[Resolved] Found a way of allowing pam_ldap users (with pam_groupdn or pam_check_host_attr restrictions) AND allowing local root authentication, without pam_unix.so taking precedence due to getpwent() returning LDAP users

From: Daniel Bond (dbdanielbond.org)
Date: Thu Sep 06 2007 - 08:58:12 CDT



Hi,

I've been trying to get LDAP SSH authentication to work for a while, and
I found a bug (http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/116150) in
pam_unix.so that breaks support for LDAP group/host restrictions done
the LDAP way.

I saw numerous emails about pam_groupdn LDAP restrictions on the
mailing lists dating back to 2001, but no resolution for how to get it
working, so this is a working fix until pam_unix.so and pam_ldap.so
play well together:

The recommended setup: UNIX and LDAP logins work, but
groupdn/check_host_attr restrictions don't:

account sufficient /usr/local/lib/pam_ldap.so
account required pam_login_access.so
account required pam_unix.so local_pass

If you want only LDAP users and no local root account, this works:

account sufficient /usr/local/lib/pam_ldap.so
account required pam_login_access.so
account required pam_deny.so

This is what I ended up with as a quick fix, until pam_unix.so is
playing right again:

# account
account sufficient /usr/local/lib/pam_ldap.so
account required pam_login_access.so
account required /usr/local/lib/pam_require.so root
account required pam_unix.so local_pass

This basically restricts local accounts to the root account, and honours
the LDAP PAM restrictions that a user should explicitly have access to the
machine. So one can still log in with the root account if the LDAP server(s)
for some reason aren't authenticating properly.

Hope this can be helpful to other users struggling with LDAP group/host
restrictions, so they don't have to spend as much time as I did debugging it.

Regards,

Daniel Bond,
NSN ASA.
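As an added illustration (not part of Daniel's post or of any PAM implementation), the following Python model replays the three account stacks above with simplified PAM control-flag semantics against constructed users. The pam_* functions, the USERS table and the assumption that /etc/login.access permits everyone are all mine; the point is to show why the recommended stack lets a groupdn-denied LDAP user through via pam_unix, and why the pam_require.so root line closes that gap while keeping local root.

```python
from typing import Callable, Dict, List, Tuple
# Constructed test users (not real accounts): present in LDAP?, admitted by
# pam_groupdn/pam_check_host_attr?, present in the local /etc/master.passwd?
USERS: Dict[str, Dict[str, bool]] = {
    "alice": {"ldap": True, "groupdn": True, "local": False},   # LDAP user allowed here
    "bob":   {"ldap": True, "groupdn": False, "local": False},  # LDAP user outside groupdn
    "root":  {"ldap": False, "groupdn": False, "local": True},  # local root only
    "carol": {"ldap": False, "groupdn": False, "local": True},  # ordinary local account
}

def pam_ldap(u, user):
    return u["ldap"] and u["groupdn"]   # enforces the LDAP-side restriction
def pam_login_access(u, user):
    return True                         # assumption: /etc/login.access permits everyone
def pam_require_root(u, user):
    return user == "root"               # models pam_require.so with argument "root"
def pam_unix(u, user):
    # The bug from the post: getpwent() also returns LDAP users via nsswitch,
    # so pam_unix reports success for them even after pam_ldap denied them.
    return u["ldap"] or u["local"]
def pam_deny(u, user):
    return False

Stack = List[Tuple[str, Callable]]
RECOMMENDED: Stack = [("sufficient", pam_ldap), ("required", pam_login_access),
                      ("required", pam_unix)]
LDAP_ONLY: Stack = [("sufficient", pam_ldap), ("required", pam_login_access),
                    ("required", pam_deny)]
QUICKFIX: Stack = [("sufficient", pam_ldap), ("required", pam_login_access),
                   ("required", pam_require_root), ("required", pam_unix)]

def run_stack(stack: Stack, user: str) -> bool:
    """Simplified control flags (no requisite/optional): a 'sufficient' success
    ends the stack with success unless an earlier 'required' module failed;
    a 'required' failure is remembered and the remaining modules still run."""
    u, failed = USERS[user], False
    for control, module in stack:
        ok = module(u, user)
        if control == "sufficient" and ok and not failed:
            return True
        if control == "required" and not ok:
            failed = True
    return not failed

if __name__ == "__main__":
    for name, stack in [("recommended", RECOMMENDED), ("ldap-only", LDAP_ONLY),
                        ("quickfix", QUICKFIX)]:
        print(name, {user: run_stack(stack, user) for user in USERS})
```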
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security