ldap group membership


ldap group membership

by Tom Hodder


Hi,

Is there a way to configure it so that the user logging on has to be a
member of multiple groups to be able to log in?

I have a bunch of existing groups like:

cn=Developers
cn=Administrators
cn=Managers

and at the moment, all users can login to all the servers, as my
pam_groupdn is like this;

pam_groupdn cn=unixusergroup,etc,etc

Am I allowed to specify multiple "pam_groupdn" entries in the ldap.conf
file in order to require combined group memberships?

Also, is there a way of requiring group membership at the pam.d conf
file configuration level, e.g.

account require pam_groups_required.so groupname=cn=Developers

etc, or something like that, as I think it would be easier to manage via
the pam.d files than having entries in the ldap.conf files.
(All I am trying to do is use ldap group membership to allow/deny pam
logins)

Any advice would be appreciated,

Thanks,

Tom

RE: ldap group membership

by Sturgis, Grant


 

> -----Original Message-----
> From: owner-pamldap@... [mailto:owner-pamldap@...]
> On Behalf Of Tom Hodder
> Sent: Monday, February 06, 2006 8:47 PM
> To: pamldap@...
> Subject: [pamldap] ldap group membership
>
> Hi,
>
> Is there a way to configure it so that the user logging on has to
> be a member
> of multiple groups to be able to log in?
>
> I have a bunch of existing groups like:
>
> cn=Developers
> cn=Administrators
> cn=Managers
>
> and at the moment, all users can login to all the servers, as my
> pam_groupdn is like this;
>
> pam_groupdn cn=unixusergroup,etc,etc
>
> Am I allowed to specify multiple "pam_groupdn" entries in the
> ldap.conf
> file in order to require combined group memberships?
>
> Also, is there a way of requiring group membership at the pam.d conf
> file configuration level, e.g.
>
> account require pam_groups_required.so groupname=cn=Developers
>
> etc, or something like that, as I think it would be easier to
> manage via
> the pam.d files than having entries in the ldap.conf files.
> (All I am trying to do is use ldap group membership to allow/deny pam
> logins)
>
> Any advice would be appreciated,

I use the pam_filter directive in ldap.conf.  Here is an "or" statement:

pam_filter |(groupattribute=group1)(groupattribute=group2)

and I think an "and" would just be:

pam_filter &(groupattribute=group1)(groupattribute=group2)

>
> Thanks,
>
> Tom
>

HTH,

-Grant


This electronic message transmission is a PRIVATE communication which contains
information which may be confidential or privileged. The information is intended
to be for the use of the individual or entity named above. If you are not the
intended recipient, please be aware that any disclosure, copying, distribution
or use of the contents of this information is prohibited. Please notify the
sender  of the delivery error by replying to this message, or notify us by
telephone (877-633-2436, ext. 0), and then delete it from your system.
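The pam_filter approach above is easy to get subtly wrong, so here is an added example from the editor (not code from the thread or from the pam_ldap project) that makes the semantics concrete. It assumes, as pam_ldap behaves in practice, that the pam_filter value is wrapped around the user lookup as (&(<pam_filter>)(uid=<user>)), which is why the value is written without outer parentheses. Two consequences follow: the filter is evaluated against the user's own entry, so a group test only works through an attribute carried on the user object (memberOf on Active Directory; "groupattribute" in the reply is a placeholder), and the login name substituted into the filter has to be RFC 4515 escaped so that a crafted username cannot widen the filter. The directory entries, group DNs and user names below are constructed for the example.

```python
"""Small RFC 4515 filter evaluator to check what a pam_filter value requires.

Editor's example, not pam_ldap code. Assumed shape of the search pam_ldap
issues when pam_filter is set:  (&(<pam_filter>)(<uid-attr>=<user>))
"""
import re

# Constructed sample directory: AD-style user entries carrying memberOf.
DEVS = "cn=Developers,ou=Groups,dc=example,dc=com"
ADMINS = "cn=Administrators,ou=Groups,dc=example,dc=com"
DIRECTORY = {
    "alice": {"uid": "alice", "memberOf": [DEVS, ADMINS]},
    "bob":   {"uid": "bob",   "memberOf": [DEVS]},
    "carol": {"uid": "carol", "memberOf": []},
}

# The two pam_filter values from the reply, with memberOf as the user-side attribute.
EITHER = f"|(memberOf={DEVS})(memberOf={ADMINS})"
BOTH = f"&(memberOf={DEVS})(memberOf={ADMINS})"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a filter (the login name)."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def effective_filter(pam_filter: str, user: str, uid_attr: str = "uid") -> str:
    """Rebuild the filter sent for the user lookup (assumed pam_ldap shape)."""
    if pam_filter:
        return f"(&({pam_filter})({uid_attr}={escape_filter_value(user)}))"
    return f"({uid_attr}={escape_filter_value(user)})"


def _parse(s: str, i: int):
    """Parse one parenthesised component starting at s[i]; returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in "&|!":                      # AND / OR / NOT over child components
        i += 1
        kids = []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    j = s.index(")", i)                  # simple equality item: attr=value
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1


def parse_filter(s: str):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def _unescape(v: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    vals = entry.get(attr, [])
    vals = [vals] if isinstance(vals, str) else vals
    if value == "*":                     # presence test
        return bool(vals)
    want = _unescape(value).lower()
    return any(v.lower() == want for v in vals)


def allowed(pam_filter: str, user: str) -> bool:
    """True if the user's entry is returned by the lookup under this pam_filter."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return False
    return matches(parse_filter(effective_filter(pam_filter, user)), entry)


if __name__ == "__main__":
    for name in DIRECTORY:
        print(f"{name:6} either={allowed(EITHER, name)!s:5} both={allowed(BOTH, name)}")
    # A login name with filter metacharacters stays inside its own (uid=...) item.
    print(effective_filter(BOTH, "alice)(uid=*"))
```

Running it shows alice passing both filters, bob passing only the "or" form and carol neither, which is the behaviour Tom asked for when the "and" form is used. The last line shows the escaped login name, which is the check to make before trusting any filter that interpolates user input.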



newest libnss returns "no such user" (no seg-fault though)

by Jason Morrill


OK, here's the latest in my libnss -> AD saga...

I was getting a seg-fault with the Debian-Sarge installation of libnss-ldap so I
thought I'd upgrade by compiling the latest libnss from PADL. I had to install
the LDAP development libraries (libldap2-dev) in order to compile the source.

After compiling without any extra switches I did a 'make install'. Now when I
try to 'id <user>' it comes back "no such user". To me this is a step backward.
I'd prefer to not have proper group resolution with a seg-fault over "no such
user".

I'm wondering if there are some compilation switches I'm missing?
Or is there some super special library that I'm missing?

For now I'm going back to the Debian package and commenting out the following
line from /etc/libnss-ldap.conf:
nss_map_objectclass posixGroup Group

Thanks!
 Jason Morrill
 IT Manager
 Child & Family Agency of Southeastern Connecticut
 (860) 443-2896 x1422


RE: ldap group membership

by yp_




I have a patch for multiple pam_groupdn attributes that was created 5 years ago and has been working since then in a relatively large environment. I've refreshed it recently (against v184).
The patch was created by a programmer I worked with and I have his consent to share the patch with the community.
Let me know (by email) if anyone is interested.
