Hi Sean!
On Fri, 12 Feb 2010, Sean Carolan wrote:
> > I have UsePAM turned on, and getent group shows me in the "operations"
> > group. I wonder why sshd is not seeing that I'm in the operations
> > group?
>
> Ok, never mind. On this particular server there was one entry in
> /etc/group with m
> If you're going to start mixing local and LDAP stuff that way, you're
> going to run into some fun-to-debug strangeness if you're not careful
> about them all being identical.
Thanks again for your help, I have this working now. I had a comma in
my AllowGroups line instead of a space.
We're sl
> I have UsePAM turned on, and getent group shows me in the "operations"
> group. I wonder why sshd is not seeing that I'm in the operations
> group?
Ok, never mind. On this particular server there was one entry in
/etc/group with my username in it, that was somehow interfering. Once
I removed
Hi Sean!
On Fri, 12 Feb 2010, Sean Carolan wrote:
> > Is "invalid user" all you're seeing in the log? Generally, at least with
> > OpenSSH, if the user is being denied because it's not in a valid group,
> > the logs will say so. They'll also generally tell you if it's because it
> > couldn't find
> For example, we might have a group called "db-ssh" that defines a user
> group allowed to access database servers. Then we just make sure DB
> hosts get "AllowGroups db-ssh" added to their SSH configs. Plopping a
> user into the db-ssh group in LDAP then gives that person access to all
> the bo
On 2/2/2010 1:38 PM, patrick.mor...@hp.com wrote:
> On Tue, 02 Feb 2010, Sean Carolan wrote:
>
>>> Incidentally, that may also answer your other question about how to
>>> disable local shadow file passwords.
>>
>> Any suggestions for migrating accounts from /etc/shadow into the LDAP
>> database? I
Hi Sean!
On Tue, 02 Feb 2010, Sean Carolan wrote:
> >> Any suggestions for migrating accounts from /etc/shadow into the LDAP
> >> database? I tried this LdapImport perl script but it threw a bunch of
> >> errors and ultimately failed:
> >
> > At the time I did the initial import here, I put toge
>> Any suggestions for migrating accounts from /etc/shadow into the LDAP
>> database? I tried this LdapImport perl script but it threw a bunch of
>> errors and ultimately failed:
>
> At the time I did the initial import here, I put together a really ugly
> shell script that used a few cuts, greps
On Tue, 02 Feb 2010, Sean Carolan wrote:
> > Incidentally, that may also answer your other question about how to
> > disable local shadow file passwords.
>
> Any suggestions for migrating accounts from /etc/shadow into the LDAP
> database? I tried this LdapImport perl script but it threw a bunch
> Incidentally, that may also answer your other question about how to
> disable local shadow file passwords.
Any suggestions for migrating accounts from /etc/shadow into the LDAP
database? I tried this LdapImport perl script but it threw a bunch of
errors and ultimately failed:
http://wiki.babel
> /etc/security/access is definitely an option, as would be putting them
> all in a group and using "AllowGroups [your group]" in the sshd_config,
> among other possibilities.
>
> Doing something group-based is typically pretty easy to manage.
Thanks for the info, the sshd_config file may be the w
> #2
> a. there is also a setting in /etc/ldap.conf called pam_groupdn. This
> lets you define an LDAP object with multiple member attributes to
> control who can login. I find it easy to use
> b. SSH can be told to only accept logins from a posix group (same deal
> just handled at a different part o
On Tue, Feb 2, 2010 at 9:19 AM, Sean Carolan wrote:
> Wow, fast reply Muzzol!
>
>>> 2. If there are some users who only need access to a small number of
>>> servers, how would you handle that situation?
>> modify /etc/security/limits.conf to your needs
>
> What about /etc/security/access? Do you
Wow, fast reply Muzzol!
>> 2. If there are some users who only need access to a small number of
>> servers, how would you handle that situation?
> modify /etc/security/limits.conf to your needs
What about /etc/security/access? Do you think this is the best way to
accomplish this? Assume that I