Re: Restricting client access using pam_groupdn with dynamic groups : Was[Re: restrict host login based on group]
On Mon, Jun 14, 2010 at 12:32 AM, Shamika Joshi <shamika.jo...@gmail.com> wrote:
> Ya here it is ... output of slapcat attached. Please let me know if you could see anything missing from this.
> Thanks, regards
> Shamika

Howard, I will remember that. I always use the ldap commands normally since I have a 3-way multi-master mirror setup.

Shamika, just in case I get too busy this week to look at your config, here is the slapcat of my configuration with any sensitive information removed:
http://www.gradientzero.com/openldap/Example_config/config.ldif.gz
(I am sure that mine is not 100% optimal, but it is currently working for me.)
Re: Restricting client access using pam_groupdn with dynamic groups : Was[Re: restrict host login based on group]
Hi Adam, sorry, because of workload it took me a while to revisit my configuration and verify the things you mentioned. As far as I could understand, things look quite in place. I have pasted my configurations, mapping exactly to yours. Could you kindly take a look at it for me please?

PWD=/etc/openldap/slapd.d
# ls -lR
cn=config cn=config.ldif

./cn=config:
../ cn=schema/ olcDatabase={0}config/ olcDatabase={1}hdb/
cn=module{0}.ldif cn=schema.ldif olcDatabase={-1}frontend.ldif
olcDatabase={0}config.ldif olcDatabase={1}hdb.ldif

/cn=config/cn=schema:
adm...@x6:/etc/ldap$ sudo ls -ltr /etc/ldap/slapd.d/cn\=config/cn=schema
total 60
-rw-r- 1 openldap openldap 15474 2010-04-01 00:30 cn={0}core.ldif
-rw--- 1 openldap openldap 11316 2010-04-01 00:30 cn={1}cosine.ldif
-rw--- 1 openldap openldap 2810 2010-04-01 00:31 cn={2}inetorgperson.ldif
-rw--- 1 openldap openldap 6446 2010-04-01 00:31 cn={3}nis.ldif
-rw--- 1 openldap openldap 12510 2010-04-13 22:59 cn={4}samba.ldif
-rw--- 1 openldap openldap 468 2010-04-15 04:07 cn={5}hostobj.ldi

./cn=config/olcDatabase={0}config
=== I probably messed this up while trying multimaster replication, but I didn't know how to delete these, so I left them there thinking they will not harm my dynlist config anyway. Please correct me if I'm wrong.

sudo ls /etc/ldap/slapd.d//cn=config/olcDatabase={0}config
olcOverlay={0}syncprov.ldif olcOverlay={5}syncprov.ldif olcOverlay={10}syncprov.ldif
olcOverlay={6}syncprov.ldif olcOverlay={1}syncprov.ldif olcOverlay={7}syncprov.ldif
olcOverlay={2}syncprov.ldif olcOverlay={8}syncprov.ldif olcOverlay={3}syncprov.ldif
olcOverlay={9}syncprov.ldif olcOverlay={4}syncprov.ldif

adm...@x6:/etc/ldap$ sudo ls /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb
olcOverlay={0}dynlist.ldif

adm...@x6:/etc/ldap$ sudo cat /etc/ldap/slapd.d/cn\=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 342d7130-d1ac-102e-9cd4-e742ad24bbaf
creatorsName: cn=config
createTimestamp: 20100401073034Z
olcServerID: 1 ldap://x6.testlab.com
olcServerID: 2 ldap://x6slave.testlab.com
entryCSN: 20100415071243.393226Z#00#000#00
modifiersName: cn=admin,cn=config
modifyTimestamp: 20100415071243Z
contextCSN: 20100415110741.696825Z#00#000#00

# cat cn\=config/cn\=module\{0\}.ldif
dn: cn=module{0}
adm...@x6:/etc/ldap$ sudo cat /etc/ldap/slapd.d/cn\=config/cn\=module\{0\}.ldif
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}dynlist.la
olcModuleLoad: {2}syncprov
structuralObjectClass: olcModuleList
entryUUID: d01365fa-d1ac-102e-845b-c590dd936017
creatorsName: cn=localroot,cn=config
createTimestamp: 20100401073455Z
entryCSN: 20100414110801.212307Z#00#000#00
modifiersName: cn=admin,cn=config
modifyTimestamp: 20100414110801Z

adm...@x6:/etc/ldap$ sudo cat /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb/olcOverlay\=\{0\}dynlist.ldif
dn: olcOverlay={0}dynlist
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: {0}dynlist
olcDlAttrSet: {0}groupOfNames labeledURI member
structuralObjectClass: olcDynamicList
entryUUID: 4a9d0a38-d5b3-102e-8fe9-d7eabe4068a1
creatorsName: cn=admin,cn=config
createTimestamp: 20100406103123Z
entryCSN: 20100406103123.135808Z#00#000#00
modifiersName: cn=admin,cn=config
modifyTimestamp: 20100406103123Z

My ldap.conf is there in the first thread. Do you see any issues that I need to take care of? Anything you think I could be missing here?

Thanks
Shamika

On Mon, Jun 7, 2010 at 3:38 PM, Shamika Joshi <shamika.jo...@gmail.com> wrote:
> Thanks for the reply details, Adam. I shall try matching my config to this and get back to you.
> Thanks a ton
> Shamika
>
> On Sat, Jun 5, 2010 at 10:22 AM, Adam Hough <a...@gradientzero.com> wrote:
>> My guess is that your config on the server is not right. So it looks like you are using slapd.d, which is what I am using as well. (I need to upload some updated rpms I think to gradientzero as well.) I used this site to help me get my configuration working:
>> http://www.zytrax.com/books/ldap/ch6/slapd-config.html
>>
>> So my directory structure looks like this. NOTE: While you can edit these files through the filesystem, I highly recommend that you edit the files through ldap commands. I use Apache Directory Studio as my GUI type front end, use ldapvi when I just want to make changes to values already in the ldap server, and to make major changes I use ldapmodify.
>>
>> PWD=/etc/openldap/slapd.d
>> # ls -lR
>> .:
>> total 8
>> drwxr-x--- 5 ldap ldap 4096 May 26 16:48 cn=config
>> -rw--- 1 ldap ldap 1312 May 26 17:10 cn=config.ldif
>>
>> ./cn=config:
>> total 100
>> -rw--- 1 ldap ldap 575 Sep 1 2009 cn=module{0}.ldif
>> drwxr-x--- 2 ldap ldap 4096 Mar 4 12:42 cn=schema
Re: Restricting client access using pam_groupdn with dynamic groups : Was[Re: restrict host login based on group]
Shamika Joshi wrote:
> Hi Adam, sorry, because of workload it took me a while to revisit my configuration and verify the things you mentioned. As far as I could understand, things look quite in place. I have pasted my configurations, mapping exactly to yours. Could you kindly take a look at it for me please?
>
> PWD=/etc/openldap/slapd.d

This is not the way to list the contents of the config DB. cn=config is a slapd database; use slapcat or ldapsearch to dump its contents.

slapcat -n0

Use the documented tools. You cannot rely on the slapd internal file formats remaining in any particular shape or form.

> # ls -lR
> cn=config cn=config.ldif
>
> ./cn=config:
> ../ cn=schema/ olcDatabase={0}config/ olcDatabase={1}hdb/
> cn=module{0}.ldif cn=schema.ldif olcDatabase={-1}frontend.ldif
> olcDatabase={0}config.ldif olcDatabase={1}hdb.ldif
>
> /cn=config/cn=schema:
> adm...@x6:/etc/ldap$ sudo ls -ltr /etc/ldap/slapd.d/cn\=config/cn=schema
> total 60
> -rw-r- 1 openldap openldap 15474 2010-04-01 00:30 cn={0}core.ldif
> -rw--- 1 openldap openldap 11316 2010-04-01 00:30 cn={1}cosine.ldif
> -rw--- 1 openldap openldap 2810 2010-04-01 00:31 cn={2}inetorgperson.ldif
> -rw--- 1 openldap openldap 6446 2010-04-01 00:31 cn={3}nis.ldif
> -rw--- 1 openldap openldap 12510 2010-04-13 22:59 cn={4}samba.ldif
> -rw--- 1 openldap openldap 468 2010-04-15 04:07 cn={5}hostobj.ldi
>
> ./cn=config/olcDatabase={0}config
> === I probably messed this up while trying multimaster replication, but I didn't know how to delete these, so I left them there thinking they will not harm my dynlist config anyway. Please correct me if I'm wrong.
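Following Howard's advice to read cn=config through slapcat rather than from the slapd.d files, here is an added example (not code from the thread) that parses a `slapcat -n0` dump and checks for the three dynlist pieces the thread turns on: the loaded module, the overlay on the data database, and an olcDlAttrSet for groupOfNames/labeledURI/member. SAMPLE_DUMP is constructed from the entries Shamika posted.

```python
# Added example (not code from the thread): check a `slapcat -n0` dump for the dynlist
# pieces discussed above. SAMPLE_DUMP is constructed from Shamika's posted entries.
from collections import defaultdict

SAMPLE_DUMP = """\
dn: cn=module{0},cn=config
olcModuleLoad: {1}dynlist.la

dn: olcOverlay={0}dynlist,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcDlAttrSet: {0}groupOfNames labeledURI
  member
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}; unfolds continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # continuation of a folded line
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, dn, attrs = {}, None, None
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line:
            if dn is not None:
                entries[dn] = dict(attrs)
            dn, attrs = None, None
            continue
        key, _, value = line.partition(":")
        value = value.strip().lstrip(":").strip()   # "::" base64 left undecoded
        if key == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[key].append(value)
    return entries

def check_dynlist(dump):  # returns problems found; [] means module, overlay and attrset present
    entries, problems = parse_ldif(dump), []
    loaded = [v.split("}", 1)[-1] for e in entries.values() for v in e.get("olcModuleLoad", [])]
    if not any(m.startswith("dynlist") for m in loaded):
        problems.append("dynlist module not loaded (olcModuleLoad)")
    overlays = [e for e in entries.values() if "olcDynamicList" in e.get("objectClass", [])]
    if not overlays:
        problems.append("no dynlist overlay (olcDynamicList) under any olcDatabase")
    sets = [v.split("}", 1)[-1].split() for e in overlays for v in e.get("olcDlAttrSet", [])]
    if overlays and not any(s[:3] == ["groupOfNames", "labeledURI", "member"] for s in sets):
        problems.append("no olcDlAttrSet 'groupOfNames labeledURI member' on the dynlist overlay")
    return problems
```

For a live server, pipe the output of `slapcat -n0` into a file and call check_dynlist() on its contents.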
Re: Restricting client access using pam_groupdn with dynamic groups : Was[Re: restrict host login based on group]
My guess is that your config on the server is not right. So it looks like you are using slapd.d, which is what I am using as well. (I need to upload some updated rpms I think to gradientzero as well.) I used this site to help me get my configuration working:
http://www.zytrax.com/books/ldap/ch6/slapd-config.html

So my directory structure looks like this. NOTE: While you can edit these files through the filesystem, I highly recommend that you edit the files through ldap commands. I use Apache Directory Studio as my GUI type front end, use ldapvi when I just want to make changes to values already in the ldap server, and to make major changes I use ldapmodify.

PWD=/etc/openldap/slapd.d
# ls -lR
.:
total 8
drwxr-x--- 5 ldap ldap 4096 May 26 16:48 cn=config
-rw--- 1 ldap ldap 1312 May 26 17:10 cn=config.ldif

./cn=config:
total 100
-rw--- 1 ldap ldap 575 Sep 1 2009 cn=module{0}.ldif
drwxr-x--- 2 ldap ldap 4096 Mar 4 12:42 cn=schema
-rw--- 1 ldap ldap 61687 Sep 1 2009 cn=schema.ldif
drwxr-x--- 2 ldap ldap 4096 Sep 2 2009 olcDatabase={0}config
-rw--- 1 ldap ldap 2067 Nov 12 2009 olcDatabase={0}config.ldif
drwxr-x--- 2 ldap ldap 4096 Mar 4 11:36 olcDatabase={1}bdb
-rw--- 1 ldap ldap 4093 May 26 16:48 olcDatabase={1}bdb.ldif
-rw--- 1 ldap ldap 2041 May 21 13:31 olcDatabase={-1}frontend.ldif
-rw--- 1 ldap ldap 522 Sep 1 2009 olcDatabase={2}monitor.ldif

/cn=config/cn=schema:
...SCHEMAS in this directory deleted to make this shorter.

./cn=config/olcDatabase={0}config:
total 4
-rw--- 1 ldap ldap 385 Sep 1 2009 olcOverlay={0}syncprov.ldif

./cn=config/olcDatabase={1}bdb:
total 24
-rw--- 1 ldap ldap 385 Sep 1 2009 olcOverlay={0}syncprov.ldif
-rw--- 1 ldap ldap 474 Sep 2 2009 olcOverlay={1}ppolicy.ldif
-rw--- 1 ldap ldap 397 Sep 3 2009 olcOverlay={2}memberof.ldif
-rw--- 1 ldap ldap 494 Sep 2 2009 olcOverlay={3}refint.ldif
-rw--- 1 ldap ldap 425 Sep 9 2009 olcOverlay={4}dynlist.ldif
-rw--- 1 ldap ldap 530 Mar 4 11:36 olcOverlay={5}unique.ldif

Now for some listing of my ldifs that you think you are needing to see.

# cat cn\=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigDir: /etc/openldap/slapd.d
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
olcTLSVerifyClient: never
structuralObjectClass: olcGlobal
olcTLSCACertificateFile: /etc/pki/certmaster/ca.cert
entryUUID: e686e389-d0eb-4987-a240-fee46028c0a6
creatorsName: cn=config
createTimestamp: 20090901234827Z
olcTLSCRLCheck: none
olcTLSCertificateFile: /etc/openldap/cacerts/server.cert
olcTLSCertificateKeyFile: /etc/openldap/cacerts/key.pem
olcServerID: 2 ldaps://2
olcServerID: 1 ldaps://1
olcServerID: 3 ldaps://3
olcPidFile: /var/run/openldap/slapd.pid
olcToolThreads: 1
olcThreads: 16

# cat cn\=config/cn\=module\{0\}.ldif
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap
olcModuleLoad: {0}dynlist.la
olcModuleLoad: {1}pcache.la
olcModuleLoad: {2}ppolicy.la
olcModuleLoad: {3}refint.la
olcModuleLoad: {4}retcode.la
olcModuleLoad: {5}syncprov.la
olcModuleLoad: {6}unique.la
olcModuleLoad: {7}memberof.la
structuralObjectClass: olcModuleList

# cat cn\=config/olcDatabase\=\{1\}bdb/olcOverlay\=\{4\}dynlist.ldif
dn: olcOverlay={4}dynlist
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: {4}dynlist
structuralObjectClass: olcDynamicList

I think these should help you find where you have gone wrong with the slapd configuration.

So in my actual directory I have an ou=Systems,dc=domain,dc=ZZZ

cn=sysadmin,ou=Systems,dc=domain,dc=ZZZ
cn: sysadmin
objectClass: top
objectClass: groupOfNames
objectClass: labeledURIObject
member: uid=nobody,ou=People,dc=domain,dc=ZZZ
labeledURI: ldap:///ou=People,dc=domain,dc=ZZZ??one?(host=sysadmin)

The nobody user is a fake user that is in all my groups; the user cannot log in. The labeledURI says that if a user has host=sysadmin they should be in this group.

/etc/ldap.conf:
pam_groupdn cn=sysadmin,ou=Systems,dc=domain,dc=ZZZ
pam_member_attribute member

Also note that I hacked my schema to allow the host attribute in the PosixAccount users.

On Wed, Jun 2, 2010 at 7:06 AM, Shamika Joshi <shamika.jo...@gmail.com> wrote:
> Hi, I've followed Adam's post below on 'using pam_groupdn to use dynlist' to my query posted a couple of months back, and after revisiting this configuration I am facing an issue with doing ssh to the client machine with a dynamic member of the group. It works correctly for the static members of the same group. Could you figure out if I'm
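As an added example (not code from the thread or from OpenLDAP), here is a small Python model of what the dynlist overlay does with Adam's cn=sysadmin entry above, and what pam_ldap's pam_groupdn / pam_member_attribute check then sees. The ou=People entries are constructed; the host attribute on users follows Adam's schema hack, and the filter evaluator only handles the simple equality/presence filters such URLs usually carry.

```python
# Added example (not code from the thread): a model of what the dynlist overlay
# does with Adam's cn=sysadmin entry and what pam_ldap's pam_groupdn /
# pam_member_attribute check then sees. PEOPLE is constructed (host follows Adam's schema hack).
from urllib.parse import unquote

PEOPLE = {  # constructed user entries: dn -> attributes
    "uid=nobody,ou=People,dc=domain,dc=ZZZ": {"uid": ["nobody"]},
    "uid=alice,ou=People,dc=domain,dc=ZZZ": {"uid": ["alice"], "host": ["sysadmin"]},
    "uid=carol,ou=Contract,ou=People,dc=domain,dc=ZZZ": {"uid": ["carol"], "host": ["sysadmin"]},
}
SYSADMIN = {  # Adam's group entry as posted in the thread
    "objectClass": ["top", "groupOfNames", "labeledURIObject"],
    "member": ["uid=nobody,ou=People,dc=domain,dc=ZZZ"],
    "labeledURI": ["ldap:///ou=People,dc=domain,dc=ZZZ??one?(host=sysadmin)"],
}

def parse_ldap_url(url):
    """RFC 4516 URL -> (base, attrs, scope, filter); dynlist URLs are hostless."""
    assert url.startswith("ldap:///"), "expected a local ldap:/// URL: " + url
    parts = url[len("ldap:///"):].split("?") + [""] * 3   # pad missing parts
    base, attrs, scope, flt = (unquote(p) for p in parts[:4])
    return base, attrs, scope or "base", flt or "(objectClass=*)"

def in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    depth = dn[: -len(base) - 1].count(",") + 1   # RDNs below the base
    return depth == 1 if scope == "one" else True  # "one" vs "sub"

def matches(entry, flt):
    """Evaluate the simple equality/presence filter a dynlist URL usually carries."""
    attr, _, value = flt.strip("()").partition("=")
    if value == "*":
        return attr in entry
    return value.lower() in (v.lower() for v in entry.get(attr, []))

def expand_members(group, people):
    """The 'member' values a client reads once slapo-dynlist is active."""
    members = list(group.get("member", []))
    for url in group.get("labeledURI", []):
        base, _attrs, scope, flt = parse_ldap_url(url)
        members += [dn for dn, e in people.items()
                    if in_scope(dn, base, scope) and matches(e, flt) and dn not in members]
    return members

def pam_groupdn_allows(user_dn, group, people):  # pam_groupdn + pam_member_attribute member
    return user_dn.lower() in (m.lower() for m in expand_members(group, people))
```

Passing the group without its labeledURI expansion (as a client sees it when the overlay is not active) shows why a static member passes the pam_groupdn check while a dynamic one does not.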