Old 10-12-2012, 09:41 AM   #1
skimeer
su not giving proper message for restricted LDAP groups


Hello,

I have configured PAM authentication on a Linux box to restrict login to a particular group only.

I have enabled PAM and LDAP through authconfig and modified access.conf as below:

Code:
[root@test root]# tail -1 /etc/security/access.conf
- : ALL EXCEPT root test-auth : ALL
I also modified the sudoers file to grant su to this group:

Code:
[root@test ~]# tail -1 /etc/sudoers
%test-auth               ALL=/bin/su
Now only members of this LDAP group can log in to the system.

However, when I try su as any of these authorised users, it asks for a password and then, even though I enter the correct password, it gives a message like "Incorrect password" and the login fails.

/var/log/secure shows that the user does not have permission to get access, but then it should print a message like "Access denied", the way it does for console login.

The functionality is working but it is not giving proper messages. Could anyone please help with this?

My /etc/pam.d/su file:


Code:
[root@test root]# cat /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so

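Added example (editor's, not code posted by anyone in this thread): a small Python evaluator that applies the pam_access(8) matching rules to the access.conf line shown above, so you can see who the rule admits before touching the real file. It follows the documented semantics: the first line whose user list and origin list both match decides, `-` denies and `+` permits, `ALL EXCEPT` excludes whatever follows it, a bare token in the user field matches a login name or a group name, `(group)` matches a group only, and if no line matches pam_access permits. The user names and group memberships in SAMPLE_GROUPS are constructed for the demonstration, and the second rule with two parenthesised groups is a variant of the poster's rule, not something from the thread.

```python
"""Evaluate /etc/security/access.conf the way pam_access does.

Added example for this thread, not code from any poster.  Matching rules
follow pam_access(8): first matching line wins, '+' permits, '-' denies,
'ALL EXCEPT' excludes what follows it, a user-list token may be a login
name, a group name or '(group)', and no match at all means permit.
The group memberships below are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    permit: bool
    users: list    # tokens of the second field (login names, groups, ALL, EXCEPT)
    origins: list  # tokens of the third field (ttys, hosts, ALL, LOCAL, EXCEPT)


def _tokens(field):
    # List items are separated by spaces and/or commas.
    return field.replace(",", " ").split()


def parse_access_conf(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append(Rule(fields[0] == "+", _tokens(fields[1]), _tokens(fields[2])))
    return rules


def _list_match(tokens, match):
    """A token before EXCEPT must match and no token after EXCEPT may match."""
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        wanted, excluded = tokens[:cut], tokens[cut + 1:]
    else:
        wanted, excluded = tokens, []
    if not any(match(t) for t in wanted):
        return False
    return not any(match(t) for t in excluded)


def _user_match(tok, user, groups):
    if tok == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):   # explicit group form
        return tok[1:-1] in groups
    return tok == user or tok in groups              # bare name: login or group


def _origin_match(tok, origin):
    if tok == "ALL":
        return True
    if tok == "LOCAL":          # a tty, or a hostname without a domain part
        return "." not in origin
    return tok == origin


def is_permitted(rules, user, groups, origin):
    for rule in rules:
        if (_list_match(rule.users, lambda t: _user_match(t, user, groups))
                and _list_match(rule.origins, lambda t: _origin_match(t, origin))):
            return rule.permit
    return True   # pam_access default when nothing matches


# The one rule from the thread, and a constructed variant naming two groups.
THREAD_RULE = "- : ALL EXCEPT root test-auth : ALL\n"
TWO_GROUP_RULE = "- : ALL EXCEPT root (test-auth) (ops-auth) : ALL\n"

# Constructed memberships: only ops1 and ops2 are in an admitted group.
SAMPLE_GROUPS = {
    "root": ["root"],
    "kalpana": ["users"],
    "tester": ["tester"],
    "ops1": ["users", "test-auth"],
    "ops2": ["users", "ops-auth"],
}


def decide(user, origin="pts/4", conf=THREAD_RULE):
    """True if pam_access would let `user` in from `origin` under `conf`."""
    rules = parse_access_conf(conf)
    return is_permitted(rules, user, SAMPLE_GROUPS.get(user, []), origin)


if __name__ == "__main__":
    for name in SAMPLE_GROUPS:
        verdict = "permitted" if decide(name) else "denied"
        print(f"{name:8s} {verdict}")
```

Running it prints root and ops1 as permitted and everyone else as denied under the thread's rule; switch `conf=TWO_GROUP_RULE` and ops2 is admitted as well, which is the multi-group case. Note that the evaluator only answers the policy question; it says nothing about which message su prints when the account phase refuses.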
 
Old 10-13-2012, 02:43 AM   #2
uk.engr
Dear, I am new to LDAP. Can you please let me know an easy way to configure LDAP?
 
Old 10-13-2012, 01:41 PM   #3
skimeer
Hi uk.engr,

The links below will help you with OpenLDAP configuration.

http://www.openldap.org/doc/admin24/ and

http://www.openldap.org/doc/admin22/install.html
 
Old 10-15-2012, 05:36 AM   #4
skimeer
Does anyone have a solution for my actual question?
 
Old 10-15-2012, 07:45 PM   #5
Matthew Hardin
Hey Skimeer,

Several different pieces are in play here. Being that you can at least log in using an LDAP account, I'd venture a guess that the LDAP server is at least configured correctly. We'll also need to see your system-auth file to see what it's doing. Then it may be off to other places as well.

One thing you might want to do is restart the LDAP server from the command line in debug mode and watch what happens when you run the su command. That will probably provide the most information. You might start with -1 (produces a LOT of output) and back off from there. Sometimes 256 is a good value as well, as it only displays operations and not much else.

Hope this helps,

-Matt

Matthew Hardin
Symas - The LDAP Guys
http://www.symas.com
 
Old 10-15-2012, 10:25 PM   #6
skimeer
Hey Matt,

I will test with restarting the LDAP service. Meanwhile, this is my system-auth:

Code:
[root@test ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
 
Old 10-15-2012, 11:01 PM   #7
Matthew Hardin
Hi Skimeer,

I don't see anything the matter there, but get your database cleaned up (see my reply to your group lookup problem) and then see what works and what doesn't.

Cheers,

-Matt

Matthew Hardin
Symas - The LDAP Guys
http://www.symas.com

 
Old 10-16-2012, 12:27 AM   #8
skimeer
Hi Matt,

Backup/Restore did not resolve this issue.

What I have observed is that when I try su for unauthorized users, it gives an access denied message in /var/log/secure:

Code:
Oct 16 06:50:12 localhost su: pam_access(su:account): access denied for user `kalpana' from `pts/4'
Oct 16 06:50:47 localhost su: pam_access(su:account): access denied for user `kalpana' from `pts/4'
However, I guess this should be printed just when I try su with user kalpana.

Is there any way to handle messages before login for LDAP users through the PAM files?
 
Old 10-16-2012, 02:21 PM   #9
Matthew Hardin
Hmm. It was late last night and I was thinking sudo, not su.

The su command works like this: If you type the target user's password, then su will authorize you for that id and either run the command you specified after -c or present you with a shell prompt. If you don't know the password, then it simply says "Sorry" and returns you to your original shell prompt. You'll also see a message in the log like the one you showed above.

The apparent exceptions in /etc/pam.d/su, but commented out in your example, are for members of group "wheel". One will implicitly trust members of that group, and the other will require that a user be a member of that group in order to succeed, even if the correct password is entered. Since they are commented out, neither of those cases will apply.

Is su behaving this way for both local and LDAP users? (maybe show the output so we can understand better if this is not the case)

Cheers,

-Matt

Matthew Hardin
Symas - The LDAP Guys
http://www.symas.com
 
Old 10-17-2012, 07:02 AM   #10
skimeer
Hi Matt,

I have now added a local user named tester. This user is also denied access, using the PAM configuration above.

Code:
[skimeer@test root]$ su tester
Password:
su: incorrect password
[skimeer@test root]$
The log (/var/log/secure) shows:

Code:
Oct 17 13:21:30 localhost useradd[32237]: new group: name=tester, GID=10126
Oct 17 13:21:30 localhost useradd[32237]: new user: name=tester, UID=10126, GID=10126, home=/home/tester, shell=/bin/bash
Oct 17 13:21:45 localhost passwd: pam_unix(passwd:chauthtok): password changed for tester
Oct 17 13:21:55 localhost su: pam_limits(su:session): unknown limit item 'nofiles'
Oct 17 13:21:55 localhost su: pam_limits(su:session): unknown limit item 'nofiles'
Oct 17 13:21:55 localhost su: pam_unix(su:session): session opened for user svaidya by root(uid=0)
Oct 17 13:22:04 localhost su: pam_access(su:account): access denied for user `tester' from `pts/3'

Hence there is no difference between LDAP users and local users. I guess we can play around with the su configuration to modify these messages, mainly something for pam_access.

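Added example (editor's, not code posted by anyone in this thread): a Python parser that pulls the PAM module messages out of /var/log/secure lines like the ones above and classifies su failures by the PAM phase that rejected the user. The point a practitioner would want here is that su runs the PAM auth stack first and the account stack only after the password has been accepted, so a denial logged as `pam_access(su:account)` means the password was right and policy refused the user, even though the terminal only said "incorrect password". The log lines in SAMPLE_SECURE are constructed for the example: the first five copy the format of the lines posted above, the last is a pam_unix auth failure in its usual format and did not appear in the thread.

```python
"""Classify su failures in /var/log/secure by the PAM phase that rejected them.

Added example for this thread, not code from any poster.  su runs the PAM
'auth' stack first and the 'account' stack only after the password was
accepted, so a pam_access denial tagged (su:account) means the password was
right and policy refused the user.  The log lines below are constructed:
the first five follow the format of the lines posted in the thread, the
last is a pam_unix auth failure in its usual format.
"""
import re
from collections import Counter

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
PAM_RE = re.compile(
    r"^(?P<module>pam_\w+)\((?P<service>[\w-]+):(?P<phase>\w+)\): (?P<detail>.*)$")
ACCESS_DENY_RE = re.compile(r"access denied for user `(?P<user>[^']+)' from `(?P<origin>[^']+)'")
UNIX_AUTHFAIL_RE = re.compile(r"^authentication failure;.*\buser=(?P<user>\S*)")

SAMPLE_SECURE = """\
Oct 17 13:21:30 localhost useradd[32237]: new user: name=tester, UID=10126, GID=10126, home=/home/tester, shell=/bin/bash
Oct 17 13:21:45 localhost passwd: pam_unix(passwd:chauthtok): password changed for tester
Oct 17 13:21:55 localhost su: pam_limits(su:session): unknown limit item 'nofiles'
Oct 17 13:22:04 localhost su: pam_access(su:account): access denied for user `tester' from `pts/3'
Oct 16 06:50:12 localhost su: pam_access(su:account): access denied for user `kalpana' from `pts/4'
Oct 17 13:25:10 localhost su: pam_unix(su:auth): authentication failure; logname=skimeer uid=500 euid=0 tty=pts/3 ruser=skimeer rhost=  user=tester
""".splitlines()


def parse_pam_events(lines):
    """Return one dict per PAM module message; non-PAM lines are skipped."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        p = PAM_RE.match(m["msg"])
        if not p:
            continue                      # e.g. useradd's own messages
        ev = {"ts": m["ts"], "prog": m["prog"], **p.groupdict()}
        if p["module"] == "pam_access":
            d = ACCESS_DENY_RE.search(p["detail"])
            if d:
                ev.update(d.groupdict())
                ev["outcome"] = "denied"
        elif p["module"] == "pam_unix" and p["phase"] == "auth":
            f = UNIX_AUTHFAIL_RE.match(p["detail"])
            if f:
                ev["user"] = f["user"]
                ev["outcome"] = "auth_failed"
        events.append(ev)
    return events


def su_failures(lines):
    """Map user -> Counter of PAM phases in which the su service rejected them.

    'account' = password accepted, a policy module such as pam_access refused;
    'auth'    = the password itself was wrong.
    """
    by_user = {}
    for ev in parse_pam_events(lines):
        if ev["service"] != "su" or "outcome" not in ev:
            continue
        by_user.setdefault(ev["user"], Counter())[ev["phase"]] += 1
    return by_user


if __name__ == "__main__":
    for user, phases in sorted(su_failures(SAMPLE_SECURE).items()):
        print(f"{user:8s} {dict(phases)}")
```

On the sample, tester shows one account-phase and one auth-phase rejection and kalpana one account-phase rejection; the useradd, passwd and pam_limits lines are ignored. To reproduce the split outside su, pamtester(1) can run the su service's `authenticate` and `acct_mgmt` operations separately (`pamtester su kalpana authenticate acct_mgmt`), which shows directly which of the two steps returns the denial.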
 
Old 10-29-2012, 08:39 AM   #11
skimeer
Does anyone have a comment on this? I am still struggling to get this resolved.
 
Old 11-05-2012, 11:23 PM   #12
skimeer
I just checked with a single group only. In that case, if I try su, it gives a proper message like "user must be a member of group x".

Is there any restriction on using multiple groups?
 
Old 12-14-2012, 08:19 AM   #13
skimeer
Could anyone please help me out with this?
 
  

