Re: Restricting client access using pam_groupdn with dynamic groups : Was[Re: restrict host login based on group]

2010-06-14 Thread Adam Hough
On Mon, Jun 14, 2010 at 12:32 AM, Shamika Joshi shamika.jo...@gmail.com wrote:

 Ya, here it is ... output of slapcat attached. Please let me know if you could
 see anything missing from this.

 Thanks & regards
 Shamika




Howard,

I will remember that.  I normally use the ldap commands anyway, since I have
a 3-way multi-master mirror setup.


Shamika,

Just in case I get too busy this week to look at your config, here is the
slapcat of my configuration with any sensitive information removed.

http://www.gradientzero.com/openldap/Example_config/config.ldif.gz


(I am sure that mine is not 100% optimal, but it is currently working for me.)


Re: Restricting client access using pam_groupdn with dynamic groups : Was[Re: restrict host login based on group]

2010-06-11 Thread Shamika Joshi
Hi Adam,
Sorry, because of workload it took me a while to revisit my configuration and
verify the things you mentioned. As far as I can tell, things look quite in
place. I have pasted my configuration, mapping exactly to yours. Could you
kindly take a look at it for me, please?

PWD=/etc/openldap/slapd.d
# ls -lR
cn=config
cn=config.ldif

./cn=config:
../
cn=schema/
olcDatabase={0}config/
olcDatabase={1}hdb/
cn=module{0}.ldif
cn=schema.ldif
olcDatabase={-1}frontend.ldif
olcDatabase={0}config.ldif
olcDatabase={1}hdb.ldif


/cn=config/cn=schema:

adm...@x6:/etc/ldap$ sudo ls -ltr /etc/ldap/slapd.d/cn\=config/cn=schema
total 60
-rw-r- 1 openldap openldap 15474 2010-04-01 00:30 cn={0}core.ldif
-rw--- 1 openldap openldap 11316 2010-04-01 00:30 cn={1}cosine.ldif
-rw--- 1 openldap openldap  2810 2010-04-01 00:31
cn={2}inetorgperson.ldif
-rw--- 1 openldap openldap  6446 2010-04-01 00:31 cn={3}nis.ldif
-rw--- 1 openldap openldap 12510 2010-04-13 22:59 cn={4}samba.ldif
-rw--- 1 openldap openldap   468 2010-04-15 04:07 cn={5}hostobj.ldi


./cn=config/olcDatabase={0}config  === I probably messed this up while
trying multi-master replication, but didn't know how to delete these, so I
left it there thinking it will not harm my dynlist config anyway. Please
correct me if I'm wrong.

sudo ls /etc/ldap/slapd.d//cn=config/olcDatabase={0}config
 olcOverlay={0}syncprov.ldif   olcOverlay={5}syncprov.ldif
 olcOverlay={10}syncprov.ldif  olcOverlay={6}syncprov.ldif
 olcOverlay={1}syncprov.ldif   olcOverlay={7}syncprov.ldif
 olcOverlay={2}syncprov.ldif   olcOverlay={8}syncprov.ldif
 olcOverlay={3}syncprov.ldif   olcOverlay={9}syncprov.ldif
 olcOverlay={4}syncprov.ldif

 adm...@x6:/etc/ldap$ sudo ls
 /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb
 olcOverlay={0}dynlist.ldif


 adm...@x6:/etc/ldap$ sudo cat /etc/ldap/slapd.d/cn\=config.ldif
 dn: cn=config
 objectClass: olcGlobal
 cn: config
 olcArgsFile: /var/run/slapd/slapd.args
 olcLogLevel: none
 olcPidFile: /var/run/slapd/slapd.pid
 olcToolThreads: 1
 structuralObjectClass: olcGlobal
 entryUUID: 342d7130-d1ac-102e-9cd4-e742ad24bbaf
 creatorsName: cn=config
 createTimestamp: 20100401073034Z
 olcServerID: 1 ldap://x6.testlab.com
 olcServerID: 2 ldap://x6slave.testlab.com
 entryCSN: 20100415071243.393226Z#00#000#00
 modifiersName: cn=admin,cn=config
 modifyTimestamp: 20100415071243Z
 contextCSN: 20100415110741.696825Z#00#000#00


 adm...@x6:/etc/ldap$ sudo cat /etc/ldap/slapd.d/cn\=config/cn\=module\{0\}.ldif
 dn: cn=module{0}
 objectClass: olcModuleList
 cn: module{0}
 olcModulePath: /usr/lib/ldap
 olcModuleLoad: {0}back_hdb
 olcModuleLoad: {1}dynlist.la
 olcModuleLoad: {2}syncprov
 structuralObjectClass: olcModuleList
 entryUUID: d01365fa-d1ac-102e-845b-c590dd936017
 creatorsName: cn=localroot,cn=config
 createTimestamp: 20100401073455Z
 entryCSN: 20100414110801.212307Z#00#000#00
 modifiersName: cn=admin,cn=config
 modifyTimestamp: 20100414110801Z

 adm...@x6:/etc/ldap$ sudo cat
 /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb/olcOverlay\=\{0\}dynlist.ldif
 dn: olcOverlay={0}dynlist
 objectClass: olcOverlayConfig
 objectClass: olcDynamicList
 olcOverlay: {0}dynlist
 olcDlAttrSet: {0}groupOfNames labeledURI member
 structuralObjectClass: olcDynamicList
 entryUUID: 4a9d0a38-d5b3-102e-8fe9-d7eabe4068a1
 creatorsName: cn=admin,cn=config
 createTimestamp: 20100406103123Z
 entryCSN: 20100406103123.135808Z#00#000#00
 modifiersName: cn=admin,cn=config
 modifyTimestamp: 20100406103123Z


My ldap.conf is there in the first thread. Do you see any issues that I need
to take care of? Anything you think I could be missing here?

Thanks
Shamika

On Mon, Jun 7, 2010 at 3:38 PM, Shamika Joshi shamika.jo...@gmail.com wrote:

 Thanks for the reply and details, Adam.
 I shall try matching my config to this and get back to you.

 thanks a ton
 Shamika


 On Sat, Jun 5, 2010 at 10:22 AM, Adam Hough a...@gradientzero.com wrote:

 My guess is that your config on the server is not right.  So it looks like
 you are using slapd.d, which is what I am using as well.  (I need to
 upload some updated rpms I think to gradientzero as well).

 I used this site to help me get my configuration working
 http://www.zytrax.com/books/ldap/ch6/slapd-config.html

 So my directory structural looks like:

 NOTE: While you can edit these files through the filesystem, I highly
 recommend that you edit the files through ldap commands.  I use Apache
 Directory Studio as my GUI-type front end, use ldapvi when I just want to
 make changes to values already in the ldap server, and then for major
 changes I use ldapmodify to make them.

 PWD=/etc/openldap/slapd.d
 # ls -lR
 .:
 total 8
 drwxr-x--- 5 ldap ldap 4096 May 26 16:48 cn=config
 -rw--- 1 ldap ldap 1312 May 26 17:10 cn=config.ldif

 ./cn=config:
 total 100
 -rw--- 1 ldap ldap   575 Sep  1  2009 cn=module{0}.ldif
 drwxr-x--- 2 ldap ldap  4096 Mar  4 12:42 cn=schema
 

Re: Restricting client access using pam_groupdn with dynamic groups : Was[Re: restrict host login based on group]

2010-06-11 Thread Howard Chu

Shamika Joshi wrote:

Hi Adam,
Sorry, because of workload it took me a while to revisit my configuration and
verify the things you mentioned. As far as I can tell, things look quite in place.
I have pasted my configuration, mapping exactly to yours. Could you kindly take a
look at it for me, please?

PWD=/etc/openldap/slapd.d


This is not the way to list the contents of the config DB. cn=config is a 
slapd database, use slapcat or ldapsearch to dump its contents.


slapcat -n0

Use the documented tools. You cannot rely on the slapd internal file formats 
remaining in any particular shape or form.

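Howard's advice above (dump cn=config with slapcat -n0, or with ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config, rather than reading the slapd.d files) also gives something a script can check. The following is an added example, not code from the thread or from OpenLDAP: it parses such a dump and reports the configuration problems this thread turns on: the dynlist module not loaded, an olcDlAttrSet with no member attribute, a member attribute that differs from pam_member_attribute, and one overlay stacked repeatedly on a database, as with the eleven syncprov instances on olcDatabase={0}config shown above. The attribute names and the olcDlAttrSet syntax are those of slapd-config(5) and slapo-dynlist(5); the sample dump inside it is constructed, not Shamika's, and base64 ("::") values are left undecoded.

```python
"""Sanity-check a cn=config dump (slapcat -n0 output) for a dynlist dynamic
group.  Added example, not code from the thread or from OpenLDAP; attribute
names and the olcDlAttrSet syntax follow slapd-config(5)/slapo-dynlist(5), the
sample dump at the bottom is constructed, and base64 ("::") values are not decoded."""
import re
from collections import defaultdict

ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*): ?(.*)$")
ORDER_RE = re.compile(r"^\{-?\d+\}")        # slapd's {n} ordering prefix

def parse_ldif(text):
    """RFC 2849 LDIF -> list of (dn, {lower-cased attr: [values]})."""
    entries, dn, attrs = [], None, defaultdict(list)
    # Removing "\n " joins folded lines; the trailing "" flushes the last entry.
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if line == "":
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        name, value = m.group(1).lower(), m.group(2)
        if name == "dn":
            dn = value
        else:
            attrs[name].append(value)
    return entries

def has_oc(attrs, oc):
    return oc.lower() in (v.lower() for v in attrs.get("objectclass", []))

def check_dynlist_config(ldif_text, member_attr="member"):
    """Return findings as strings; empty means the dump looks like a working
    dynamic group whose expanded attribute matches pam_member_attribute."""
    entries, findings = parse_ldif(ldif_text), []
    # 1. dynlist must be loaded (names carry {n} and .la/.so decoration).
    loaded = set()
    for dn, attrs in entries:
        if has_oc(attrs, "olcModuleList"):
            for mod in attrs.get("olcmoduleload", []):
                loaded.add(re.sub(r"\.(la|so)$", "", ORDER_RE.sub("", mod)))
    if "dynlist" not in loaded:
        findings.append("dynlist module is not loaded in any cn=module entry")
    # 2. olcDlAttrSet's third token (the member attribute) makes a dynamic
    #    group rather than a plain list, and must match pam_member_attribute.
    for dn, attrs in entries:
        if not has_oc(attrs, "olcDynamicList"):
            continue
        for raw in attrs.get("olcdlattrset", []):
            parts = ORDER_RE.sub("", raw).split()
            if len(parts) < 3:
                findings.append("olcDlAttrSet %r names no member attribute; "
                                "pam_groupdn will only see static members" % raw)
            elif parts[2].lower() != member_attr.lower():
                findings.append("olcDlAttrSet %r fills %s, but pam_member_attribute "
                                "is %s" % (raw, parts[2], member_attr))
    # 3. The same overlay stacked repeatedly on one database.
    stacks = defaultdict(int)
    for dn, attrs in entries:
        if has_oc(attrs, "olcOverlayConfig"):
            for ov in attrs.get("olcoverlay", []):
                stacks[(dn.split(",", 1)[1], ORDER_RE.sub("", ov))] += 1
    for (db, ov), n in sorted(stacks.items()):
        if n > 1:
            findings.append("%s has %d copies of the %s overlay" % (db, n, ov))
    return findings

# Constructed sample in the shape of the thread's Ubuntu config (folded olcRootDN).
SAMPLE_DUMP = """\
dn: cn=module{0},cn=config
objectClass: olcModuleList
olcModuleLoad: {1}dynlist.la

dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
olcOverlay: {0}syncprov

dn: olcOverlay={1}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
olcOverlay: {1}syncprov

dn: olcDatabase={1}hdb,cn=config
olcRootDN: cn=admin,dc=testlab,
 dc=com

dn: olcOverlay={0}dynlist,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: {0}dynlist
olcDlAttrSet: {0}groupOfNames labeledURI member
"""

if __name__ == "__main__":
    print("\n".join(check_dynlist_config(SAMPLE_DUMP) or ["no findings"]))
```

Replace SAMPLE_DUMP with the text of a real slapcat -n0 run, or import the module and call check_dynlist_config() on it. An empty result means none of these problems is present; it does not mean the group expands correctly, which still depends on the labeledURI filter matching real user entries.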
Re: Restricting client access using pam_groupdn with dynamic groups : Was[Re: restrict host login based on group]

2010-06-04 Thread Adam Hough
My guess is that your config on the server is not right.  So it looks like
you are using slapd.d, which is what I am using as well.  (I need to
upload some updated rpms I think to gradientzero as well).

I used this site to help me get my configuration working
http://www.zytrax.com/books/ldap/ch6/slapd-config.html

So my directory structure looks like:

NOTE: While you can edit these files through the filesystem, I highly
recommend that you edit the files through ldap commands.  I use Apache
Directory Studio as my GUI-type front end, use ldapvi when I just want to
make changes to values already in the ldap server, and then for major
changes I use ldapmodify to make them.

PWD=/etc/openldap/slapd.d
# ls -lR
.:
total 8
drwxr-x--- 5 ldap ldap 4096 May 26 16:48 cn=config
-rw--- 1 ldap ldap 1312 May 26 17:10 cn=config.ldif

./cn=config:
total 100
-rw--- 1 ldap ldap   575 Sep  1  2009 cn=module{0}.ldif
drwxr-x--- 2 ldap ldap  4096 Mar  4 12:42 cn=schema
-rw--- 1 ldap ldap 61687 Sep  1  2009 cn=schema.ldif
drwxr-x--- 2 ldap ldap  4096 Sep  2  2009 olcDatabase={0}config
-rw--- 1 ldap ldap  2067 Nov 12  2009 olcDatabase={0}config.ldif
drwxr-x--- 2 ldap ldap  4096 Mar  4 11:36 olcDatabase={1}bdb
-rw--- 1 ldap ldap  4093 May 26 16:48 olcDatabase={1}bdb.ldif
-rw--- 1 ldap ldap  2041 May 21 13:31 olcDatabase={-1}frontend.ldif
-rw--- 1 ldap ldap   522 Sep  1  2009 olcDatabase={2}monitor.ldif

/cn=config/cn=schema:
...SCHEMAS in this directory deleted to make this shorter.


./cn=config/olcDatabase={0}config:
total 4
-rw--- 1 ldap ldap 385 Sep  1  2009 olcOverlay={0}syncprov.ldif

./cn=config/olcDatabase={1}bdb:
total 24
-rw--- 1 ldap ldap 385 Sep  1  2009 olcOverlay={0}syncprov.ldif
-rw--- 1 ldap ldap 474 Sep  2  2009 olcOverlay={1}ppolicy.ldif
-rw--- 1 ldap ldap 397 Sep  3  2009 olcOverlay={2}memberof.ldif
-rw--- 1 ldap ldap 494 Sep  2  2009 olcOverlay={3}refint.ldif
-rw--- 1 ldap ldap 425 Sep  9  2009 olcOverlay={4}dynlist.ldif
-rw--- 1 ldap ldap 530 Mar  4 11:36 olcOverlay={5}unique.ldif

Now for some listings of my ldifs that you think you are needing to see.

# cat cn\=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigDir: /etc/openldap/slapd.d
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
olcTLSVerifyClient: never
structuralObjectClass: olcGlobal
olcTLSCACertificateFile: /etc/pki/certmaster/ca.cert
entryUUID: e686e389-d0eb-4987-a240-fee46028c0a6
creatorsName: cn=config
createTimestamp: 20090901234827Z
olcTLSCRLCheck: none
olcTLSCertificateFile: /etc/openldap/cacerts/server.cert
olcTLSCertificateKeyFile: /etc/openldap/cacerts/key.pem
olcServerID: 2 ldaps://2
olcServerID: 1 ldaps://1
olcServerID: 3 ldaps://3
olcPidFile: /var/run/openldap/slapd.pid
olcToolThreads: 1
olcThreads: 16

# cat cn\=config/cn\=module\{0\}.ldif
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap
olcModuleLoad: {0}dynlist.la
olcModuleLoad: {1}pcache.la
olcModuleLoad: {2}ppolicy.la
olcModuleLoad: {3}refint.la
olcModuleLoad: {4}retcode.la
olcModuleLoad: {5}syncprov.la
olcModuleLoad: {6}unique.la
olcModuleLoad: {7}memberof.la
structuralObjectClass: olcModuleList

# cat cn\=config/olcDatabase\=\{1\}bdb/olcOverlay\=\{4\}dynlist.ldif
dn: olcOverlay={4}dynlist
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: {4}dynlist
structuralObjectClass: olcDynamicList


I think these should help you find where you have gone wrong with your slapd
configuration.

So in my actual directory I have an ou=Systems,dc=domain,dc=ZZZ


cn=sysadmin,ou=Systems,dc=domain,dc=ZZZ
cn: sysadmin
objectClass: top
objectClass: groupOfNames
objectClass: labeledURIObject
member: uid=nobody,ou=People,dc=domain,dc=ZZZ
labeledURI: ldap:///ou=People,dc=domain,dc=ZZZ??one?(host=sysadmin)

The nobody user is a fake user that is in all my groups; the user cannot
log in. The labeledURI says that if a user has host=sysadmin they should be in
this group.

/etc/ldap.conf:
pam_groupdn cn=sysadmin,ou=Systems,dc=domain,dc=ZZZ
pam_member_attribute member

Also note that I hacked my schema to allow the host attribute in the
posixAccount users.


On Wed, Jun 2, 2010 at 7:06 AM, Shamika Joshi shamika.jo...@gmail.com wrote:

 Hi
 I've followed Adam's post below on 'using pam_groupdn to use dynlist', in reply
 to my query posted a couple of months back, and after revisiting this
 configuration I am facing an issue with doing ssh to a client machine as a
 dynamic member of the group. It works correctly for the static members of the
 same group. Could you
 figure out if I'm
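To see what Adam's group entry and ldap.conf settings amount to, here is an added example (not code from the thread, from pam_ldap or from OpenLDAP) that expands a groupOfNames/labeledURIObject entry the way slapo-dynlist does and then applies the pam_groupdn test: the user's DN must appear as a value of pam_member_attribute on the group. The directory content is constructed in memory and modelled on Adam's entry; the URL is the ldap:///<base>?<attrs>?<scope>?<filter> form used above (RFC 4516), the filter subset is equality, presence and &/|/! (RFC 4515), and DNs are assumed to contain no escaped commas. It also shows the failure Shamika describes: when the overlay does not expand the group (dynlist=False), only the static nobody member passes, and a user in a sub-OU is excluded by the ?one? scope until the URL says ?sub?.

```python
"""Expand a dynlist dynamic group and apply the pam_groupdn membership test.
Added example, not code from the thread, pam_ldap or OpenLDAP: the directory
is constructed in memory, URLs are the ldap:///<base>?<attrs>?<scope>?<filter>
form used in the thread (RFC 4516), the filter subset is equality, presence
and &/|/! (RFC 4515), and DNs are assumed to contain no escaped commas."""
from urllib.parse import unquote

# Constructed entries modelled on Adam's: a static "nobody" member, users whose
# host attribute decides membership, and one user in a sub-OU.
PEOPLE = "ou=People,dc=domain,dc=ZZZ"
GROUP = "cn=sysadmin,ou=Systems,dc=domain,dc=ZZZ"
DIRECTORY = {
    PEOPLE: {"objectclass": ["organizationalUnit"]},
    "uid=nobody," + PEOPLE: {"objectclass": ["posixAccount"]},
    "uid=alice," + PEOPLE: {"objectclass": ["posixAccount"], "host": ["sysadmin", "webfarm"]},
    "uid=bob," + PEOPLE: {"objectclass": ["posixAccount"], "host": ["webfarm"]},
    "uid=carol,ou=Contractors," + PEOPLE: {"objectclass": ["posixAccount"], "host": ["sysadmin"]},
    GROUP: {
        "objectclass": ["groupOfNames", "labeledURIObject"],
        "member": ["uid=nobody," + PEOPLE],
        "labeleduri": ["ldap:///" + PEOPLE + "??one?(host=sysadmin)"],
    },
}

def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def in_scope(dn, base, scope):
    d, b = norm_dn(dn).split(","), norm_dn(base).split(",")
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def parse_ldap_url(url):
    """ldap:///base?attrs?scope?filter -> (base, scope, filter)."""
    assert url.startswith("ldap:///"), url
    fields = [unquote(f) for f in url[len("ldap:///"):].split("?", 3)]
    fields += [""] * (4 - len(fields))          # missing trailing fields
    return fields[0], (fields[2] or "base").lower(), fields[3] or "(objectClass=*)"

def parse_filter(s):
    """Parse one RFC 4515 filter; returns (tree, unparsed remainder)."""
    if s[1] in "&|":
        rest, kids = s[2:], []
        while rest.startswith("("):
            kid, rest = parse_filter(rest)
            kids.append(kid)
        return (s[1], kids), rest[1:]             # rest[0] is the closing ")"
    if s[1] == "!":
        kid, rest = parse_filter(s[2:])
        return ("!", [kid]), rest[1:]
    end = s.index(")")
    attr, value = s[1:end].split("=", 1)
    return ("=", attr.lower(), value), s[end + 1:]

def matches(tree, attrs):
    op = tree[0]
    if op == "&":
        return all(matches(k, attrs) for k in tree[1])
    if op == "|":
        return any(matches(k, attrs) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], attrs)
    values = attrs.get(tree[1], [])
    if tree[2] == "*":                            # presence filter
        return bool(values)
    return any(v.lower() == tree[2].lower() for v in values)

def expand_dynamic_group(group_dn, directory, member_attr="member"):
    """What slapo-dynlist presents as member_attr: the stored static values
    plus every entry matched by each labeledURI on the group."""
    group = directory[group_dn]
    members = list(group.get(member_attr, []))
    for url in group.get("labeleduri", []):
        base, scope, flt = parse_ldap_url(url)
        tree = parse_filter(flt)[0]
        for dn, attrs in directory.items():
            if in_scope(dn, base, scope) and matches(tree, attrs) and dn not in members:
                members.append(dn)
    return members

def pam_groupdn_allows(user_dn, group_dn, directory, dynlist=True):
    """pam_groupdn passes when user_dn is a value of pam_member_attribute on the
    group.  dynlist=False is the group as stored: what clients see when the
    overlay does not expand it, so only static members pass."""
    members = (expand_dynamic_group(group_dn, directory) if dynlist
               else directory[group_dn].get("member", []))
    return norm_dn(user_dn) in {norm_dn(m) for m in members}

if __name__ == "__main__":
    for uid in ("nobody", "alice", "bob"):
        dn = "uid=%s,%s" % (uid, PEOPLE)
        print(uid, "dynlist:", pam_groupdn_allows(dn, GROUP, DIRECTORY),
              "static only:", pam_groupdn_allows(dn, GROUP, DIRECTORY, False))
```

The filter can only match what is actually stored on the user entries, which is why Adam had to extend his schema so that posixAccount users can carry host; a user without the attribute fails the dynamic test no matter how the overlay is configured.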