ganiman n00b
Joined: 11 Nov 2003 Posts: 28
Posted: Sun Feb 15, 2009 4:47 pm Post subject: [SOLVED] pam_groupdn not working
I have openldap authentication running on 30+ servers. I am now trying to restrict who can log into which server based on groups in openldap. I put a pam_groupdn entry in my ldap.conf. If a user is in the group, they can log in fine. If a user is not in the group, they get:
Code:
```
You must be a memberUid of cn=myserver,ou=hosts,dc=domain,dc=com to login.
Last login: Sun Feb 15 11:12:16 2009 from xxx.xxx.xxx.xxx
ganiman@myserver ~ $
```
It gives the user a message saying they must be a member of the group to log in, but then it still allows the user to log in. This is not the behavior I would expect to see, especially when it gives the message that you must be a member of the group to log in. I'm thinking the problem lies somewhere in something in /etc/pam.d, but I cannot figure what it is.
In ldap.conf I have:
Code:
```
pam_groupdn cn=myserver,ou=hosts,dc=domain,dc=com
```
pam.d/system-auth looks like:
Code:
```
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account sufficient pam_ldap.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password sufficient pam_ldap.so use_authtok use_first_pass
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel/
```
_________________ Ganiman
Last edited by ganiman on Sun Mar 01, 2009 3:33 am; edited 1 time in total
pianosaurus l33t
Joined: 19 Apr 2004 Posts: 944 Location: Bash$
Posted: Mon Feb 16, 2009 1:44 pm Post subject:
ganiman wrote:
```
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
```
If I understand PAM correctly (and I believe I do), this is how the above would work:
1: pam_env.so succeeds. It always does.
2: Try pam_unix.so. Since it is 'sufficient', success in this stage means login is successful, regardless of later modules.
3: Try pam_ldap.so, since pam_unix.so failed. Both are sufficient, so pam_ldap.so can 'correct' pam_unix's failure. If it succeeds, the login succeeds (like step 2).
4: pam_deny.so fails. It always does.
Note that all modules are run regardless of their output (so users cannot tell which module failed). It is only what module outputs are used that changes. This explains the message you get.
pam_ldap.so prints a message because it failed, but since pam_unix.so already succeeded, its output isn't used.
So the question becomes: How do you want this to work, exactly? Do you want local login to be possible at all?
_________________ PKA Cuber
Please add [SOLVED] to the subject of your original post when you feel that your problem is resolved.
Adopt an unanswered post
ganiman n00b
Joined: 11 Nov 2003 Posts: 28
Posted: Mon Feb 16, 2009 2:13 pm Post subject:
Cuber wrote:
> So the question becomes: How do you want this to work, exactly? Do you want local login to be possible at all?
I want local login to work, just in case communication is lost with the ldap server for some reason. The servers I maintain are spread all over the country, and physical access to machines is not a luxury I have, so I need to make sure there is some kind of backup way to log in.
pianosaurus l33t
Joined: 19 Apr 2004 Posts: 944 Location: Bash$
Posted: Mon Feb 16, 2009 2:34 pm Post subject:
Hm. So you need to know HOW pam_ldap.so failed, then. Don't allow login if LDAP authentication failed, but allow local login if connection is lost? I don't know if that is possible in PAM. And if it is, it would also allow local login to anyone who can pull out the network cable.
ganiman n00b
Joined: 11 Nov 2003 Posts: 28
Posted: Mon Feb 16, 2009 3:15 pm Post subject:
Well, I would always allow local login, even if the ldap server is reachable, so I'm not too worried about someone attempting a local login if they unplug the box. At that point, whoever had physical access could pop in a live CD and get access to the box anyway... that type of security is another issue altogether and isn't solvable by software.
So, how can I adjust the pam module settings to allow for both local login (pam_unix) and ldap login (pam_ldap)? If I try to log in with an ldap account, pam_unix should fail, and pam_ldap should check group membership and then fail or not fail depending on the results of that search. This should be possible, and not hard, I'm just not as good with pam modules as I wish I were.
ganiman n00b
Joined: 11 Nov 2003 Posts: 28
Posted: Thu Feb 19, 2009 9:25 pm Post subject:
Still not having any luck with this. I have tried various pam configurations with no success. The best I can do is either lock everyone out of a host, or display the message stating you must belong to a group which still allows you to log in.
pianosaurus l33t
Joined: 19 Apr 2004 Posts: 944 Location: Bash$
Posted: Thu Feb 19, 2009 11:00 pm Post subject:
I've been reading a bit about the LDAP module. Could you try this:
Code:
```
auth required pam_env.so
auth required pam_ldap.so try_first_pass ignore_authinfo_unavail
auth sufficient pam_unix.so use_first_pass likeauth nullok
auth required pam_deny.so
```
This is how it works (but test it out thoroughly):
If LDAP connection is successful, the user's password is tested against both LDAP and local. Both must succeed for login to be successful.
If LDAP connection is not successful, it is ignored, and only local login is required.
ganiman n00b
Joined: 11 Nov 2003 Posts: 28
Posted: Fri Feb 20, 2009 2:47 pm Post subject:
Thanks for the suggestion, but it did not work.
No one can log in with this set up. I don't get any error message from pam_ldap.so when the user is not in the group, and if you are in the group you still cannot log in. Logs only show: "error: PAM: Authentication failure for username"
pianosaurus l33t
Joined: 19 Apr 2004 Posts: 944 Location: Bash$
Posted: Fri Feb 20, 2009 10:25 pm Post subject:
Hmm. That doesn't make any sense. Did anything else change from your first post? Also, I swapped the order of ldap and unix in my last post, and note the difference between try_first_pass and use_first_pass.
Maybe you could try with only ldap set to sufficient (no unix), just to see that ldap authentication still works.
ganiman n00b
Joined: 11 Nov 2003 Posts: 28
Posted: Wed Feb 25, 2009 4:16 pm Post subject:
If I remove pam_unix.so and set pam_ldap.so to sufficient, I get the same behavior. The ldap accounts work, but they still work even if they are not part of the group. I still get the message "You must be a uniquemember of cn=myhost,ou=hosts,dc=mydomain,dc=com to login" even though it allows the user account to log in.
I would like to see the system-auth of someone who has this working, even from another distro would be helpful.
ganiman n00b
Joined: 11 Nov 2003 Posts: 28
Posted: Wed Feb 25, 2009 4:39 pm Post subject:
I made a little more progress. It seems that it is pam's account section that needs to be fixed, not the auth section.
The following is what I had, which gave the error message but still allowed non group members to log in:
Code:
```
account sufficient pam_ldap.so
account sufficient pam_unix.so
```
The following is what I've changed it to, removing the pam_unix line, which allows group members and denies non group members:
Code:
```
account required pam_ldap.so
```
Now, in the second example, I can no longer log in with local accounts either. It seems I've made it work a little too well, and now I need to find the middle ground.
pianosaurus l33t
Joined: 19 Apr 2004 Posts: 944 Location: Bash$
Posted: Wed Feb 25, 2009 11:25 pm Post subject:
Aha. The account section specifies which accounts are allowed on the system, but does no authentication. Try this in the account section:
Code:
```
account required pam_ldap.so ignore_authinfo_unavail
account required pam_unix.so
```
If all accounts exist locally with the correct password, you don't even need the pam_ldap in the auth. LDAP will only be used to check login permission, and only local password checking will be performed.
Edit: Changed one sufficient to required.
ganiman n00b
Joined: 11 Nov 2003 Posts: 28
Posted: Thu Feb 26, 2009 3:39 am Post subject:
Code:
```
account required pam_ldap.so ignore_authinfo_unavail
account required pam_unix.so
```
Those settings allow me to log in with an ldap account in the proper group just fine. However, when I try a local account I get:
Quote:
> User not known to the underlying authentication module.
pianosaurus l33t
Joined: 19 Apr 2004 Posts: 944 Location: Bash$
Posted: Thu Feb 26, 2009 5:28 pm Post subject:
It seems I'm still learning new things about your requirements. I thought the whole idea was to refuse local login when LDAP was available.
Do the LDAP and local users overlap at all? Are all LDAP users also local? You could tell LDAP to ignore users that don't exist, but I don't know if that is what you want:
Code:
```
account required pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
```
ganiman n00b
Joined: 11 Nov 2003 Posts: 28
Posted: Sun Mar 01, 2009 3:33 am Post subject:
Looks like that worked, thanks! I am now able to log in with a local account or an ldap account which is a member of a specific group. This is exactly the behavior I was looking for.
Here is my system-auth:
Code:
```
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password sufficient pam_ldap.so use_authtok use_first_pass
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel/
```
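Editor's added example (not code from the thread, from pam_ldap or from Linux-PAM): a small evaluator for the control flags described in pam.conf(5), run over the four account stacks that appear above (ganiman's original `sufficient` stack, the `required pam_ldap.so` only stack, pianosaurus's `ignore_authinfo_unavail` stack, and the final one with `ignore_unknown_user`). It shows why a failing `sufficient` module does not deny anything, why `required` alone locks out local users, and what the two `ignore_*` options change. The users, the group, and the assumption that pam_unix resolves LDAP users through nss_ldap while the directory is reachable are constructed for the example.

```python
"""
Linux-PAM control-flag evaluator for the 'account' stacks discussed in this
thread.  Added example; the users, groups and module outcomes are constructed.
"""
from enum import Enum, auto


class R(Enum):
    """Subset of PAM return codes needed to model the thread's stacks."""
    SUCCESS = auto()
    PERM_DENIED = auto()       # pam_ldap: user is not a member of pam_groupdn
    USER_UNKNOWN = auto()      # pam_ldap: no entry for the user in LDAP
    AUTHINFO_UNAVAIL = auto()  # pam_ldap: directory server unreachable
    IGNORE = auto()            # module asks to be skipped (option mapping)


# Constructed directory/passwd data (assumption, not from the thread).
LDAP_USERS = {"alice", "bob"}
SERVER_GROUP = {"alice"}          # memberUid of cn=myserver,ou=hosts,...
LOCAL_USERS = {"root", "ops"}


def pam_ldap_account(user, opts, ldap_up):
    """Model pam_ldap's account phase with pam_groupdn set in ldap.conf."""
    if not ldap_up:
        r = R.AUTHINFO_UNAVAIL
    elif user not in LDAP_USERS:
        r = R.USER_UNKNOWN
    elif user in SERVER_GROUP:
        r = R.SUCCESS
    else:
        r = R.PERM_DENIED          # "You must be a memberUid of ... to login."
    # The two ignore_* options map specific failures to PAM_IGNORE.
    if r is R.USER_UNKNOWN and "ignore_unknown_user" in opts:
        r = R.IGNORE
    if r is R.AUTHINFO_UNAVAIL and "ignore_authinfo_unavail" in opts:
        r = R.IGNORE
    return r


def pam_unix_account(user, opts, ldap_up):
    """Model pam_unix's account phase: the account must resolve through NSS.

    Assumption: nss_ldap is configured, so LDAP users resolve while the
    directory is reachable.  pam_unix does no group check of its own.
    """
    if user in LOCAL_USERS or (user in LDAP_USERS and ldap_up):
        return R.SUCCESS
    return R.USER_UNKNOWN


MODULES = {"pam_ldap.so": pam_ldap_account, "pam_unix.so": pam_unix_account}


def parse_stack(text):
    """Parse 'account <control> <module> [options...]' lines."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        stack_type, control, module, *opts = parts
        if stack_type != "account":
            raise ValueError("only account stacks are modelled here")
        stack.append((control, module, set(opts)))
    return stack


def evaluate(stack, user, ldap_up=True):
    """Apply pam.conf(5) control semantics; return (allowed, trace)."""
    first_failure = None
    saw_success = False
    trace = []
    for control, module, opts in stack:
        r = MODULES[module](user, opts, ldap_up)
        trace.append(f"{control:10} {module:12} -> {r.name}")
        if r is R.IGNORE:
            continue                      # as if the line were not there
        ok = r is R.SUCCESS
        if control == "required":
            if ok:
                saw_success = True
            elif first_failure is None:
                first_failure = r         # remembered, but the stack continues
        elif control == "requisite":
            if not ok:
                return False, trace       # fails immediately
            saw_success = True
        elif control == "sufficient":
            if ok and first_failure is None:
                return True, trace        # short-circuits the stack
            # a failing 'sufficient' module is simply ignored
        elif control == "optional":
            saw_success = saw_success or ok
        else:
            raise ValueError(f"unknown control flag {control!r}")
    # No definitive result at all (everything ignored) counts as a failure.
    return first_failure is None and saw_success, trace


def login_allowed(stack_text, user, ldap_up=True):
    return evaluate(parse_stack(stack_text), user, ldap_up)[0]


# The account stacks that appear in the thread, in the order they were tried.
ORIGINAL = "account sufficient pam_ldap.so\naccount required pam_unix.so"
LDAP_ONLY = "account required pam_ldap.so"
INTERMEDIATE = ("account required pam_ldap.so ignore_authinfo_unavail\n"
                "account required pam_unix.so")
SOLVED = ("account required pam_ldap.so ignore_authinfo_unavail "
          "ignore_unknown_user\naccount required pam_unix.so")

if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL), ("ldap only", LDAP_ONLY),
                        ("intermediate", INTERMEDIATE), ("solved", SOLVED)):
        for user in ("alice", "bob", "ops"):
            allowed, trace = evaluate(parse_stack(stack), user)
            print(f"{name:12} {user:6} -> {'allow' if allowed else 'deny'}")
            for step in trace:
                print("    ", step)
```

Running it reproduces the thread: with the original stack, bob (an LDAP user outside the group) is let in because pam_ldap's `sufficient` denial is discarded and the `required` pam_unix line succeeds; `required pam_ldap.so` alone denies bob but also denies the local user ops with USER_UNKNOWN, which is the "User not known to the underlying authentication module" case; only `ignore_unknown_user` turns that into PAM_IGNORE so the local account passes. One caveat worth keeping in mind with `ignore_authinfo_unavail`: when the directory is down the group check is skipped entirely, so whether an LDAP user still gets in is decided solely by whether pam_unix can resolve the account (in this model it cannot, but an NSS cache would change that).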