Back with more info regarding this problem. For those just joining the thread, I'm having trouble finding evidence that 'pam_groupdn' in /etc/ldap.conf is even being seen, much less enforced on my Fedora box. I've seen nothing in the logs that shows a search for the group at all. I've double checked that the group exists, etc., etc. I've been learning and testing openldap for about a year now, and this one has me stumped, partially because I'm not sure how to figure out how to tell definitively if the variable is being rejected, or not seen...

Here's my /etc/ldap.conf:

=====================================
host ldap.my.domain,ldap2.my.domain
base dc=my,dc=domain
pam_filter objectclass=posixAccount
pam_groupdn cn=techstaff,ou=Group,dc=my,dc=domain
pam_member_attribute memberuid
nss_base_passwd ou=People,dc=my,dc=domain?one
nss_base_shadow ou=People,dc=my,dc=domain?one
nss_base_group ou=Group,dc=my,dc=domain?one
nss_base_netgroup ou=Netgroup,dc=my,dc=domain?one
ssl start_tls
pam_password md5
=======================================

And here's my /etc/pam.d/system-auth (used by sshd, which is my primary testing application):

=======================================
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
====================================

rpm -qa | grep nss_ldap returns 'nss_ldap-207-3'
glibc is glibc-2.3.2-101

My /etc/nsswitch.conf file has been played with a bit to test 'compat' functionality, which is also not functioning how I'd like - but that's very secondary. For normal testing (like, now), it looks pretty standard:

passwd: files ldap
shadow: files ldap
group: files ldap

Finally, here are the ldap logs chronicling a successful login attempt by someone in the appropriate group (they're no different from someone logging in who is *not* in the appropriate group, btw).
===========================================================
Jan 7 10:36:29 ldap slapd[14646]: conn=201 fd=11 ACCEPT from IP=192.168.4.52:59061 (IP=0.0.0.0:389)
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=1 BIND dn="" method=128
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=1 RESULT tag=97 err=0 text=
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=3 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=4 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=5 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=5 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=6 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=6 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=7 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=7 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 7 10:36:29 ldap slapd[14646]: conn=201 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:29 ldap slapd[14646]: conn=202 fd=18 ACCEPT from IP=192.168.33.55:33841 (IP=0.0.0.0:389)
Jan 7 10:36:29 ldap slapd[14646]: conn=202 op=1 BIND dn="" method=128
Jan 7 10:36:29 ldap slapd[14646]: conn=202 op=1 RESULT tag=97 err=0 text=
Jan 7 10:36:29 ldap slapd[14646]: conn=202 op=2 SRCH base="ou=Netgroup,dc=my,dc=domain" scope=1 filter="(&(objectClass=nisNetgroup)(cn=trusted_root))"
Jan 7 10:36:29 ldap slapd[14646]: conn=202 op=2 SRCH attr=cn nisNetgroupTriple memberNisNetgroup
Jan 7 10:36:29 ldap slapd[14646]: conn=202 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:29 ldap slapd[14646]: conn=202 op=3 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uid=jonesy))"
Jan 7 10:36:29 ldap slapd[14646]: conn=202 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 7 10:36:29 ldap slapd[14646]: conn=202 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:29 ldap slapd[14646]: conn=202 fd=18 closed
Jan 7 10:36:29 ldap slapd[14646]: conn=203 fd=18 ACCEPT from IP=192.168.33.55:33843 (IP=0.0.0.0:389)
Jan 7 10:36:29 ldap slapd[14646]: conn=203 op=1 BIND dn="" method=128
Jan 7 10:36:29 ldap slapd[14646]: conn=203 op=1 RESULT tag=97 err=0 text=
Jan 7 10:36:29 ldap slapd[14646]: conn=203 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uid=jonesy))"
Jan 7 10:36:29 ldap slapd[14646]: conn=203 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 7 10:36:29 ldap slapd[14646]: conn=203 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:29 ldap slapd[14646]: conn=203 op=3 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=shadowAccount)(uid=jonesy))"
Jan 7 10:36:29 ldap slapd[14646]: conn=203 op=3 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire
Jan 7 10:36:29 ldap slapd[14646]: conn=203 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
===============================================

This is where I enter the password and press 'enter', and then the following occurs.

===============================================
Jan 7 10:36:44 ldap slapd[14646]: conn=203 op=4 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uid=jonesy))"
Jan 7 10:36:44 ldap slapd[14646]: conn=203 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 7 10:36:44 ldap slapd[14646]: conn=203 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=203 op=5 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=shadowAccount)(uid=jonesy))"
Jan 7 10:36:44 ldap slapd[14646]: conn=203 op=5 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire
Jan 7 10:36:44 ldap slapd[14646]: conn=203 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=204 fd=19 ACCEPT from IP=192.168.33.55:33844 (IP=0.0.0.0:389)
Jan 7 10:36:44 ldap slapd[14646]: conn=204 op=1 BIND dn="" method=128
Jan 7 10:36:44 ldap slapd[14646]: conn=204 op=1 RESULT tag=97 err=0 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=204 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uid=jonesy))"
Jan 7 10:36:44 ldap slapd[14646]: conn=204 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=204 op=3 BIND dn="cn=jonesy,ou=People,dc=my,dc=domain" method=128
Jan 7 10:36:44 ldap slapd[14646]: conn=204 op=3 BIND dn="cn=jonesy,ou=People,dc=my,dc=domain" mech=simple ssf=0
Jan 7 10:36:44 ldap slapd[14646]: conn=204 op=3 RESULT tag=97 err=0 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=204 op=4 BIND anonymous mech=implicit ssf=0
Jan 7 10:36:44 ldap slapd[14646]: conn=204 op=4 BIND dn="" method=128
Jan 7 10:36:44 ldap slapd[14646]: conn=204 op=4 RESULT tag=97 err=0 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=203 fd=18 closed
Jan 7 10:36:44 ldap slapd[14646]: conn=204 fd=19 closed
Jan 7 10:36:44 ldap slapd[14646]: conn=205 fd=18 ACCEPT from IP=192.168.33.55:33846 (IP=0.0.0.0:389)
Jan 7 10:36:44 ldap slapd[14646]: conn=205 op=1 BIND dn="" method=128
Jan 7 10:36:44 ldap slapd[14646]: conn=205 op=1 RESULT tag=97 err=0 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=205 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uid=jonesy))"
Jan 7 10:36:44 ldap slapd[14646]: conn=205 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 7 10:36:44 ldap slapd[14646]: conn=205 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=205 op=3 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=shadowAccount)(uid=jonesy))"
Jan 7 10:36:44 ldap slapd[14646]: conn=205 op=3 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire
Jan 7 10:36:44 ldap slapd[14646]: conn=205 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=205 fd=18 closed
Jan 7 10:36:44 ldap slapd[14646]: conn=206 fd=18 ACCEPT from IP=192.168.33.55:33847 (IP=0.0.0.0:389)
Jan 7 10:36:44 ldap slapd[14646]: conn=206 op=1 BIND dn="" method=128
Jan 7 10:36:44 ldap slapd[14646]: conn=206 op=1 RESULT tag=97 err=0 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=206 op=2 SRCH base="dc=my,dc=domain" scope=2 filter="(uid=jonesy)"
Jan 7 10:36:44 ldap slapd[14646]: conn=206 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=206 op=3 SRCH base="ou=Group,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixGroup)(|(memberUid=jonesy)(uniqueMember=cn=jonesy,ou=people,dc=my,dc=domain)))"
Jan 7 10:36:44 ldap slapd[14646]: conn=206 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Jan 7 10:36:44 ldap slapd[14646]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
Jan 7 10:36:44 ldap slapd[14646]: conn=206 op=3 SEARCH RESULT tag=101 err=0 nentries=7 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=206 op=4 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uid=jonesy))"
Jan 7 10:36:44 ldap slapd[14646]: conn=206 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 7 10:36:44 ldap slapd[14646]: conn=206 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=206 op=5 UNBIND
Jan 7 10:36:44 ldap slapd[14646]: conn=206 fd=18 closed
Jan 7 10:36:44 ldap slapd[14646]: conn=207 fd=18 ACCEPT from IP=192.168.33.55:33848 (IP=0.0.0.0:389)
Jan 7 10:36:44 ldap slapd[14646]: conn=207 op=1 BIND dn="" method=128
Jan 7 10:36:44 ldap slapd[14646]: conn=207 op=1 RESULT tag=97 err=0 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=207 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan 7 10:36:44 ldap slapd[14646]: conn=207 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 7 10:36:44 ldap slapd[14646]: conn=207 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=208 fd=19 ACCEPT from IP=192.168.33.55:33850 (IP=0.0.0.0:389)
Jan 7 10:36:44 ldap slapd[14646]: conn=208 op=1 BIND dn="" method=128
Jan 7 10:36:44 ldap slapd[14646]: conn=208 op=1 RESULT tag=97 err=0 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=208 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uid=jonesy))"
Jan 7 10:36:44 ldap slapd[14646]: conn=208 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 7 10:36:44 ldap slapd[14646]: conn=208 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=209 fd=20 ACCEPT from IP=192.168.33.55:33851 (IP=0.0.0.0:389)
Jan 7 10:36:44 ldap slapd[14646]: conn=209 op=1 BIND dn="" method=128
Jan 7 10:36:44 ldap slapd[14646]: conn=209 op=1 RESULT tag=97 err=0 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=209 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan 7 10:36:44 ldap slapd[14646]: conn=209 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 7 10:36:44 ldap slapd[14646]: conn=209 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=210 fd=21 ACCEPT from IP=192.168.33.55:33852 (IP=0.0.0.0:389)
Jan 7 10:36:44 ldap slapd[14646]: conn=210 op=1 BIND dn="" method=128
Jan 7 10:36:44 ldap slapd[14646]: conn=210 op=1 RESULT tag=97 err=0 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=210 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan 7 10:36:44 ldap slapd[14646]: conn=210 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 7 10:36:44 ldap slapd[14646]: conn=210 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=210 fd=21 closed
Jan 7 10:36:44 ldap slapd[14646]: conn=211 fd=21 ACCEPT from IP=192.168.33.55:33853 (IP=0.0.0.0:389)
Jan 7 10:36:44 ldap slapd[14646]: conn=211 op=1 BIND dn="" method=128
Jan 7 10:36:44 ldap slapd[14646]: conn=211 op=1 RESULT tag=97 err=0 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=211 op=2 SRCH base="ou=People,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Jan 7 10:36:44 ldap slapd[14646]: conn=211 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 7 10:36:44 ldap slapd[14646]: conn=211 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=211 fd=21 closed
====================================================

As you can see, there's nothing here that looks like it's searching for the group referenced in the ldap.conf file at all. Any clues?

brian.

On Tue, 2004-01-06 at 15:30, Bevan C. Bennett wrote:
> Brian Jones wrote:
> > Thanks a lot for the prompt reply. This is, essentially, what I'm trying to do. However, I'd rather do all the configuration in one place if I can.
>
> I think the main reason I ended up doing it with pam_access was for a server where I need users to be able to authenticate (through pam_ldap) to other services, but didn't want them logging in directly through ssh.
>
> IIRC, pam_groupdn will restrict access for all services that reference pam_ldap.
>
> > My first choice is to do it using pam_groupdn, because then it's only one file that gets altered (/etc/ldap.conf). I don't really see a reason for it not to work, unless an RPM was goofed up or my config is wrong, which is hard to do being that it's ONE key/value pair.
>
> If I understand correctly, you haven't changed the LDAP server any, and this works on a RH9 box with the same ldap.conf file? Do the pam_ldap entries differ substantially between the two boxes in the relevant /etc/pam.d/* files (probably system-auth)?
>
> > My second option is to use 'compat' mode and reference a netgroup (stored in LDAP) in my passwd/shadow files. This doesn't seem to be as straightforward as I thought it might be. I can see the searches going by for the netgroup, but the filter isn't being 'OR'd with a uid of any kind.
>
> That sounds nasty and kludgy.
>
> > Your idea is already on the list of stuff that I *can* do if I'm cornered, but this workaround doesn't address why the initial problem occurs. Option one was easy in RH 9, option 2 works in RH ES/AS/WS, option 3 will probably work, but this is horribly inconsistent and gives the appearance of flakiness. I was hoping not to have to tear open source rpms and code, but...
>
> Very true, but it's always good to have options. Why do you say that using pam_access gives the appearance of flakiness? I've found it to be robust on servers running RH7.3 through FC1.
>
> Let's see if we can narrow down your pam_groupdn problems better. Discussing whether or not pam_groupdn is the best solution to your particular environment is a rather different (although potentially interesting) discussion that we can leave for later.
>
> -Bevan Bennett
>
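Added example, not from the post or from pam_ldap/nss_ldap: a small Python checker that tells the two kinds of group traffic apart. pam_ldap evaluates pam_groupdn with an LDAP compare against the group entry, which slapd logs as a `CMP dn="..." attr="..."` line, whereas the only ou=Group search in the log above (conn=206 op=3, a posixGroup filter on memberUid) is nss_ldap's group-membership lookup and proves nothing about pam_groupdn. The ldap.conf excerpt and the log sample are constructed from the post's own values; the conn=212 CMP line is hypothetical and shows what an enforced check would look like.

```python
import re

# Constructed excerpt of the poster's /etc/ldap.conf (values as in the post).
LDAP_CONF = """\
pam_groupdn cn=techstaff,ou=Group,dc=my,dc=domain
pam_member_attribute memberuid
"""

# Constructed sample: three lines from the posted slapd log plus one hypothetical
# line (conn=212) showing how slapd logs the compare pam_ldap issues for pam_groupdn.
SLAPD_LOG = """\
Jan 7 10:36:44 ldap slapd[14646]: conn=206 op=2 SRCH base="dc=my,dc=domain" scope=2 filter="(uid=jonesy)"
Jan 7 10:36:44 ldap slapd[14646]: conn=206 op=3 SRCH base="ou=Group,dc=my,dc=domain" scope=1 filter="(&(objectClass=posixGroup)(|(memberUid=jonesy)(uniqueMember=cn=jonesy,ou=people,dc=my,dc=domain)))"
Jan 7 10:36:44 ldap slapd[14646]: conn=206 op=3 SEARCH RESULT tag=101 err=0 nentries=7 text=
Jan 7 10:36:44 ldap slapd[14646]: conn=212 op=2 CMP dn="cn=techstaff,ou=Group,dc=my,dc=domain" attr="memberUid"
"""

# Target DN of a search (base=) or a compare (dn=).
OP_RE = re.compile(r'conn=(\d+) op=(\d+) (SRCH|CMP) (?:base|dn)="([^"]*)"')

def norm_dn(dn):
    """Normalise a DN for comparison: lower-case, no blanks around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def read_conf(text):
    """Parse ldap.conf-style 'key value' lines into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def group_ops(log_text, groupdn):
    """Return (conn, op, kind) for every operation aimed at the pam_groupdn entry.
    A SRCH whose base is only the parent OU (nss_ldap's initgroups lookup) is
    deliberately not counted: pam_groupdn is checked against the group itself."""
    want = norm_dn(groupdn)
    hits = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if m and norm_dn(m.group(4)) == want:
            hits.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return hits

def groupdn_enforced(log_text, conf_text):
    """True when the log contains a CMP against pam_groupdn."""
    groupdn = read_conf(conf_text)["pam_groupdn"]
    return any(kind == "CMP" for _, _, kind in group_ops(log_text, groupdn))

if __name__ == "__main__":
    real_only = "\n".join(SLAPD_LOG.splitlines()[:3])  # the poster's traffic only
    print(group_ops(SLAPD_LOG, read_conf(LDAP_CONF)["pam_groupdn"]))  # [(212, 2, 'CMP')]
    print(groupdn_enforced(real_only, LDAP_CONF))  # False
```

Run over the complete slapd log from the post, `group_ops` returns an empty list, which is the definitive answer the question above asks for: no operation ever touched the group entry, so pam_groupdn was never evaluated.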