Comments on: LDAP-Based Access Control http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/ The weblog of an IT pro specializing in virtualization, storage, and servers Thu, 20 Nov 2008 11:26:22 +0000 http://wordpress.org/?v=2.6 By: Frank http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/#comment-40068 Frank Tue, 15 Jul 2008 21:38:16 +0000 http://blog.scottlowe.org/?p=331#comment-40068 Scott, Great post! Refer to it all the time! Very interested in finding an answer to the Solaris question of access control when integrated with R2 AD. Can this be done? Can I restrict by using a single access group (such as solaris1) per Solaris server, or even migrate all Solaris groups to AD? Need to have some access control in place. Any ideas? Pointers? Thanks! Scott,
Great post! Refer to it all the time! Very interested in finding an answer to the Solaris question of access control when integrated with R2 AD. Can this be done? Can I restrict by using a single access group (such as solaris1) per Solaris server, or even migrate all Solaris groups to AD? Need to have some access control in place. Any ideas? Pointers?

Thanks!

]]> By: jd http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/#comment-39559 jd Tue, 24 Jun 2008 18:22:40 +0000 http://blog.scottlowe.org/?p=331#comment-39559 Scott that did the job, thanks a million. My remote root access was killed but I should be able to fix it. It doesn't look like nested groups work so I'm going to look into that and getting this done on solaris 10 next. If I find anything interesting, I'll be sure to post. Thanks again and great blog. Scott that did the job, thanks a million. My remote root access was killed but I should be able to fix it.

It doesn’t look like nested groups work so I’m going to look into that and getting this done on solaris 10 next. If I find anything interesting, I’ll be sure to post. Thanks again and great blog.

]]> By: slowe http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/#comment-39552 slowe Tue, 24 Jun 2008 13:08:11 +0000 http://blog.scottlowe.org/?p=331#comment-39552 JD, OK. My thinking was that pam_krb5.so was set to "sufficient", so that if it was successful (which it would be) then the outcome of pam_ldap.so would be irrelevant. Have you tried pam_krb5.so as required instead of sufficient? JD,

OK. My thinking was that pam_krb5.so was set to “sufficient”, so that if it was successful (which it would be) then the outcome of pam_ldap.so would be irrelevant. Have you tried pam_krb5.so as required instead of sufficient?

]]> By: jd http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/#comment-39541 jd Mon, 23 Jun 2008 22:25:25 +0000 http://blog.scottlowe.org/?p=331#comment-39541 Tried, it prevented any user from logging in. It logged that the authentication piece worked fine and that's it, nothing for account management (which usually reports as successful when there is a pam_kerb5.so entry in the account section of system-auth). Tried, it prevented any user from logging in.

It logged that the authentication piece worked fine and that’s it, nothing for account management (which usually reports as successful when there is a pam_kerb5.so entry in the account section of system-auth).

]]> By: slowe http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/#comment-39538 slowe Mon, 23 Jun 2008 21:05:21 +0000 http://blog.scottlowe.org/?p=331#comment-39538 JD, Try removing the pam_krb5.so entry from the account section of system-auth and see what happens then. JD,

Try removing the pam_krb5.so entry from the account section of system-auth and see what happens then.

]]> By: jd http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/#comment-39537 jd Mon, 23 Jun 2008 19:42:07 +0000 http://blog.scottlowe.org/?p=331#comment-39537 the member attribute does have my user here are the log results when a user who was not supposed to be able to, successfully logged in via ssh... Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: flag: no krb4_convert Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: flag: no external Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: flag: validate Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: flag: warn Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: ticket lifetime: 36000 Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: renewable lifetime: 36000 Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: banner: Kerberos 5 Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: ccache dir: /tmp Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: keytab: /etc/krb5.keytab Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: account manaEXAMPLEment succeeds for 'jeffu2' Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: pam_acct_mgmt returning 0 (Success) Jun 23 15:31:40 rhel4test sshd(pam_unix)[15560]: session opened for user jeffu2 by (uid=0) Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: configured realm 'LAB.EXAMPLE.COM' Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: flags: forwardable Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: flag: no ignore_afs Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: flag: user_check Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: flag: no krb4_convert Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: flag: no external Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: flag: validate Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: flag: warn Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: ticket lifetime: 36000 Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: renewable lifetime: 36000 Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: banner: Kerberos 5 Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: ccache dir: /tmp Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: keytab: /etc/krb5.keytab Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: called to update credentials for 'jeffu2' Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: _pam_krb5_sly_refresh returning 0 (Success) Jun 23 15:31:40 rhel4test sshd[15560]: nss_ldap: reconnecting to LDAP server... Jun 23 15:31:40 rhel4test sshd[15560]: nss_ldap: reconnected to LDAP server ldap://10.0.0.52/ after 1 attempt(s) the member attribute does have my user

here are the log results when a user who was not supposed to be able to, successfully logged in via ssh…

Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: flag: no krb4_convert
Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: flag: no external
Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: flag: validate
Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: flag: warn
Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: ticket lifetime: 36000
Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: renewable lifetime: 36000
Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: banner: Kerberos 5
Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: ccache dir: /tmp
Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: keytab: /etc/krb5.keytab
Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: account manaEXAMPLEment succeeds for ‘jeffu2′
Jun 23 15:31:39 rhel4test sshd[15560]: pam_krb5[15560]: pam_acct_mgmt returning 0 (Success)
Jun 23 15:31:40 rhel4test sshd(pam_unix)[15560]: session opened for user jeffu2 by (uid=0)
Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: configured realm ‘LAB.EXAMPLE.COM’
Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: flags: forwardable
Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: flag: no ignore_afs
Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: flag: user_check
Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: flag: no krb4_convert
Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: flag: no external
Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: flag: validate
Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: flag: warn
Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: ticket lifetime: 36000
Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: renewable lifetime: 36000
Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: banner: Kerberos 5
Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: ccache dir: /tmp
Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: keytab: /etc/krb5.keytab
Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: called to update credentials for ‘jeffu2′
Jun 23 15:31:40 rhel4test sshd[15564]: pam_krb5[15564]: _pam_krb5_sly_refresh returning 0 (Success)
Jun 23 15:31:40 rhel4test sshd[15560]: nss_ldap: reconnecting to LDAP server…
Jun 23 15:31:40 rhel4test sshd[15560]: nss_ldap: reconnected to LDAP server ldap://10.0.0.52/ after 1 attempt(s)

]]> By: slowe http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/#comment-39534 slowe Mon, 23 Jun 2008 18:29:19 +0000 http://blog.scottlowe.org/?p=331#comment-39534 JD, Using ADSI Edit, have a look at the security group and make sure that the member attribute (which you've specified in ldap.conf as the pam_member_attribute) is getting populated with usernames. Any errors in the logs? JD,

Using ADSI Edit, have a look at the security group and make sure that the member attribute (which you’ve specified in ldap.conf as the pam_member_attribute) is getting populated with usernames.

Any errors in the logs?

]]> By: jd http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/#comment-39533 jd Mon, 23 Jun 2008 18:03:09 +0000 http://blog.scottlowe.org/?p=331#comment-39533 Scott, Could really use some help here. I have auth working but it's not constrained to users in my windows global security group - "jeffg1". All users (in the right ou) work. I have attached my system-auth and ldap.conf file, any help you could provide would be greatly appreciated. ldap.conf... base dc=lab,dc=example,dc=com uri ldap://10.0.0.152/ binddn jeffproxyuser@lab.example.com bindpw s3cr3t scope sub timelimit 30 idle_timelimit 3600 pam_groupdn cn=jeffg1,ou=unix,dc=lab,dc=example,dc=com?sub pam_member_attribute member nss_base_passwd ou=unix,dc=lab,dc=example,dc=com?sub nss_base_shadow ou=unix,dc=lab,dc=example,dc=com?sub nss_base_group ou=unix,dc=lab,dc=example,dc=com?sub nss_map_objectclass posixAccount User nss_map_objectclass shadowAccount User nss_map_attribute uid sAMAccountName nss_map_attribute uniqueMember msSFU30PosixMember nss_map_attribute uidNumber msSFU30UidNumber nss_map_attribute gidNumber msSFU30GidNumber nss_map_attribute loginShell msSFU30LoginShell nss_map_attribute homeDirectory msSFU30HomeDirectory nss_map_objectclass posixGroup Group nss_map_attribute memberUid msSFU30MemberUid ssl no tls_cacertdir /etc/openldap/cacerts pam_password md5 system-auth... auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient /lib/security/$ISA/pam_krb5.so debug auth required /lib/security/$ISA/pam_deny.so debug account sufficient /lib/security/$ISA/pam_ldap.so debug account sufficient /lib/security/$ISA/pam_krb5.so debug account required /lib/security/$ISA/pam_unix.so account sufficient /lib/security/$ISA/pam_succeed_if.so uid Scott,

Could really use some help here. I have auth working but it’s not constrained to users in my windows global security group - “jeffg1″. All users (in the right ou) work.

I have attached my system-auth and ldap.conf file, any help you could provide would be greatly appreciated.

ldap.conf…
base dc=lab,dc=example,dc=com
uri ldap://10.0.0.152/
binddn jeffproxyuser@lab.example.com
bindpw s3cr3t
scope sub
timelimit 30
idle_timelimit 3600
pam_groupdn cn=jeffg1,ou=unix,dc=lab,dc=example,dc=com?sub
pam_member_attribute member
nss_base_passwd ou=unix,dc=lab,dc=example,dc=com?sub
nss_base_shadow ou=unix,dc=lab,dc=example,dc=com?sub
nss_base_group ou=unix,dc=lab,dc=example,dc=com?sub
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute memberUid msSFU30MemberUid
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

system-auth…
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so debug
auth required /lib/security/$ISA/pam_deny.so debug

account sufficient /lib/security/$ISA/pam_ldap.so debug
account sufficient /lib/security/$ISA/pam_krb5.so debug
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid

]]> By: skippy http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/#comment-37762 skippy Mon, 12 May 2008 19:15:48 +0000 http://blog.scottlowe.org/?p=331#comment-37762 Scott: thanks for that! I just recently re-read the sshd_config man page for a different issue, and glossed right past those options. Cheers! Scott: thanks for that! I just recently re-read the sshd_config man page for a different issue, and glossed right past those options. Cheers!

]]> By: slowe http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/#comment-37757 slowe Mon, 12 May 2008 18:15:05 +0000 http://blog.scottlowe.org/?p=331#comment-37757 Skippy, These instructions _should_ work, but keep in mind you could also use the AllowUsers or AllowGroups directives inside sshd_config to accomplish the same thing with less complexity. Skippy,

These instructions _should_ work, but keep in mind you could also use the AllowUsers or AllowGroups directives inside sshd_config to accomplish the same thing with less complexity.

]]>