Hi
I've followed Adam's post below on 'using pam_groupdn to use dynlist' to my
query posted couple of months back and after revisiting this configuration
facing issue with doing ssh to client machine with dynamic member of the
group. It works correctly for the static members of the same group.Could you
figure out if I'm missing something here??
Currently using Ubuntu 9.10 which uses slapd.d configuration directory.
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
*olcModuleLoad: {1}dynlist.la*
olcModuleLoad: {2}syncprov
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=testlab,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=admin,dc=testla
b,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=testlab,dc=com" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=testlab,dc=com
olcRootPW: 1234
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
*dn: olcOverlay={0}dynlist,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: {0}dynlist
olcDlAttrSet: {0}groupOfNames labeledURI member*
*ldap.conf* on client machine contains
# Group to enforce membership of
*pam_groupdn cn=u910desk,ou=Machines,dc=testlab,dc=com*
# Group member attribute
*pam_member_attribute member**
*
I have added following group
*dn: cn=u910desk,ou=Machines,dc=testlab,dc=com*
cn: u910desk
ipHostNumber: 172.17.5.232
objectClass: top
objectClass: groupOfNames
objectClass: labeledURIObject
objectClass: ipHost*
labeledURI: ldap://172.17.0.200/ou=Users,dc=testlab,dc=com??one?(host=cms3)*
member: cn=placeholder,dc=testlab,dc=com
member: uid=henry,ou=Users,dc=testlab,dc=com
Also a user with host=cms3 entry, which should become dynamic member
'u910desk' after resolving labledURI above
*dn: uid=jack,ou=Users,dc=testlab,dc=com*
cn: jack
sn: jack
givenName: jack
uid: jack
uidNumber: 1002
gidNumber: 513
homeDirectory: /home/jack
loginShell: /bin/bash
gecos: System User
host: cms3
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: hostobj
shadowMax: 45
However when I run search for member of group 'u910desk' it returns
following : member list does not contain entry of user 'jack' here
$ldapsearch -xLLL -b 'cn=u910desk,ou=Machines,dc=testlab,dc=com' member
dn: cn=u910desk,ou=Machines,dc=testlab,dc=com
member: cn=placeholder,dc=testlab,dc=com
member: uid=henry,ou=Users,dc=testlab,dc=com
For same reason(not sure tho) I think I'm not able to ssh to this client
using 'jack', however ssh using 'henry' works it being a static member of
'u910desk'.
adm...@u910desk:~$ ssh j...@localhost
j...@localhost's password:
You must be a member of cn=u910desk,ou=Machines,dc=testlab,dc=com to login.
Connection closed by ::1
adm...@u910desk:~$
adm...@u910desk:~$
adm...@u910desk:~$
adm...@u910desk:~$ ssh he...@localhost
he...@localhost's password:
Linux u910desk 2.6.31-17-generic #54-Ubuntu SMP Thu Dec 10 17:01:44 UTC 2009
x86_64
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
164 packages can be updated.
90 updates are security updates.
Last login: Wed Jun 2 17:10:19 2010 from localhost
he...@u910desk:~$
Any help in this matter will be highly appreciated.
Thanks in advance
Shamika
On Sat, Dec 12, 2009 at 4:53 AM, Adam Hough <a...@gradientzero.com> wrote:
> I am guessing you are either using RHEL5, Centos5 or some other RHEL5 based
> distro. I replaced the openldap that was on my centos5 machines with an
> newer version at 2.4.16+patches.
>
> I have uploaded the rpms and srpms of what I used which you can do a drop
> in replacement of the RHEL5 based openldap rpms.
> http://www.gradientzero.com/openldap/
>
> I do not remember for sure but I think I had to force one or 2 of the
> packages it get it to install but once everyhting is installed then it ran
> fine for me. I have 3 ldap servers using this version setup in a
> multi-master setup.
>
> Since I am doing a multimastet setup, I do not use slapd.conf but rather
> the slapd.d configuration directory though the dynlist overlay should work
> with slapd.conf as well.
>
>
> - Adam
>
>>
>>
>> On Fri, Dec 11, 2009 at 4:18 AM, Adam Hough <a...@gradientzero.com>wrote:
>>
>>> There are other ways to populate the pam_groupdn that you have associated
>>> with each machine but those all correspond to some attribute in the user's
>>> profile.
>>>
>>> I have pam_groupdn setup like this
>>>
>>> /etc/ldap.conf:
>>> pam_groupdn cn=<GROUP_NAME>,ou=Systems,dc=domain,dc=com
>>> pam_member_attribute member
>>>
>>> cn=<GROUP_NAME>,ou=Systems,dc=domain,dc=com
>>> cn: <GROUP_NAME>
>>> objectClass: top
>>> objectClass: groupOfNames
>>> objectClass: labeledURIObject
>>> member: uid=nobody,ou=People, dc=domain,dc=com
>>> labeledURI: ldap:///ou=People,dc=domain,dc=com??one?(host=<type of
>>> system>)
>>> labeledURI: ldap:///ou=People,dc=domain,dc=com??one?(gidNumber=XXXX)
>>>
>>> So as you can see you can have as many labeledURI attributes as you want
>>> or need. I tend to use the host name function of what the host does.
>>>
>>> This is how my account profile would look:
>>> uid=<MYUSERID>,ou=People,dc=domain,dc=com
>>> host: "cluster"
>>> host: sysadmin
>>>
>>> So "cluster" is a compute cluster that we have and thus for all those
>>> machines the pam_groupdn cn="cluster",ou=Systems,dc=domain,dc=com, and for
>>> machines where only the sysadmins login to then pam_groupdn
>>> cn=sysadmin,ou=Systems,dc=domain,dc=com.
>>>
>>> As long as you can for a labeledURI:
>>> ldap:///ou=People,dc=domain,dc=com??one?<attribute>=<value>) type search you
>>> can use it to auto populate the group.
>>>
>>> Summary:
>>> * Do to not think of the host attribute as host = hostname but as host =
>>> type of machine and that you can have more then one labeledURI per group to
>>> help populate the group.
>>> * Use good gidNumbers for groups to help auto populate groupOfName style
>>> groups.
>>>
>>>
>>>
>>> - Adam
>>>
>>>
>>>
>>> On Wed, Dec 9, 2009 at 4:01 AM, Shamika Joshi
>>> <shamika.jo...@gmail.com>wrote:
>>>
>>>> Hi Adam,
>>>> I'm able to get host auth working by using host attribute.But the
>>>> drawback of that is everytime there a new machine, I have to add that host
>>>> to all the users I want to grant access to. If I decide to do it based on
>>>> group membership, I can use pam_groupdn but then it does not allow multiple
>>>> group entries there, plus it has to be managed on client side,which is even
>>>> more undesirable by any administrator.
>>>>
>>>> I went through this article but I'm not sure if it will work if I have
>>>> some members already associated with some groups. Like ldap1 & ldap2
>>>> members
>>>> of qagroup & ldap3 & ldap4 members of sysadmin, would this method allow me
>>>> to limit access based on their group membership?? if yes...could you
>>>> briefly
>>>> explain with an example?
>>>>
>>>> Thank for your time in advance
>>>> Shamika
>>>>
>>>>
>>>>
>>>> On Wed, Dec 9, 2009 at 9:04 AM, Adam Hough <a...@gradientzero.com>wrote:
>>>>
>>>>> Here is is the write up that I read to figure out how to do setup to
>>>>> auto-restrict users to certain hosts.
>>>>>
>>>>>
>>>>> http://www.hurricanelabs.com/september2009_login_security_using_openldap_and_pam
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
