My guess is that your config on the server is not right. So it looks like you are using slapd.d, which is what I am using as well. (I need to upload some updated rpms I think to gradientzero as well.)
I used this site to help me get my configuration working: http://www.zytrax.com/books/ldap/ch6/slapd-config.html

So my directory structure looks like the listing below.

NOTE: While you can edit these files through the filesystem, I highly recommend that you edit the files through ldap commands. I use Apache Directory Studio as my GUI type front end, I use ldapvi when I just want to make changes to values already in the ldap server, and then to make major changes I use ldapmodify.

PWD=/etc/openldap/slapd.d
# ls -lR
.:
total 8
drwxr-x--- 5 ldap ldap 4096 May 26 16:48 cn=config
-rw------- 1 ldap ldap 1312 May 26 17:10 cn=config.ldif

./cn=config:
total 100
-rw------- 1 ldap ldap   575 Sep  1  2009 cn=module{0}.ldif
drwxr-x--- 2 ldap ldap  4096 Mar  4 12:42 cn=schema
-rw------- 1 ldap ldap 61687 Sep  1  2009 cn=schema.ldif
drwxr-x--- 2 ldap ldap  4096 Sep  2  2009 olcDatabase={0}config
-rw------- 1 ldap ldap  2067 Nov 12  2009 olcDatabase={0}config.ldif
drwxr-x--- 2 ldap ldap  4096 Mar  4 11:36 olcDatabase={1}bdb
-rw------- 1 ldap ldap  4093 May 26 16:48 olcDatabase={1}bdb.ldif
-rw------- 1 ldap ldap  2041 May 21 13:31 olcDatabase={-1}frontend.ldif
-rw------- 1 ldap ldap   522 Sep  1  2009 olcDatabase={2}monitor.ldif

./cn=config/cn=schema:
...<SCHEMAS in this directory deleted to make this shorter>

./cn=config/olcDatabase={0}config:
total 4
-rw------- 1 ldap ldap 385 Sep  1  2009 olcOverlay={0}syncprov.ldif

./cn=config/olcDatabase={1}bdb:
total 24
-rw------- 1 ldap ldap 385 Sep  1  2009 olcOverlay={0}syncprov.ldif
-rw------- 1 ldap ldap 474 Sep  2  2009 olcOverlay={1}ppolicy.ldif
-rw------- 1 ldap ldap 397 Sep  3  2009 olcOverlay={2}memberof.ldif
-rw------- 1 ldap ldap 494 Sep  2  2009 olcOverlay={3}refint.ldif
-rw------- 1 ldap ldap 425 Sep  9  2009 olcOverlay={4}dynlist.ldif
-rw------- 1 ldap ldap 530 Mar  4 11:36 olcOverlay={5}unique.ldif

Now for some listing of my ldifs that I think you are needing to see.
# cat cn\=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigDir: /etc/openldap/slapd.d
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
olcTLSVerifyClient: never
structuralObjectClass: olcGlobal
olcTLSCACertificateFile: /etc/pki/certmaster/ca.cert
entryUUID: e686e389-d0eb-4987-a240-fee46028c0a6
creatorsName: cn=config
createTimestamp: 20090901234827Z
olcTLSCRLCheck: none
olcTLSCertificateFile: /etc/openldap/cacerts/server.cert
olcTLSCertificateKeyFile: /etc/openldap/cacerts/key.pem
olcServerID: 2 ldaps://2
olcServerID: 1 ldaps://1
olcServerID: 3 ldaps://3
olcPidFile: /var/run/openldap/slapd.pid
olcToolThreads: 1
olcThreads: 16

# cat cn\=config/cn\=module\{0\}.ldif
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap
olcModuleLoad: {0}dynlist.la
olcModuleLoad: {1}pcache.la
olcModuleLoad: {2}ppolicy.la
olcModuleLoad: {3}refint.la
olcModuleLoad: {4}retcode.la
olcModuleLoad: {5}syncprov.la
olcModuleLoad: {6}unique.la
olcModuleLoad: {7}memberof.la
structuralObjectClass: olcModuleList

# cat cn\=config/olcDatabase\=\{1\}bdb/olcOverlay\=\{4\}dynlist.ldif
dn: olcOverlay={4}dynlist
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: {4}dynlist
structuralObjectClass: olcDynamicList

I think these should help you find where you have gone wrong with the configuration of the slapd configuration.
So in my actual directory I have an ou=Systems,dc=domain,dc=ZZZ:

cn=sysadmin,ou=Systems,dc=domain,dc=ZZZ
cn: sysadmin
objectClass: top
objectClass: groupOfNames
objectClass: labeledURIObject
member: uid=nobody,ou=People,dc=domain,dc=ZZZ
labeledURI: ldap:///ou=People,dc=domain,dc=ZZZ??one?(host=sysadmin)

The nobody user is a fake user that is in all my groups; the user cannot login. The labeledURI says that if a user has host=sysadmin they should be in this group.

/etc/ldap.conf:
pam_groupdn cn=sysadmin,ou=Systems,dc=domain,dc=ZZZ
pam_member_attribute member

Also note that I hacked my schema to allow the host attribute in the PosixAccount users.

On Wed, Jun 2, 2010 at 7:06 AM, Shamika Joshi <shamika.jo...@gmail.com> wrote:
> Hi
> I've followed Adam's post below on 'using pam_groupdn to use dynlist' to my
> query posted a couple of months back, and after revisiting this configuration
> I am facing an issue with doing ssh to a client machine with a dynamic member of the
> group. It works correctly for the static members of the same group. Could you
> figure out if I'm missing something here?
>
> Currently using Ubuntu 9.10 which uses the slapd.d configuration directory.
>
> dn: cn=module{0},cn=config
> objectClass: olcModuleList
> cn: module{0}
> olcModulePath: /usr/lib/ldap
> olcModuleLoad: {0}back_hdb
> olcModuleLoad: {1}dynlist.la
> olcModuleLoad: {2}syncprov
>
> dn: olcDatabase={1}hdb,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcHdbConfig
> olcDatabase: {1}hdb
> olcDbDirectory: /var/lib/ldap
> olcSuffix: dc=testlab,dc=com
> olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=testlab,dc=com" write by anonymous auth by self write by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to * by dn="cn=admin,dc=testlab,dc=com" write by * read
> olcLastMod: TRUE
> olcRootDN: cn=admin,dc=testlab,dc=com
> olcRootPW: 1234
> olcDbCheckpoint: 512 30
> olcDbConfig: {0}set_cachesize 0 2097152 0
> olcDbConfig: {1}set_lk_max_objects 1500
> olcDbConfig: {2}set_lk_max_locks 1500
> olcDbConfig: {3}set_lk_max_lockers 1500
> olcDbIndex: uid pres,eq
> olcDbIndex: cn,sn,mail pres,eq,approx,sub
> olcDbIndex: objectClass eq
>
> dn: olcOverlay={0}dynlist,olcDatabase={1}hdb,cn=config
> objectClass: olcOverlayConfig
> objectClass: olcDynamicList
> olcOverlay: {0}dynlist
> olcDlAttrSet: {0}groupOfNames labeledURI member
>
> ldap.conf on client machine contains
> # Group to enforce membership of
> pam_groupdn cn=u910desk,ou=Machines,dc=testlab,dc=com
>
> # Group member attribute
> pam_member_attribute member
>
> I have added the following group
> dn: cn=u910desk,ou=Machines,dc=testlab,dc=com
> cn: u910desk
> ipHostNumber: 172.17.5.232
> objectClass: top
> objectClass: groupOfNames
> objectClass: labeledURIObject
> objectClass: ipHost
> labeledURI: ldap://172.17.0.200/ou=Users,dc=testlab,dc=com??one?(host=cms3)
> member: cn=placeholder,dc=testlab,dc=com
> member: uid=henry,ou=Users,dc=testlab,dc=com
>
> Also a user with a host=cms3 entry, which should become a dynamic member of
> 'u910desk' after resolving the labeledURI above
>
> dn: uid=jack,ou=Users,dc=testlab,dc=com
> cn: jack
> sn: jack
> givenName: jack
> uid: jack
> uidNumber: 1002
> gidNumber: 513
> homeDirectory: /home/jack
> loginShell: /bin/bash
> gecos: System User
> host: cms3
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: hostobj
> shadowMax: 45
>
> However when I run a search for members of group 'u910desk' it returns the
> following: the member list does not contain the entry of user 'jack' here
>
> $ ldapsearch -xLLL -b 'cn=u910desk,ou=Machines,dc=testlab,dc=com' member
> dn: cn=u910desk,ou=Machines,dc=testlab,dc=com
> member: cn=placeholder,dc=testlab,dc=com
> member: uid=henry,ou=Users,dc=testlab,dc=com
>
> For the same reason (not sure tho) I think I'm not able to ssh to this client
> using 'jack', however ssh using 'henry' works, it being a static member of
> 'u910desk'.
>
> adm...@u910desk:~$ ssh j...@localhost
> j...@localhost's password:
> You must be a member of cn=u910desk,ou=Machines,dc=testlab,dc=com to login.
> Connection closed by ::1
> adm...@u910desk:~$
> adm...@u910desk:~$ ssh he...@localhost
> he...@localhost's password:
> Linux u910desk 2.6.31-17-generic #54-Ubuntu SMP Thu Dec 10 17:01:44 UTC 2009 x86_64
>
> To access official Ubuntu documentation, please visit:
> http://help.ubuntu.com/
>
> 164 packages can be updated.
> 90 updates are security updates.
>
> Last login: Wed Jun 2 17:10:19 2010 from localhost
> he...@u910desk:~$
>
>
> Any help in this matter will be highly appreciated.
>
> Thanks in advance
> Shamika
>
>
> On Sat, Dec 12, 2009 at 4:53 AM, Adam Hough <a...@gradientzero.com> wrote:
>
>> I am guessing you are either using RHEL5, Centos5 or some other RHEL5
>> based distro. I replaced the openldap that was on my centos5 machines with
>> a newer version at 2.4.16+patches.
>>
>> I have uploaded the rpms and srpms of what I used, which you can do a drop
>> in replacement of the RHEL5 based openldap rpms with.
>> http://www.gradientzero.com/openldap/
>>
>> I do not remember for sure but I think I had to force one or 2 of the
>> packages to get it to install, but once everything is installed then it ran
>> fine for me. I have 3 ldap servers using this version setup in a
>> multi-master setup.
>>
>> Since I am doing a multi-master setup, I do not use slapd.conf but rather
>> the slapd.d configuration directory, though the dynlist overlay should work
>> with slapd.conf as well.
>>
>>
>> - Adam
>>
>>>
>>>
>>> On Fri, Dec 11, 2009 at 4:18 AM, Adam Hough <a...@gradientzero.com> wrote:
>>>
>>>> There are other ways to populate the pam_groupdn that you have
>>>> associated with each machine but those all correspond to some attribute in
>>>> the user's profile.
>>>>
>>>> I have pam_groupdn setup like this
>>>>
>>>> /etc/ldap.conf:
>>>> pam_groupdn cn=<GROUP_NAME>,ou=Systems,dc=domain,dc=com
>>>> pam_member_attribute member
>>>>
>>>> cn=<GROUP_NAME>,ou=Systems,dc=domain,dc=com
>>>> cn: <GROUP_NAME>
>>>> objectClass: top
>>>> objectClass: groupOfNames
>>>> objectClass: labeledURIObject
>>>> member: uid=nobody,ou=People,dc=domain,dc=com
>>>> labeledURI: ldap:///ou=People,dc=domain,dc=com??one?(host=<type of system>)
>>>> labeledURI: ldap:///ou=People,dc=domain,dc=com??one?(gidNumber=XXXX)
>>>>
>>>> So as you can see you can have as many labeledURI attributes as you want
>>>> or need. I tend to use the host name function of what the host does.
>>>>
>>>> This is how my account profile would look:
>>>> uid=<MYUSERID>,ou=People,dc=domain,dc=com
>>>> host: "cluster"
>>>> host: sysadmin
>>>>
>>>> So "cluster" is a compute cluster that we have and thus for all those
>>>> machines the pam_groupdn is cn="cluster",ou=Systems,dc=domain,dc=com, and for
>>>> machines where only the sysadmins login to then pam_groupdn is
>>>> cn=sysadmin,ou=Systems,dc=domain,dc=com.
>>>>
>>>> As long as you can form a labeledURI:
>>>> ldap:///ou=People,dc=domain,dc=com??one?(<attribute>=<value>) type search you
>>>> can use it to auto populate the group.
>>>>
>>>> Summary:
>>>> * Do not think of the host attribute as host = hostname but as host =
>>>> type of machine, and note that you can have more than one labeledURI per group to
>>>> help populate the group.
>>>> * Use good gidNumbers for groups to help auto populate groupOfName style
>>>> groups.
>>>>
>>>>
>>>> - Adam
>>>>
>>>>
>>>> On Wed, Dec 9, 2009 at 4:01 AM, Shamika Joshi <shamika.jo...@gmail.com> wrote:
>>>>
>>>>> Hi Adam,
>>>>> I'm able to get host auth working by using the host attribute. But the
>>>>> drawback of that is every time there is a new machine, I have to add that host
>>>>> to all the users I want to grant access to. If I decide to do it based on
>>>>> group membership, I can use pam_groupdn but then it does not allow multiple
>>>>> group entries there, plus it has to be managed on the client side, which is even
>>>>> more undesirable by any administrator.
>>>>>
>>>>> I went through this article but I'm not sure if it will work if I have
>>>>> some members already associated with some groups. Like ldap1 & ldap2 members
>>>>> of qagroup & ldap3 & ldap4 members of sysadmin, would this method allow me
>>>>> to limit access based on their group membership? If yes, could you briefly
>>>>> explain with an example?
>>>>>
>>>>> Thanks for your time in advance
>>>>> Shamika
>>>>>
>>>>>
>>>>> On Wed, Dec 9, 2009 at 9:04 AM, Adam Hough <a...@gradientzero.com> wrote:
>>>>>
>>>>>> Here is the write up that I read to figure out how to do the setup to
>>>>>> auto-restrict users to certain hosts.
>>>>>>
>>>>>> http://www.hurricanelabs.com/september2009_login_security_using_openldap_and_pam
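As an added illustration of the mechanism the thread relies on (example code written here, not from anyone in the thread and not OpenLDAP's dynlist overlay), the Python below simulates how a group's labeledURI of the form ldap:///<base>?<attrs>?<scope>?<filter>, such as Adam's ldap:///ou=People,dc=domain,dc=ZZZ??one?(host=sysadmin), is turned into a member list over a constructed in-memory directory; it goes slightly beyond the thread by handling the base, one and sub scopes. Assumptions: the directory is a plain dict of DN to attributes, matching is case-insensitive (caseIgnore), DNs contain no escaped commas, only (attr=value) and presence filters are evaluated, and, as this example's own restriction, only URIs with an empty host part (the ldap:/// form used in the working configuration) are expanded.

```python
# Simulation of dynlist expansion (example code, not OpenLDAP's overlay).
import re
from urllib.parse import unquote

def parse_ldap_url(url):
    """Split ldap:///<base>?<attrs>?<scope>?<filter>; host part must be empty."""
    m = re.fullmatch(r"ldap://([^/]*)/(.*)", url, re.IGNORECASE)
    if not m or m.group(1):      # non-empty host: not expanded by this example
        return None
    fields = (m.group(2).split("?") + [""] * 4)[:4]
    base, attrs, scope, flt = (unquote(f) for f in fields)
    return (base.lower(), [a for a in attrs.split(",") if a],
            (scope or "base").lower(), flt or "(objectClass=*)")

def in_scope(dn, base, scope):
    """Naive scope test: DNs case-folded, split on the first comma (no escapes)."""
    dn = dn.lower()
    parent = dn.split(",", 1)[1] if "," in dn else ""
    return {"base": dn == base, "one": parent == base,
            "sub": dn == base or dn.endswith("," + base)}.get(scope, False)

def matches(entry, flt):
    """One equality or presence filter, e.g. (host=sysadmin); caseIgnore assumed."""
    m = re.fullmatch(r"\(([^=()]+)=([^()]*)\)", flt)
    if not m:
        raise ValueError("only (attr=value) filters are supported: " + flt)
    attr, value = m.group(1).lower(), m.group(2).lower()
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value in values

def expand_group(group, directory):
    """Static members plus every entry matched by each labeledURI, no duplicates."""
    members = list(group.get("member", []))
    for url in group.get("labeleduri", []):
        parsed = parse_ldap_url(url)
        if parsed is None:
            continue
        base, _attrs, scope, flt = parsed
        for dn, entry in directory.items():
            if in_scope(dn, base, scope) and matches(entry, flt) and dn not in members:
                members.append(dn)
    return members

# Constructed sample data modelled on the ou=People / ou=Systems layout above.
DIRECTORY = {
    "uid=alice,ou=People,dc=domain,dc=ZZZ": {"host": ["sysadmin", "cluster"]},
    "uid=bob,ou=People,dc=domain,dc=ZZZ": {"host": ["cluster"]},
    "uid=carol,ou=Guests,ou=People,dc=domain,dc=ZZZ": {"host": ["sysadmin"]},
}
SYSADMIN = {"member": ["uid=nobody,ou=People,dc=domain,dc=ZZZ"],
            "labeleduri": ["ldap:///ou=People,dc=domain,dc=ZZZ??one?(host=sysadmin)"]}
```

Calling expand_group(SYSADMIN, DIRECTORY) yields the static nobody placeholder plus alice; bob lacks host=sysadmin and carol sits one level too deep for scope "one", so neither is added.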