LinuxQuestions.org forum thread (Linux - Server)
Old 06-28-2012, 05:45 AM   #1
salverahul
LQ Newbie
 
Registered: Jun 2012
Posts: 5

389-ds Host based authentication doesn't work.

Hi Everybody,

I am configuring an LDAP server; for that I am using Fedora Directory Server (389-ds).

My initial level of user authentication is working well. But when it comes to login or SSH to any client it becomes a mess.

I want users to access only allowed hosts, not every machine in LDAP.

* getent passwd (It works fine & gives output as expected.)
* /etc/nsswitch (I replaced sss with ldap for passwd, group & ...)
* The /etc/openldap/ldap.conf file has a valid server entry, and client and server are both requesting info from the LDAP server.
* /etc/pam.d/system-auth and the password file are both modified to use the pam_ldap.so module instead of pam_sss.so

Please suggest some other parameters where I might have gone wrong. If anybody needs any file from my configuration, please reply and I can paste the whole file here.


Please get back ASAP.


Regards,

Dr.CRAZY
 
Old 07-08-2012, 02:11 PM   #2
rch
Member
 
Registered: Feb 2003
Location: Santa Clara,CA
Distribution: Mandriva
Posts: 909

Hi Silverahul,
Are you using Fedora? The steps that you have listed are correct. If getent passwd is returning the users from LDAP, that means that your configuration should be OK. I can only imagine that something is wrong in your PAM configuration, if by saying that it's a mess you are implying that it is not working. Did you read the 389 Directory HOWTO here? What is the output of /var/log/secure?
 
Old 07-09-2012, 05:32 AM   #3
salverahul
LQ Newbie
 
Registered: Jun 2012
Posts: 5

Original Poster
Hi rch,

Thanks for the reply. Yes, I am using Fedora 14 and yes, I did follow the HOWTO for PAM as well.
Please suggest some more steps so that I can overcome this issue.

Regards,
Dr.CRAZY

========================================================
Below are the LDAP users.

# getent passwd

rsalve:*:5000:100:rahul salve:/home/user:/bin/bash
twhite:*:5001:100:tux white:/home/user:/bin/bash
lblack:*:5003:100:linux black:/home/user:/bin/bash

========================================================
Output when any user tries to log in on the server

tail -f /var/log/secure

Jul 9 15:53:02 server sshd[7377]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.7 user=rsalve
Jul 9 15:53:02 server sshd[7377]: Accepted password for rsalve from 192.168.1.7 port 36176 ssh2
Jul 9 15:53:02 server sshd[7377]: pam_unix(sshd:session): session opened for user rsalve by (uid=0)

========================================================
Section of PAM where I use LDAP.
[root@server ~]# vi /etc/pam.d/system-auth

auth sufficient pam_ldap.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient pam_ldap.so use_authtok
session optional pam_ldap.so

========================================================
LDIF file for user.

# rsalve, People, rahulinux.org
dn: uid=rsalve,ou=People,dc=rahulinux,dc=org
givenName: rahul
sn: salve
telephoneNumber: 9960890030
loginShell: /bin/bash
gidNumber: 100
uidNumber: 5000
mail: rahul.salve@synechron.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: hostObject
uid: rsalve
cn: rahul salve
homeDirectory: /home/user
host: server.rahulinux.org
==================================
LDIF file for host.

# server, hosts, rahulinux.org
dn: cn=server,ou=hosts,dc=rahulinux,dc=org
objectClass: top
objectClass: device
objectClass: ipHost
ipHostNumber: 192.168.1.4
cn: server.rahulinux.org
cn: server
==================================
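The symptom in this thread (every LDAP user can log in on every machine although the entries carry a host attribute) is what a client shows when nothing actually evaluates that attribute at the PAM account stage. In the PADL pam_ldap client, which is the pam_ldap.so used in the posted system-auth, the attribute is only consulted when pam_check_host_attr yes is set in its configuration. The following is an added example, not code from the thread, 389-ds or pam_ldap: it simulates the decision that option makes, using a constructed LDIF based on the entries posted above (rsalve, twhite, lblack; svc-backup is invented to show the '*' wildcard). The matching rules assumed here are the documented ones: a host value equal to the machine's fully qualified name, its short name, or '*' allows; an entry with no host attribute is denied.

```python
"""Simulate pam_ldap's host-attribute authorization (pam_check_host_attr yes).
Added example for this thread; not code from 389-ds, pam_ldap or the poster."""

# Constructed LDIF: rsalve/twhite/lblack follow the entries posted in the
# thread, svc-backup is invented to show the '*' wildcard. Attributes that do
# not matter for the host check were left out.
LDIF = """\
# rsalve, People, rahulinux.org
dn: uid=rsalve,ou=People,dc=rahulinux,dc=org
objectClass: posixAccount
objectClass: hostObject
uid: rsalve
uidNumber: 5000
host: server.rahulinux.org

# twhite, People, rahulinux.org
dn: uid=twhite,ou=People,dc=rahulinux,dc=org
objectClass: posixAccount
objectClass: hostObject
uid: twhite
uidNumber: 5001
host: client.rahulinux.org
host: server

# lblack, People, rahulinux.org (no host attribute at all)
dn: uid=lblack,ou=People,dc=rahulinux,dc=org
objectClass: posixAccount
uid: lblack
uidNumber: 5003

# svc-backup, People, rahulinux.org (constructed; '*' means every host)
dn: uid=svc-backup,ou=People,dc=rahulinux,dc=org
objectClass: posixAccount
objectClass: hostObject
uid: svc-backup
uidNumber: 5999
host: *
"""


def parse_ldif(text):
    """Return {dn: {attr: [values]}} for a plain LDIF dump.
    Handles comments and blank-line entry separators; base64 (::) values
    and wrapped continuation lines are not needed here and not handled."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current = None          # blank line terminates the entry
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(": ")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr.lower(), []).append(value)
    return entries


def host_values(entries, uid):
    """Host attribute values of the entry with this uid; None if no such user."""
    for attrs in entries.values():
        if uid in attrs.get("uid", []):
            return attrs.get("host", [])
    return None


def host_allowed(entries, uid, fqdn):
    """Decision at the PAM account stage when pam_check_host_attr is on:
    allow only if a host value equals the machine's FQDN, its short name,
    or '*'. An entry with no host attribute (or an unknown user) is denied,
    which is the behaviour the option is documented to have."""
    hosts = host_values(entries, uid)
    if not hosts:
        return False
    short = fqdn.split(".", 1)[0]
    return any(h in ("*", fqdn, short) for h in hosts)


if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    for machine in ("server.rahulinux.org", "client.rahulinux.org"):
        for user in ("rsalve", "twhite", "lblack", "svc-backup"):
            verdict = "allow" if host_allowed(entries, user, machine) else "deny"
            print("%-10s on %-22s -> %s" % (user, machine, verdict))
```

Run stand-alone it prints the verdict matrix; the interesting rows are rsalve denied on client.rahulinux.org, twhite allowed on server.rahulinux.org through the short name, and lblack denied everywhere because the entry has no host attribute. The point for a defender is that the decision data lives in the directory, so a user's reach is changed in one place rather than on each machine, provided every client actually enforces the attribute.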
 
Old 07-09-2012, 03:33 PM   #4
rch
Member
 
Registered: Feb 2003
Location: Santa Clara,CA
Distribution: Mandriva
Posts: 909

So are you saying that only SSH logins are not working? If yes, have you modified /etc/pam.d/ssh to at least include the system-auth?
 
Old 07-10-2012, 02:16 AM   #5
salverahul
LQ Newbie
 
Registered: Jun 2012
Posts: 5

Original Poster
No! It's working, but it's allowing all the users to log in on all the servers, even if users are restricted to logging in to that server.
In fact host-based authentication is not working as expected.
 
Old 07-10-2012, 06:31 AM   #6
rch
Member
 
Registered: Feb 2003
Location: Santa Clara,CA
Distribution: Mandriva
Posts: 909

Use pam_listfile.so to allow or deny logins based on whether a username is in the file you specify or not. A simple how-to here.
 
Old 07-10-2012, 09:55 AM   #7
salverahul
LQ Newbie
 
Registered: Jun 2012
Posts: 5

Original Poster
Thanks rch,

It works. Thank you very much for the help. But the pain in my heart is different: I am configuring this server keeping 2000 users in mind.
This method is helpful for a small environment, where you need to modify the configuration on each server/machine. But for a large environment it is helpless.

#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so


I have a copy of the sshd file in the pam.d dir which can help you to understand my current working environment.
Even after copying this file it does not work in my case.
Can you please suggest another workaround.
 
Old 07-10-2012, 01:58 PM   #8
rch
Member
 
Registered: Feb 2003
Location: Santa Clara,CA
Distribution: Mandriva
Posts: 909

So you are essentially saying that you want to restrict user logins by group. The first step, obviously, is to create groups and populate the groups that you want to give access to the system.

Next, if you are using pam_listfile.so, modify
Code:
item=user
to
Code:
item=group
In the configuration file (that you used), change the usernames that you already have to the groups that you want to have access to the system.

We do it a little differently though. Assuming that you are using OpenSSH (which you probably are, as you are using Fedora), modify /etc/ssh/sshd_config and add a line that specifies all groups that you want to allow to log in through SSH.

For example, if there are two groups <groupname1> and <groupname2> that you want to allow to log in through SSH, add this line at the end of /etc/ssh/sshd_config
Code:
AllowGroups <groupname1> <groupname2>
 
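Both mechanisms suggested in posts #6 and #8 decide access from data held on each server rather than in the directory, which is why the original poster finds them hard to scale. The following is an added example, not code from the thread, Linux-PAM or OpenSSH, that simulates the two decisions so the difference between item=user and item=group, the effect of onerr=, and sshd's AllowGroups pattern matching can be seen side by side. The user names are the ones posted above; the group names, memberships, list files and the pam_listfile.so lines are constructed for the example and kept in memory so it runs offline. The AllowGroups semantics assumed are those of sshd_config(5): the primary or any supplementary group must match one of the patterns, which may use '*' and '?'.

```python
"""Simulate two per-host login restrictions from this thread: pam_listfile.so
(item=user or item=group) and sshd's AllowGroups. Added example; not code
from the thread, Linux-PAM or OpenSSH."""
import shlex
from fnmatch import fnmatchcase

# Constructed account data. The user names come from the thread; the group
# names and memberships are invented for the example.
PRIMARY_GROUP = {"rsalve": "users", "twhite": "users", "lblack": "users"}
GROUP_MEMBERS = {
    "users": [],
    "server-login": ["rsalve", "twhite"],
    "ldap-admins": ["rsalve"],
}
# In-memory stand-in for the list files on disk, keyed by path.
FILES = {
    "/etc/login.user.allowed": ["rsalve"],
    "/etc/login.group.allowed": ["server-login"],
}

# Constructed pam_listfile.so lines: the item=user form from post #6 and the
# item=group form from post #8.
USER_LINE = ("account required pam_listfile.so "
             "item=user sense=allow file=/etc/login.user.allowed onerr=fail")
GROUP_LINE = ("account required pam_listfile.so "
              "item=group sense=allow file=/etc/login.group.allowed onerr=fail")


def groups_of(user):
    """Primary group first, then every group listing the user as a member."""
    groups = [PRIMARY_GROUP[user]] if user in PRIMARY_GROUP else []
    groups += [g for g, members in GROUP_MEMBERS.items()
               if user in members and g not in groups]
    return groups


def parse_listfile_options(pam_line):
    """Extract the key=value options that follow pam_listfile.so.
    This simulator insists on item, sense, file and onerr being present."""
    fields = shlex.split(pam_line)
    if "pam_listfile.so" not in fields:
        raise ValueError("not a pam_listfile.so line")
    start = fields.index("pam_listfile.so") + 1
    opts = dict(f.split("=", 1) for f in fields[start:] if "=" in f)
    missing = {"item", "sense", "file", "onerr"} - set(opts)
    if missing:
        raise ValueError("missing options: %s" % ", ".join(sorted(missing)))
    return opts


def listfile_decision(user, pam_line, files=FILES):
    """'allow' or 'deny' as pam_listfile.so would decide for one user.
    sense=allow: the item must be listed; sense=deny: it must not be.
    An unreadable file is resolved by onerr (succeed -> allow, fail -> deny)."""
    o = parse_listfile_options(pam_line)
    if o["file"] not in files:
        return "allow" if o["onerr"] == "succeed" else "deny"
    listed = {line.strip() for line in files[o["file"]] if line.strip()}
    if o["item"] == "user":
        candidates = {user}
    elif o["item"] == "group":
        candidates = set(groups_of(user))
    else:
        raise ValueError("item=%s is not simulated here" % o["item"])
    matched = bool(candidates & listed)
    if o["sense"] == "allow":
        return "allow" if matched else "deny"
    if o["sense"] == "deny":
        return "deny" if matched else "allow"
    raise ValueError("sense must be allow or deny")


def sshd_allowgroups(user, patterns):
    """sshd_config AllowGroups: permitted only if the primary or a supplementary
    group matches one of the patterns ('*' and '?' wildcards per sshd_config(5)).
    No AllowGroups directive at all means no group restriction."""
    if not patterns:
        return True
    return any(fnmatchcase(g, p) for g in groups_of(user) for p in patterns)


if __name__ == "__main__":
    for user in ("rsalve", "twhite", "lblack"):
        print(user, groups_of(user),
              "item=user:", listfile_decision(user, USER_LINE),
              "item=group:", listfile_decision(user, GROUP_LINE),
              "AllowGroups server-login:", sshd_allowgroups(user, ["server-login"]))
```

Two details worth noticing when reading the output: with sense=allow a missing list file is a hard deny only because onerr=fail was written, so a server whose list file was never created locks everyone out rather than letting everyone in; and AllowGroups matches patterns, so a pattern like ldap-* admits every group with that prefix, which is convenient but means a new group name can widen access without anyone editing sshd_config.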
Old 07-14-2012, 07:45 PM   #9
salverahul
LQ Newbie
 
Registered: Jun 2012
Posts: 5

Original Poster

Thanks rch,

You have helped me a lot, and promptly.
Sorry for the delayed response as I was off. The only thing I can understand here is PAM and its modules.

Your suggested steps helped me in my test environment and it's really working cool, but unfortunately it doesn't match my organization's standard. So I think I have to start from scratch again.

Sorry, but can you please check my steps from the beginning, mentioned on my blog. I need expert advice like yours.

Have a Good time.

Cheers..!
Dr.CRAZY
 
  

