Re: ldap.conf: 'pam_groupdn' being completely ignored?

Brian Jones wrote:
> Thanks a lot for the prompt reply. This is, essentially, what I'm trying to do. However, I'd rather do all the configuration in one place if I can.
>
> I think the main reason I ended up doing it with pam_access was for a server where I need users to be able to authenticate (through pam_ldap) to other services, but didn't want them logging in directly through ssh.

IIRC, pam_groupdn will restrict access for all services that reference pam_ldap.

> My first choice is to do it using pam_groupdn, because then it's only one file that gets altered (/etc/ldap.conf). I don't really see a reason for it not to work, unless an RPM was goofed up or my config is wrong, which is hard to do being that it's ONE key/value pair.

If I understand correctly, you haven't changed the LDAP server any, and this works on a RH9 box with the same ldap.conf file? Do the pam_ldap entries differ substantially between the two boxes in the relevant /etc/pam.d/* files (probably system-auth)?

> My second option is to use 'compat' mode and reference a netgroup (stored in LDAP) in my passwd/shadow files. This doesn't seem to be as straightforward as I thought it might be. I can see the searches going by for the netgroup, but the filter isn't being 'OR'd with a uid of any kind.

That sounds nasty and kludgy.

> Your idea is already on the list of stuff that I *can* do if I'm cornered, but this workaround doesn't address why the initial problem occurs. Option one was easy in RH 9, option 2 works in RH ES/AS/WS, option 3 will probably work, but this is horribly inconsistent and gives the appearance of flakiness. I was hoping not to have to tear open source rpms and code, but...

Very true, but it's always good to have options. Why do you say that using pam_access gives the appearance of flakiness? I've found it to be robust on servers running RH7.3 through FC1.

Let's see if we can narrow down your pam_groupdn problems better. Discussing whether or not pam_groupdn is the best solution to your particular environment is a rather different (although potentially interesting) discussion that we can leave for later.

-Bevan Bennett
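Added example (not part of the thread) of the /etc/ldap.conf settings that the pam_groupdn approach discussed above depends on; the host, base and group DN are assumed values, and the group is assumed to be a groupOfUniqueNames:

```ini
# /etc/ldap.conf for PADL pam_ldap/nss_ldap (assumed example values)
host ldap.example.com
base dc=example,dc=com

# Only members of this group pass pam_ldap's account check;
# every service whose PAM stack calls pam_ldap.so is affected.
pam_groupdn cn=sshusers,ou=Groups,dc=example,dc=com

# The attribute pam_ldap looks the user's DN up in.
# Default is "member"; a groupOfUniqueNames group stores uniqueMember,
# so with the default the group appears empty and nobody is restricted.
pam_member_attribute uniqueMember
```

pam_ldap enforces pam_groupdn in its account-management step, so the stack in /etc/pam.d/system-auth (or the per-service file) must reference pam_ldap.so in the account phase, which is why comparing those files between the two boxes is a useful first check.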