Problem with ldap/pam/ssh, pam_groudn attribute doesn't seem to work.

[Jean-Yves Migeon]

Hi all :) Currently migrating an old debian system (NIS, samba2 and a couple of other services), to a new machine mainly configured around LDAP, I needed some sort of access restriction, mainly to deny access to particular group of users on certain clients/servers. So, I created defined groups of users (like admins, printer-admins, and so on) in ldap, and decided to restrict their access using the pam_groupdn attribute in /etc/pam_ldap.conf file. However, it doesn't seem to work as intended. Authentication works, a "getent passwd" correctly adds users to the lists (using NSS), but for services like ssh, or login via terminal, even users that do not belong to the group defined by pam_groupdn attribute are still able to login. Here are the config files I'm working with. /etc/pam.d/ssh auth            required        /lib/security/pam_unix.so shadow nullok auth            sufficient      /lib/security/pam_ldap.so try_first_pass account         required        /lib/security/pam_unix.so account         sufficient      /lib/security/pam_ldap.so password        required        /lib/security/pam_unix.so nullok use_authtok shadow password        sufficient      /lib/security/pam_ldap.so session         required        /lib/security/pam_unix.so /etc/pam.d/pam_ldap.conf host    127.0.0.1 base    dc=bde,dc=espci,dc=fr ldap_version    3 scope   sub timelimit       30 pam_filter              objectClass=posixAccount pam_login_attribute     uid pam_password            crypt pam_groupdn             cn=mathilda,ou=linux,dc=bde,dc=espci,dc=fr pam_member_attribute    member nss_base_passwd         ou=promos,dc=bde,dc=espci,dc=fr?sub nss_base_shadow         ou=promos,dc=bde,dc=espci,dc=fr?sub nss_base_group          ou=groups,dc=bde,dc=espci,dc=fr?sub /etc/ssh/sshd_config Port 22 Protocol 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key UsePrivilegeSeparation yes KeyRegenerationInterval 3600 ServerKeyBits 768 SyslogFacility AUTH LogLevel INFO LoginGraceTime 600 PermitRootLogin yes StrictModes yes RSAAuthentication yes PubkeyAuthentication yes IgnoreRhosts yes RhostsRSAAuthentication no HostbasedAuthentication no PermitEmptyPasswords no PasswordAuthentication no X11Forwarding no X11DisplayOffset 10 PrintMotd no PrintLastLog yes KeepAlive yes Subsystem       sftp    /usr/lib/sftp-server UsePAM yes Nevertheless, when logging in, I still get a warning message indicating that the pam_groupdn attribute does work: bash-3.00$ ssh [EMAIL PROTECTED] Password: You must be a member of cn=mathilda,ou=linux,dc=bde,dc=espci,dc=fr to login. Last login: Thu Aug  4 18:10:07 2005 from localhost.localdomain I have no [EMAIL PROTECTED] 18:32:46:~$ As you can see, even when not belonging to the group, I still get access to the server. After testing multiple scenarios and options, I ended up with this line, where the pam_unix module seems to grant access to user, even when he's not in pam_groupdn group. Quoting it, or turning the control flag to sufficient, completely blocks authentification via ssh, for ldap users as for system users, like root. account         required        /lib/security/pam_unix.so That's all I noticed so far. I couldn't tell if the problem was coming from the pam_ldap or pam_unix libraries, or, more simple, a misconfiguration from me ^^ I know I could use some other user access restriction modules (like pam_wheel), but the pam_groupdn was really THE solution for my case. Having this configured directly into ldap, and using aliases for ipHost <> hostname, I could handle all the restriction directly from pam_ldap.conf, and do not necessarily need to edit all the pam.d/* files. Some googling brings up this problem elsewhere too: http://lists.debian.org/debian-user-french/2003/11/msg01094.html (2003, but seems to be the same problem as me) http://lists.freebsd.org/pipermail/freebsd-questions/2004-October/061443.html Right now, I'm stuck with it. If anybody notices some errors in my conf files, or got this to work properly, I'd be glad to know how they did. Thanking you in advance for any help you may bring :-) , Jean-Yves Migeon.