Mon, Jun 7, 2010 at 3:38 PM, Shamika Joshi <shamika.joshi@gmail.com> wrote:

    Thanks for the reply and details, Adam.
    I shall try matching my config to this and get back to you.

    thanks a ton

    On Sat, Jun 5, 2010 at 10:22 AM, Adam Hough <adam@gradientzero.com> wrote:

        My guess is that your config on the server is not right.  So it looks
        like you are using the slapd.d which is what I am using as well.  (I
        need to upload some updated rpms I think to gradientzero as well).

        I used this site to help me get my configuration working

        So my directory structure looks like:

        NOTE: While you can edit these files through the filesystem I highly
        recommend that you edit the files through ldap commands.  I use Apache
        Directory Studio as my GUI type front end and use ldapvi when I just
        want to make changes to values already in the ldap server, and then to
        make major changes I use ldapmodify to make them.

        # ls -lR
        total 8
        drwxr-x--- 5 ldap ldap 4096 May 26 16:48 cn=config
        -rw------- 1 ldap ldap 1312 May 26 17:10 cn=config.ldif

        total 100
        -rw------- 1 ldap ldap   575 Sep  1  2009 cn=module{0}.ldif
        drwxr-x--- 2 ldap ldap  4096 Mar  4 12:42 cn=schema
        -rw------- 1 ldap ldap 61687 Sep  1  2009 cn=schema.ldif
        drwxr-x--- 2 ldap ldap  4096 Sep  2  2009 olcDatabase={0}config
        -rw------- 1 ldap ldap  2067 Nov 12  2009 olcDatabase={0}config.ldif
        drwxr-x--- 2 ldap ldap  4096 Mar  4 11:36 olcDatabase={1}bdb
        -rw------- 1 ldap ldap  4093 May 26 16:48 olcDatabase={1}bdb.ldif
        -rw------- 1 ldap ldap  2041 May 21 13:31 olcDatabase={-1}frontend.ldif
        -rw------- 1 ldap ldap   522 Sep  1  2009 olcDatabase={2}monitor.ldif

        ...<SCHEMAS in this directory deleted to make this shorter>.

        total 4
        -rw------- 1 ldap ldap 385 Sep  1  2009 olcOverlay={0}syncprov.ldif

        total 24
        -rw------- 1 ldap ldap 385 Sep  1  2009 olcOverlay={0}syncprov.ldif
        -rw------- 1 ldap ldap 474 Sep  2  2009 olcOverlay={1}ppolicy.ldif
        -rw------- 1 ldap ldap 397 Sep  3  2009 olcOverlay={2}memberof.ldif
        -rw------- 1 ldap ldap 494 Sep  2  2009 olcOverlay={3}refint.ldif
        -rw------- 1 ldap ldap 425 Sep  9  2009 olcOverlay={4}dynlist.ldif
        -rw------- 1 ldap ldap 530 Mar  4 11:36 olcOverlay={5}unique.ldif

        Now for some listing of my ldifs that you think you are needing to see.

        # cat cn\=config.ldif
        dn: cn=config
        objectClass: olcGlobal
        cn: config
        olcConfigDir: /etc/openldap/slapd.d
        olcAttributeOptions: lang-
        olcAuthzPolicy: none
        olcConnMaxPending: 100
        olcConnMaxPendingAuth: 1000
        olcGentleHUP: FALSE
        olcIdleTimeout: 0
        olcIndexSubstrIfMaxLen: 4
        olcIndexSubstrIfMinLen: 2
        olcIndexSubstrAnyLen: 4
        olcIndexSubstrAnyStep: 2
        olcIndexIntLen: 4
        olcLocalSSF: 71
        olcReadOnly: FALSE
        olcReverseLookup: FALSE
        olcSaslSecProps: noplain,noanonymous
        olcSockbufMaxIncoming: 262143
        olcSockbufMaxIncomingAuth: 16777215
        olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
        olcTLSVerifyClient: never
        structuralObjectClass: olcGlobal
        olcTLSCACertificateFile: /etc/pki/certmaster/ca.cert
        entryUUID: e686e389-d0eb-4987-a240-fee46028c0a6
        creatorsName: cn=config
        createTimestamp: 20090901234827Z
        olcTLSCRLCheck: none
        olcTLSCertificateFile: /etc/openldap/cacerts/server.cert
        olcTLSCertificateKeyFile: /etc/openldap/cacerts/key.pem
        olcServerID: 2 ldaps://2
        olcServerID: 1 ldaps://1
        olcServerID: 3 ldaps://3
        olcPidFile: /var/run/openldap/slapd.pid
        olcToolThreads: 1
        olcThreads: 16

        # cat cn\=config/cn\=module\{0\}.ldif
        dn: cn=module{0}

        objectClass: olcModuleList
        cn: module{0}
        olcModulePath: /usr/lib64/openldap
        olcModuleLoad: {0}dynlist.la
        olcModuleLoad: {1}pcache.la
        olcModuleLoad: {2}ppolicy.la
        olcModuleLoad: {3}refint.la
        olcModuleLoad: {4}retcode.la
        olcModuleLoad: {5}syncprov.la
        olcModuleLoad: {6}unique.la
        olcModuleLoad: {7}memberof.la
        structuralObjectClass: olcModuleList

        # cat cn\=config/olcDatabase\=\{1\}bdb/olcOverlay\=\{4\}dynlist.ldif
        dn: olcOverlay={4}dynlist
        objectClass: olcOverlayConfig
        objectClass: olcDynamicList
        olcOverlay: {4}dynlist
        structuralObjectClass: olcDynamicList

        I think these should help you find where you have gone wrong with the
        configuration of the slapd configuration.

        So in my actual directory I have an ou=Systems,dc=domain,dc=ZZZ

        cn: sysadmin

        objectClass: top
        objectClass: groupOfNames
        objectClass: labeledURIObject
        member: uid=nobody,ou=People,dc=domain,dc=ZZZ
        labeledURI: ldap:///ou=People,dc=domain,dc=ZZZ??one?(host=sysadmin)

        The nobody user is a fake user that is in all my groups; the user
        cannot login. The labeledURI says that if a user has host=sysadmin they
        should be in this group.

        pam_groupdn cn=sysadmin,ou=Systems,dc=domain,dc=ZZZ
        pam_member_attribute member

        Also note that I hacked my schema to allow the host attribute in the
        PosixAccount users.

        On Wed, Jun 2, 2010 at 7:06 AM, Shamika Joshi <shamika.joshi@gmail.com> wrote:

            I've followed Adam's post below on 'using pam_groupdn to use
            dynlist' in reply to my query posted a couple of months back, and after
            revisiting this configuration I am facing an issue with doing ssh to a
            client machine as a dynamic member of the group. It works
            correctly for the static members of the same group. Could you
            figure out if I'm missing something here?

            Currently using Ubuntu 9.10 which uses slapd.d configuration

            dn: cn=module{0},cn=config
            objectClass: olcModuleList
            cn: module{0}
            olcModulePath: /usr/lib/ldap
            olcModuleLoad: {0}back_hdb
            olcModuleLoad: {1}dynlist.la
            olcModuleLoad: {2}syncprov
            dn: olcDatabase={1}hdb,cn=config
            objectClass: olcDatabaseConfig
            objectClass: olcHdbConfig
            olcDatabase: {1}hdb
            olcDbDirectory: /var/lib/ldap
            olcSuffix: dc=testlab,dc=com
            olcAccess: {0}to attrs=userPassword,shadowLastChange by
              b,dc=com" write by anonymous auth by self write by * none
            olcAccess: {1}to dn.base="" by * read
            olcAccess: {2}to * by dn="cn=admin,dc=testlab,dc=com" write by * read
            olcLastMod: TRUE
            olcRootDN: cn=admin,dc=testlab,dc=com
            olcRootPW: 1234
            olcDbCheckpoint: 512 30
            olcDbConfig: {0}set_cachesize 0 2097152 0
            olcDbConfig: {1}set_lk_max_objects 1500
            olcDbConfig: {2}set_lk_max_locks 1500
            olcDbConfig: {3}set_lk_max_lockers 1500
            olcDbIndex: uid pres,eq
            olcDbIndex: cn,sn,mail pres,eq,approx,sub
            olcDbIndex: objectClass eq

            dn: olcOverlay={0}dynlist,olcDatabase={1}hdb,cn=config
            objectClass: olcOverlayConfig
            objectClass: olcDynamicList
            olcOverlay: {0}dynlist
            olcDlAttrSet: {0}groupOfNames labeledURI member

            ldap.conf on the client machine contains
            # Group to enforce membership of
            pam_groupdn cn=u910desk,ou=Machines,dc=testlab,dc=com

            # Group member attribute
            pam_member_attribute member

            I have added the following group
            dn: cn=u910desk,ou=Machines,dc=testlab,dc=com
            cn: u910desk
            objectClass: top
            objectClass: groupOfNames
            objectClass: labeledURIObject
            objectClass: ipHost
            member: cn=placeholder,dc=testlab,dc=com
            member: uid=henry,ou=Users,dc=testlab,dc=com

            Also a user with a host=cms3 entry, which should become a dynamic
            member of 'u910desk' after resolving the labeledURI above

            dn: uid=jack,ou=Users,dc=testlab,dc=com
            cn: jack
            sn: jack
            givenName: jack
            uid: jack
            uidNumber: 1002
            gidNumber: 513
            homeDirectory: /home/jack
            loginShell: /bin/bash
            gecos: System User
            host: cms3
            objectClass: top
            objectClass: person
            objectClass: organizationalPerson
            objectClass: inetOrgPerson
            objectClass: posixAccount
            objectClass: shadowAccount
            objectClass: hostobj
            shadowMax: 45

            However when I run a search for the members of group 'u910desk' it
            returns the following; the member list does not contain the entry of user
            'jack' here

            $ ldapsearch -xLLL -b 'cn=u910desk,ou=Machines,dc=testlab,dc=com'
            dn: cn=u910desk,ou=Machines,dc=testlab,dc=com
            member: cn=placeholder,dc=testlab,dc=com
            member: uid=henry,ou=Users,dc=testlab,dc=com

            For the same reason (not sure though) I think I'm not able to ssh to this
            client using 'jack'; however ssh using 'henry' works, it being a
            static member of 'u910desk'.

            admins@u910desk:~$ ssh jack@localhost
            jack@localhost's password:
            You must be a member of cn=u910desk,ou=Machines,dc=testlab,dc=com
            to login.
            Connection closed by ::1
            admins@u910desk:~$ ssh henry@localhost
            henry@localhost's password:
            Linux u910desk 2.6.31-17-generic #54-Ubuntu SMP Thu Dec 10
            17:01:44 UTC 2009 x86_64

            To access official Ubuntu documentation, please visit:

            164 packages can be updated.
            90 updates are security updates.

            Last login: Wed Jun  2 17:10:19 2010 from localhost

            Any help in this matter will be highly appreciated.

            Thanks in advance

            On Sat, Dec 12, 2009 at 4:53 AM, Adam Hough <adam@gradientzero.com> wrote:

                I am guessing you are either using RHEL5, CentOS5 or some
                other RHEL5 based distro.  I replaced the openldap that was on
                my centos5 machines with a newer version at 2.4.16+patches.

                I have uploaded the rpms and srpms of what I used, which you
                can use as a drop-in replacement for the RHEL5 based openldap rpms.

                I do not remember for sure but I think I had to force one or 2
                of the packages to get it to install, but once everything is
                installed then it ran fine for me.  I have 3 ldap servers
                using this version set up in a multi-master setup.

                Since I am doing a multi-master setup, I do not use slapd.conf
                but rather the slapd.d configuration directory, though the
                dynlist overlay should work with slapd.conf as well.

                - Adam

                    On Fri, Dec 11, 2009 at 4:18 AM, Adam Hough
                    <adam@gradientzero.com> wrote:

                        There are other ways to populate the pam_groupdn that
                        you have associated with each machine but those all
                        correspond to some attribute in the user's profile.

                        I have pam_groupdn setup like this

                        pam_groupdn cn=<GROUP_NAME>,ou=Systems,dc=domain,dc=com
                        pam_member_attribute member

                        cn: <GROUP_NAME>
                        objectClass: top
                        objectClass: groupOfNames
                        objectClass: labeledURIObject
                        member: uid=nobody,ou=People, dc=domain,dc=com
                        ldap:///ou=People,dc=domain,dc=com??one?(host=<type of

                        So as you can see you can have as many labeledURI
                        attributes as you want or need.  I tend to use the
                        host name as a function of what the host does.

                        This is how my account profile would look:
                        host: "cluster"
                        host: sysadmin

                        So "cluster" is a compute cluster that we have and
                        thus for all those machines the pam_groupdn
                        cn="cluster",ou=Systems,dc=domain,dc=com, and for
                        machines where only the sysadmins login to then
                        pam_groupdn cn=sysadmin,ou=Systems,dc=domain,dc=com.

                        As long as you can form a labeledURI:
                        type search you can use it to auto populate the group.

                        * Do not think of the host attribute as host =
                        hostname but as host = type of machine, and note that you
                        can have more than one labeledURI per group to help
                        populate the group.
                        * Use good gidNumbers for groups to help auto populate
                        groupOfNames style groups.

                        - Adam

                        On Wed, Dec 9, 2009 at 4:01 AM, Shamika Joshi
                        <shamika.joshi@gmail.com> wrote:

                            Hi Adam,
                            I'm able to get host auth working by using the host
                            attribute. But the drawback of that is every time
                            there is a new machine, I have to add that host to
                            all the users I want to grant access to. If I
                            decide to do it based on group membership, I can
                            use pam_groupdn, but then it does not allow
                            multiple group entries there, plus it has to be
                            managed on the client side, which is even more
                            undesirable for any administrator.

                            I went through this article but I'm not sure if it
                            will work if I have some members already
                            associated with some groups. Like ldap1 & ldap2
                            members of qagroup and ldap3 & ldap4 members of
                            sysadmin; would this method allow me to limit
                            access based on their group membership? If
                            yes, could you briefly explain with an example?

                            Thanks for your time in advance

                            On Wed, Dec 9, 2009 at 9:04 AM, Adam Hough
                            <adam@gradientzero.com> wrote:

                                Here is the write up that I read to figure
                                out how to set up auto-restricting users to
                                certain hosts.


  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
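The thread turns on what the dynlist overlay should do with the group above: with `olcDlAttrSet: groupOfNames labeledURI member`, every labeledURI on a groupOfNames entry is evaluated as an LDAP search and the matching DNs are presented as extra `member` values, so a search that returns only the static members (as in the ldapsearch output quoted above) means the overlay is not expanding the URI. The following is an added simulator of that expansion, not OpenLDAP code; the directory contents are constructed from the entries in the thread, and it supports only the `ldap:///dn?attrs?scope?filter` form with a single equality or presence filter.

```python
import re
from urllib.parse import unquote

# Constructed sample directory modelled on the thread (not a live server).
DIRECTORY = {
    "cn=u910desk,ou=Machines,dc=testlab,dc=com": {
        "objectClass": ["top", "groupOfNames", "labeledURIObject"],
        "member": ["cn=placeholder,dc=testlab,dc=com",
                   "uid=henry,ou=Users,dc=testlab,dc=com"],
        "labeledURI": ["ldap:///ou=Users,dc=testlab,dc=com??one?(host=cms3)"]},
    "uid=jack,ou=Users,dc=testlab,dc=com": {"host": ["cms3"]},
    "uid=henry,ou=Users,dc=testlab,dc=com": {"host": ["other"]},
    # One level deeper than the URI base: scope "one" must not pick it up.
    "uid=deep,cn=sub,ou=Users,dc=testlab,dc=com": {"host": ["cms3"]},
}

def norm_dn(dn):
    """Normalise a DN for comparison: lowercase, no blanks after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldap_url(url):
    """Split ldap://[host]/dn[?attrs[?scope[?filter]]] (RFC 4516 subset)."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an ldap:// URL: " + url)
    _host, _, rest = url[len("ldap://"):].partition("/")
    parts = [unquote(p) for p in rest.split("?")] + ["", "", "", ""]
    dn, attrs, scope, flt = parts[:4]
    return {"base": norm_dn(dn), "attrs": attrs.split(",") if attrs else [],
            "scope": scope or "base", "filter": flt or "(objectClass=*)"}

def in_scope(dn, base, scope):
    """Apply the URI scope: base = the entry itself, one = direct children, sub = subtree."""
    dn = norm_dn(dn)
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    raise ValueError("unknown scope " + scope)

FILTER_RE = re.compile(r"^\((\w+)=([^)]*)\)$")

def matches(entry, flt):
    """Evaluate a single (attr=value) or (attr=*) filter, case-insensitively."""
    m = FILTER_RE.match(flt)
    if not m:
        raise ValueError("unsupported filter " + flt)
    attr, value = m.group(1).lower(), m.group(2)
    vals = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return bool(vals) if value == "*" else value.lower() in vals

def expand_group(directory, group_dn):
    """Return member values as dynlist would present them: static ones, then URI hits."""
    group = directory[group_dn]
    members = list(group.get("member", []))
    for uri in group.get("labeledURI", []):
        spec = parse_ldap_url(uri)
        for dn, entry in directory.items():
            if (in_scope(dn, spec["base"], spec["scope"])
                    and matches(entry, spec["filter"]) and dn not in members):
                members.append(dn)
    return members
```

With the overlay active, `expand_group` yields jack alongside the two static members, which is what pam_groupdn needs to see in `member`; a real server that returns only the static members has not loaded or attached the overlay, which is exactly what `slapcat -n0` will show.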