Limiting users to login to specific hosts only

Hello.

I'm trying to set up an OpenLDAP 2.3.31 server, which will be used to store authentication details for Unix users. As of right now, the only client machine is a Gentoo Linux system, which uses nss_ldap-254 and pam_ldap-183. The OpenLDAP server is a Solaris 10 machine. To get things to work, I tried to follow the guide on <http://linsec.ca/bin/view/Main/OpenLDAPAuth#Host-based_Authentication>. As I don't want any user to be able to log on everywhere, I'm trying to set up what's called "Host-based Authentication" on that webpage. It says to add the following to /etc/ldap.conf:

    pam_check_host_attr yes
    pam_filter |(host=this.host.com)(host=*)

I replaced "this.host.com" with some non-existent name to see what happens. To my surprise, I was able to login using "su". So I changed the pam_filter line to:

    pam_filter (host=this.does.not.exist)

I was still able to login using su. I guess I'm not understanding something correctly here. man pam_ldap has:

    pam_filter <filter>
        Specifies a filter to use when retrieving user information. The user entry must match the attribute value assertion of (pam_login_attribute=login_name) as well as any filter specified here. There is no default for this option.

So, if I understand this correctly, a login should only be possible if the user object in the LDAP server has an attribute "host" with the value set to "this.does.not.exist". Or does this mean something else? If it doesn't, then why does this not work for me?

I also don't understand why login works in the first place... In my ldap.conf, I've enabled "pam_check_host_attr". The man page has this to say:

    pam_check_host_attr <yes|no>
        Specifies whether the "host" attribute should be checked for logon authorization ("account" in the PAM stack). The default is not to. If set to "yes" and a user has no value for the "host" attribute, then the user will be unable to login.

This user does NOT have a host attribute. Why is he able to login?

    askwar@winnb000488 ~ $ grep -v ^\# < /etc/ldap.conf | grep -v ^\$
    host 10.0.1.26
    base ou=Prj,o=Cmp
    rootbinddn cn=Admin,ou=Prj,o=Cmp
    scope one
    pam_filter host=this.host.com
    pam_login_attribute uid
    pam_check_host_attr yes
    pam_member_attribute gid
    nss_base_passwd ou=People,ou=Prj,o=Cmp?one
    nss_base_shadow ou=People,ou=Prj,o=Cmp?one
    nss_base_group ou=Group,ou=Prj,o=Cmp?one
    nss_base_hosts ou=Hosts,ou=Prj,o=Cmp?one
    nss_base_services ou=Services,ou=Prj,o=Cmp?one
    nss_base_networks ou=Networks,ou=Prj,o=Cmp?one
    nss_base_protocols ou=Protocols,ou=Prj,o=Cmp?one
    nss_base_rpc ou=Rpc,ou=Prj,o=Cmp?one
    nss_base_ethers ou=Ethers,ou=Prj,o=Cmp?one
    nss_base_netmasks ou=Networks,ou=Prj,o=Cmp?one
    nss_base_bootparams ou=Ethers,ou=Prj,o=Cmp?one
    nss_base_aliases ou=Aliases,ou=Prj,o=Cmp?one
    nss_base_netgroup ou=Netgroup,ou=Prj,o=Cmp?one
    nss_reconnect_tries 4 # number of times to double the sleep time
    nss_reconnect_sleeptime 1 # initial sleep value
    nss_reconnect_maxsleeptime 16 # max sleep value to cap at
    nss_reconnect_maxconntries 2 # how many tries before sleeping
    pam_password md5

    askwar@winnb000488 ~ $ grep -v ^\# < /etc/pam.d/su | grep -v ^\$
    auth sufficient pam_rootok.so
    auth required pam_wheel.so use_uid
    auth include system-auth
    account include system-auth
    password include system-auth
    session include system-auth
    session required pam_env.so
    session optional pam_xauth.so

    askwar@winnb000488 ~ $ grep -v ^\# < /etc/pam.d/system-auth | grep -v ^\$
    auth required pam_env.so
    auth sufficient pam_unix.so try_first_pass likeauth nullok
    auth sufficient pam_ldap.so use_first_pass
    auth required pam_deny.so
    account required pam_unix.so
    account sufficient pam_ldap.so
    password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
    password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
    password sufficient pam_ldap.so use_authtok
    password required pam_deny.so
    session required pam_limits.so
    session required pam_unix.so
    session optional pam_ldap.so

User object, as LDIF:

    version: 1
    # LDIF export of: uid=askwar3,ou=People,ou=RACE,o=Rieter
    # Created by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on April 5, 2007 11:09 am
    # Server: RACE LDAP Server (winds06)
    # Search scope: base
    # Search filter: (objectClass=*)
    # Number of entries: 1
    dn: uid=askwar3,ou=People,ou=Prj,o=Cmp
    cn: Alexander Skwar
    gecos: Alexander Skwar,alexander.skwar@
    gidNumber: 10
    givenName: Alexander
    loginShell: /opt/csw/bin/bash
    mail: askwar@...
    mailHost: mail1.
    mailRoutingAddress: askwar@mail1.
    objectClass: inetLocalMailRecipient
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    roomNumber: alexander.skwar@
    shadowLastChange: 13503
    sn: Skwar
    uid: askwar3
    userPassword: {crypt}cd9HX834QkpsA
    homeDirectory: /home/askwar3
    uidNumber: 33000

Alexander Skwar
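The man page excerpt quoted in the post says the server only returns the user if the entry satisfies both the login assertion and pam_filter. The following is an added example, not code from the thread or from pam_ldap: it builds that combined filter and evaluates it against a trimmed copy of the posted entry, once as posted (no host attribute) and once with a constructed host value added. The filter evaluator is a small hand-written one (and, or, not, equality and presence only; no substring wildcards or escaping), and the way pam_filter is wrapped in parentheses is an assumption about pam_ldap's behaviour, not its source.

```python
"""Evaluate the search filter pam_ldap sends for a login, built the way
the pam_ldap man page quoted above describes, against the posted entry.

Added example, not code from the thread or from pam_ldap. The entry is a
trimmed copy of the posted LDIF (constructed sample data); the evaluator
is a minimal hand-written one (&, |, !, equality, presence) and does not
handle substring wildcards or escapes.
"""

# Trimmed copy of the posted user entry; note there is no "host" attribute.
USER_LDIF = """\
dn: uid=askwar3,ou=People,ou=Prj,o=Cmp
cn: Alexander Skwar
gidNumber: 10
loginShell: /opt/csw/bin/bash
objectClass: posixAccount
objectClass: shadowAccount
uid: askwar3
uidNumber: 33000
homeDirectory: /home/askwar3
"""

# Constructed variant: the same entry after adding a host attribute.
USER_LDIF_WITH_HOST = USER_LDIF + "host: this.host.com\n"


def parse_ldif(text):
    """Return {attribute: [values]} for a single LDIF entry.
    Attribute names are case-insensitive in LDAP, so they are lower-cased."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def _parse(s, i):
    """Recursive-descent filter parser; s[i] must be '('. Returns (node, next_i)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    if s[i] in "&|":                     # (&(...)(...)) or (|(...)(...))
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unterminated %s-list" % op)
        return (op, kids), i + 1
    if s[i] == "!":                      # (!(...))
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("unterminated negation")
        return ("!", [node]), i + 1
    j = s.index(")", i)                  # (attr=value) or (attr=*)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1


def parse_filter(text):
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter: %r" % text[end:])
    return node


def matches(node, entry):
    """True if the parsed LDIF entry satisfies the parsed filter."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                     # presence filter: any value at all
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def pam_ldap_filter(login, pam_filter, login_attr="uid"):
    """Combined filter: (&(<pam_login_attribute>=<login>)(<pam_filter>)).
    Assumption: pam_filter is normally written without outer parentheses,
    as in the guide ("|(host=a)(host=*)"); if it already has them, keep it."""
    pf = pam_filter.strip()
    if not pf.startswith("("):
        pf = "(" + pf + ")"
    return "(&(%s=%s)%s)" % (login_attr, login, pf)


def user_matches(ldif, login, pam_filter):
    """Would the server return this entry for this login and pam_filter?"""
    return matches(parse_filter(pam_ldap_filter(login, pam_filter)), parse_ldif(ldif))


if __name__ == "__main__":
    for pf in ("host=this.does.not.exist", "|(host=this.host.com)(host=*)"):
        print("%-32s no host attr: %-5s  with host attr: %s" % (
            pf, user_matches(USER_LDIF, "askwar3", pf),
            user_matches(USER_LDIF_WITH_HOST, "askwar3", pf)))
```

With either pam_filter from the post, the entry as posted does not match, so a search that actually used that filter would return nothing and pam_ldap would have no user to authenticate. That is the expected behaviour; whether pam_ldap is ever asked is a separate question, and the `loglevel` suggestion in the first reply is the direct way to see the filter the server really receives.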
Re: Limiting users to login to specific hosts only

Alexander,

I currently use just pam_check_service_attr yes with the patch: http://bugzilla.padl.com/show_bug.cgi?id=295 This way one can use just authorizedService using the syntax "@host" or even "service@host". Increase the loglevel on your LDAP server and check what search filter it is using when the user logs in. This can help you.
Re: Limiting users to login to specific hosts only

Alexander,

I am working on OpenLDAP for Linux authentication now. I just set up "Host-Based Authentication". It works as expected. Just want to remind you that if you use both the /etc/passwd file and LDAP for user authentication, then when you test this you need to use a user that only exists in the LDAP server. Otherwise /etc/passwd will authenticate the user if LDAP rejects that user's login. I learned this by my experience here. Hope this helps and good luck.

Hong Wang
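Hong Wang's point above (another module can let the user in after LDAP has said no) and the system-auth stack in the original post both come down to how Linux-PAM combines module results. A `sufficient` module that fails is simply ignored, and a `sufficient` module that succeeds ends the group at once, so in the posted stack a pam_ldap rejection in the `account` group cannot deny anyone once `pam_unix` has succeeded, and in the `auth` group pam_ldap (and with it pam_filter) is never consulted if `pam_unix` accepts the password first. The following is an added example, not code from the thread or from Linux-PAM or pam_ldap: it models the four classic control flags and runs the posted `auth` and `account` groups through two constructed scenarios. The per-module outcomes are assumptions chosen to illustrate the cases, not captured results, and the `[value=action]` bracket syntax is not modelled.

```python
"""Simulate Linux-PAM control-flag evaluation over the stacks posted in
this thread, to show how a pam_ldap rejection gets swallowed.

Added example, not code from the thread or from Linux-PAM/pam_ldap. The
stacks are transcribed from the posted /etc/pam.d/system-auth (module
options dropped); the per-module outcomes are constructed scenarios.
Only required, requisite, sufficient and optional are modelled.
"""


def run_stack(stack, results):
    """Evaluate one PAM management group (auth, account, ...).

    stack:   list of (control, module) in file order
    results: dict module -> True (PAM_SUCCESS) / False (any failure)
    Returns (granted, modules_actually_consulted).

    Rules as libpam applies them:
      requisite  failure -> stop immediately, deny
      required   failure -> remember the failure, keep running the group
      sufficient success -> stop immediately, allow, unless a required or
                            requisite module has already failed
      sufficient failure -> ignored entirely
      optional           -> ignored here (only matters when it is the
                            sole module in the group)
    """
    failed = False           # some required/requisite module has failed
    succeeded = False        # some required/requisite module has succeeded
    consulted = []
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if control in ("required", "requisite"):
            if ok:
                succeeded = True
            else:
                failed = True
                if control == "requisite":
                    return False, consulted
        elif control == "sufficient":
            if ok and not failed:
                return True, consulted
        elif control != "optional":
            raise ValueError("unknown control flag %r" % control)
    # End of group: success only if something required succeeded and
    # nothing required failed (a group of all-failing sufficient modules
    # is a denial).
    return (succeeded and not failed), consulted


# Transcribed from the posted /etc/pam.d/system-auth.
AUTH_STACK = [
    ("required",   "pam_env"),
    ("sufficient", "pam_unix"),
    ("sufficient", "pam_ldap"),
    ("required",   "pam_deny"),
]
ACCOUNT_STACK = [
    ("required",   "pam_unix"),
    ("sufficient", "pam_ldap"),
]
# Hypothetical alternative: pam_ldap's account verdict made mandatory.
ACCOUNT_STACK_STRICT = [
    ("required",   "pam_unix"),
    ("required",   "pam_ldap"),
]

# Constructed scenario 1: an LDAP-only user with no "host" attribute, so
# pam_ldap rejects in both groups (pam_filter excludes the entry, and
# pam_check_host_attr fails). pam_unix is satisfied because nss_ldap
# answers its lookups, here including a readable password hash.
SCENARIO_HASH_READABLE = {
    "auth":    {"pam_env": True, "pam_unix": True,  "pam_ldap": False, "pam_deny": False},
    "account": {"pam_unix": True, "pam_ldap": False},
}
# Constructed scenario 2: same user, but pam_unix cannot verify the
# password itself (hash not visible through NSS), so only pam_ldap could
# authenticate, and pam_filter stops it.
SCENARIO_HASH_HIDDEN = {
    "auth":    {"pam_env": True, "pam_unix": False, "pam_ldap": False, "pam_deny": False},
    "account": {"pam_unix": True, "pam_ldap": False},
}


def login_decision(auth_stack, account_stack, scenario):
    """su/login call pam_authenticate and then pam_acct_mgmt; both must
    pass. Returns (granted, auth_modules_consulted, account_modules_consulted)."""
    auth_ok, auth_seen = run_stack(auth_stack, scenario["auth"])
    if not auth_ok:
        return False, auth_seen, []
    acct_ok, acct_seen = run_stack(account_stack, scenario["account"])
    return acct_ok, auth_seen, acct_seen


if __name__ == "__main__":
    for sname, sc in (("hash readable", SCENARIO_HASH_READABLE),
                      ("hash hidden", SCENARIO_HASH_HIDDEN)):
        for aname, acct in (("account as posted", ACCOUNT_STACK),
                            ("pam_ldap required", ACCOUNT_STACK_STRICT)):
            ok, a, b = login_decision(AUTH_STACK, acct, sc)
            print("%-14s %-18s granted=%-5s auth=%s account=%s" % (sname, aname, ok, a, b))
```

Two things follow for the posted configuration. First, `auth sufficient pam_rootok.so` at the top of /etc/pam.d/su means an `su` run from a root shell executes no authentication module at all, so testing from root says nothing about pam_filter; test from an unprivileged account. Second, simply changing the account line to `required` (the strict stack above) breaks every account that exists only locally, root included, because pam_ldap must then succeed for all of them; the usual way out on Linux-PAM is the bracket form such as `account [success=ok user_unknown=ignore default=bad] pam_ldap.so`, which lets unknown-to-LDAP users fall through while still denying LDAP users the host check rejects.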
Re: Limiting users to login to specific hosts only