Comments on: LDAP-Based Access Control http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/ The weblog of an IT pro specializing in virtualization, storage, and servers Wed, 08 Feb 2012 17:13:47 +0000 hourly 1 http://wordpress.org/?v= By: Jason Sjöbeck http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/comment-page-1/#comment-51303 Jason Sjöbeck Mon, 08 Aug 2011 09:20:03 +0000 http://blog.scottlowe.org/?p=331#comment-51303 www.centrify.com has an Express produce that we all might be interested in. Just FYI is all. http://www.centrify.com has an Express produce that we all might be interested in.

Just FYI is all.

]]> By: Ben Audet http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/comment-page-1/#comment-48464 Ben Audet Thu, 27 May 2010 19:46:22 +0000 http://blog.scottlowe.org/?p=331#comment-48464 Just to follow up to CRC32 & Sandy: I finally got it working, using the "memberOf" as a discriminating criteria to restrict users to log into Solaris servers. CRC32 has the solution, but it is partly incomplete, as he only sets SSD for the "passwd" field. In order to make it work on my setup, I had to set a SSD as well for the "shadow" field, just like that: # ldapclient mod -a serviceSearchDescriptor=passwd:ou=Users,dc=my,dc=domain,dc=com?sub?memberOf=cn=my_host_group,ou=groups,dc=my,dc=domain,dc=com # ldapclient mod -a serviceSearchDescriptor=shadow:ou=Users,dc=my,dc=domain,dc=com?sub?memberOf=cn=my_host_group,ou=groups,dc=my,dc=domain,dc=com And note that, in my case, I had to use the "memberOf" instead of CRC32's "msSFU30PosixMemberOf" (since when I issue "ldaplist -l passwd ", I had "memberOf" parameter. Now, my "ldapclient list" command gives this result, and it works perfectly: # ldapclient list NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_BINDDN= cn=LDAP SVC,ou=LDAP,ou=Services,ou=Admin,dc=my,dc=domain,dc=com NS_LDAP_BINDPASSWD= {NS1}############# NS_LDAP_SERVERS= 10.1.2.3, 10.2.3.4, 10.3.4.5 NS_LDAP_SEARCH_BASEDN= dc=my,dc=domain,dc=com NS_LDAP_AUTH= simple NS_LDAP_CACHETTL= 0 NS_LDAP_CREDENTIAL_LEVEL= proxy NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=Users,dc=my,dc=domain,dc=com?sub?memberOf=cn=my_host_group,ou=groups,dc=my,dc=domain,dc=com LDAP_SERVICE_SEARCH_DESC= shadow:ou=Users,dc=my,dc=domain,dc=com?sub?memberOf=cn=my_host_group,ou=groups,dc=my,dc=domain,dc=com NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword NS_LDAP_ATTRIBUTEMAP= shadow:shadowflag=shadowFlag NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid NS_LDAP_ATTRIBUTEMAP= group:userpassword=userPassword NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group Thanks CRC32 for sharing, you put me on the way!!! Just to follow up to CRC32 & Sandy: I finally got it working, using the “memberOf” as a discriminating criteria to restrict users to log into Solaris servers.

CRC32 has the solution, but it is partly incomplete, as he only sets SSD for the “passwd” field. In order to make it work on my setup, I had to set a SSD as well for the “shadow” field, just like that:

# ldapclient mod -a serviceSearchDescriptor=passwd:ou=Users,dc=my,dc=domain,dc=com?sub?memberOf=cn=my_host_group,ou=groups,dc=my,dc=domain,dc=com

# ldapclient mod -a serviceSearchDescriptor=shadow:ou=Users,dc=my,dc=domain,dc=com?sub?memberOf=cn=my_host_group,ou=groups,dc=my,dc=domain,dc=com

And note that, in my case, I had to use the “memberOf” instead of CRC32′s “msSFU30PosixMemberOf” (since when I issue “ldaplist -l passwd “, I had “memberOf” parameter.

Now, my “ldapclient list” command gives this result, and it works perfectly:

# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=LDAP SVC,ou=LDAP,ou=Services,ou=Admin,dc=my,dc=domain,dc=com
NS_LDAP_BINDPASSWD= {NS1}#############
NS_LDAP_SERVERS= 10.1.2.3, 10.2.3.4, 10.3.4.5
NS_LDAP_SEARCH_BASEDN= dc=my,dc=domain,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=Users,dc=my,dc=domain,dc=com?sub?memberOf=cn=my_host_group,ou=groups,dc=my,dc=domain,dc=com
LDAP_SERVICE_SEARCH_DESC= shadow:ou=Users,dc=my,dc=domain,dc=com?sub?memberOf=cn=my_host_group,ou=groups,dc=my,dc=domain,dc=com
NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
NS_LDAP_ATTRIBUTEMAP= shadow:shadowflag=shadowFlag
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid
NS_LDAP_ATTRIBUTEMAP= group:userpassword=userPassword
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group

Thanks CRC32 for sharing, you put me on the way!!!

]]> By: Shamika http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/comment-page-1/#comment-46766 Shamika Thu, 26 Nov 2009 09:46:40 +0000 http://blog.scottlowe.org/?p=331#comment-46766 Hi Scott, issue:I'm trying to setup ldap auth for my labusing Openldap. I was sucessful setting it up on fedora 12 & ubuntu but it fails on rhel5 for some reason. The moment I uncomment "pam_check_service_attr yes" in ldap.conf it it throws me following error upon doing ssh (i m using ldap user which has this host entry in its host attr) [root@rh5u3 ~]# ssh jchan@localhost jchan@localhost's password: Access denied for this host Connection closed by 127.0.0.1 Here is snapshot from /var/log/secure Nov 26 15:12:44 rh5u3 sshd[13646]: Failed password for jchan from 127.0.0.1 port 49678 ssh2 Nov 26 15:12:44 rh5u3 sshd[13647]: fatal: Access denied for user jchan by PAM account configuration I tried, getent group/passwd retrieves all local n ldap users/groups correctly. So nothing seems to have gone wrong there. I'm concerned about the sys-auth & ssh file. I went through your posts and tried but no help. Could you send me ideal setting for these files? or else whatever your suggestions may be. Thanks Shamika Hi Scott,
issue:I’m trying to setup ldap auth for my labusing Openldap. I was sucessful setting it up on fedora 12 & ubuntu but it fails on rhel5 for some reason. The moment I uncomment “pam_check_service_attr yes” in ldap.conf it it throws me following error upon doing ssh (i m using ldap user which has this host entry in its host attr)

[root@rh5u3 ~]# ssh jchan@localhost
jchan@localhost’s password:
Access denied for this host
Connection closed by 127.0.0.1

Here is snapshot from /var/log/secure

Nov 26 15:12:44 rh5u3 sshd[13646]: Failed password for jchan from 127.0.0.1 port 49678 ssh2
Nov 26 15:12:44 rh5u3 sshd[13647]: fatal: Access denied for user jchan by PAM account configuration

I tried, getent group/passwd retrieves all local n ldap users/groups correctly. So nothing seems to have gone wrong there. I’m concerned about the sys-auth & ssh file. I went through your posts and tried but no help. Could you send me ideal setting for these files? or else whatever your suggestions may be.

Thanks
Shamika

]]> By: sauce http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/comment-page-1/#comment-46007 sauce Fri, 25 Sep 2009 05:48:26 +0000 http://blog.scottlowe.org/?p=331#comment-46007 any update on Nested Groups? any update on Nested Groups?

]]> By: soulshepard http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/comment-page-1/#comment-45146 soulshepard Thu, 16 Jul 2009 15:00:35 +0000 http://blog.scottlowe.org/?p=331#comment-45146 ps: i was talking about pure LDAP config in /etc/pam.d/system-auth and /etc/ldap.conf ps: i was talking about pure LDAP config in /etc/pam.d/system-auth and /etc/ldap.conf

]]> By: soulshepard http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/comment-page-1/#comment-45145 soulshepard Thu, 16 Jul 2009 14:59:27 +0000 http://blog.scottlowe.org/?p=331#comment-45145 its funny, i have a few f5 bigip machines these run a kind of redhat/linux kernel and they can authenticate to the active directory without having unix services / schema modifications in ads, i am trying to get it working by replicating the config changes but no luck. i am soo confused why all linux appliance and ther stuff can easely inetrgrate by native ldap and the linux distro's not. so i know its possible without anyone got a clue? its funny, i have a few f5 bigip machines these run a kind of redhat/linux kernel and they can authenticate to the active directory without having unix services / schema modifications in ads, i am trying to get it working by replicating the config changes but no luck. i am soo confused why all linux appliance and ther stuff can easely inetrgrate by native ldap and the linux distro’s not.

so i know its possible without anyone got a clue?

]]> By: Sandy http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/comment-page-1/#comment-43660 Sandy Wed, 18 Feb 2009 21:26:17 +0000 http://blog.scottlowe.org/?p=331#comment-43660 CRC32 - We are trying to restrict client login access the same as you, but when we modify the serviceSearchDescriptor as you suggested the user account is no longer able to log in at all. I was wondering if there was also something we need to change for the serviceSearchDescriptor = group section since your output looks a little different. CRC32 – We are trying to restrict client login access the same as you, but when we modify the serviceSearchDescriptor as you suggested the user account is no longer able to log in at all. I was wondering if there was also something we need to change for the serviceSearchDescriptor = group section since your output looks a little different.

]]> By: CRC32 http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/comment-page-1/#comment-43610 CRC32 Wed, 11 Feb 2009 22:52:14 +0000 http://blog.scottlowe.org/?p=331#comment-43610 FYI Solaris 10 serviceSearchDescriptor method worked also: # cat /var/ldap/ldap_client_file NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_SERVERS= ad.my.domain.com NS_LDAP_SEARCH_BASEDN= DC=my,DC=domain,DC=com NS_LDAP_AUTH= sasl/GSSAPI NS_LDAP_CACHETTL= 0 NS_LDAP_CREDENTIAL_LEVEL= self NS_LDAP_SERVICE_SEARCH_DESC= passwd:OU=Users,DC=my,DC=domain,DC=com?sub?msSFU30PosixMemberOf=cn=my_host_group,ou=groups,dc=my,dc=domain,dc=com NS_LDAP_SERVICE_SEARCH_DESC= group:OU=Groups,DC=my,DC=domain,DC=com?sub?gidNumber=* NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group FYI Solaris 10 serviceSearchDescriptor method worked also:

# cat /var/ldap/ldap_client_file
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ad.my.domain.com
NS_LDAP_SEARCH_BASEDN= DC=my,DC=domain,DC=com
NS_LDAP_AUTH= sasl/GSSAPI
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= self
NS_LDAP_SERVICE_SEARCH_DESC= passwd:OU=Users,DC=my,DC=domain,DC=com?sub?msSFU30PosixMemberOf=cn=my_host_group,ou=groups,dc=my,dc=domain,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group:OU=Groups,DC=my,DC=domain,DC=com?sub?gidNumber=*
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group

]]> By: CRC32 http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/comment-page-1/#comment-43513 CRC32 Tue, 03 Feb 2009 03:45:22 +0000 http://blog.scottlowe.org/?p=331#comment-43513 For anyone interested - I managed to get this working on AIX, and Solaris seems doable also (haven't implemented yet). Seems AD (with SFU/R2) lists all group membership against the user object as well, so for AIX in the ldap.cfg, userbasedn option, you can refine the search like: userbasedn: ou=users,dc=my,dc=domain,dc=com?sub?(msSFU30PosixMemberOf=cn=my_host_group,ou=groups,dc=my,dc=domain,dc=com) where my_host_group contains all LDAP based users you wish to grant access to this host - all other users won't be found in the search and are thus "hidden" from the OS i.e. can't login. For solaris, essentially the same option in the ldap client should do the trick: serviceSearchDescriptor: passwd:ou=users,dc=my,dc=domain,dc=com?sub?(msSFU30PosixMemberOf=cn=my_host_group,ou=groups,dc=my,dc=domain,dc=com) Only thing is apparently AD doesn't list users in the group who have it as there "default" group - so use a specific group which contains correct members & then the group will show up properly against the user, don't rely on AD default groups for this! For anyone interested – I managed to get this working on AIX, and Solaris seems doable also (haven’t implemented yet). Seems AD (with SFU/R2) lists all group membership against the user object as well, so for AIX in the ldap.cfg, userbasedn option, you can refine the search like:

userbasedn: ou=users,dc=my,dc=domain,dc=com?sub?(msSFU30PosixMemberOf=cn=my_host_group,ou=groups,dc=my,dc=domain,dc=com)

where my_host_group contains all LDAP based users you wish to grant access to this host – all other users won’t be found in the search and are thus “hidden” from the OS i.e. can’t login.

For solaris, essentially the same option in the ldap client should do the trick:
serviceSearchDescriptor: passwd:ou=users,dc=my,dc=domain,dc=com?sub?(msSFU30PosixMemberOf=cn=my_host_group,ou=groups,dc=my,dc=domain,dc=com)

Only thing is apparently AD doesn’t list users in the group who have it as there “default” group – so use a specific group which contains correct members & then the group will show up properly against the user, don’t rely on AD default groups for this!

]]> By: CRC32 http://blog.scottlowe.org/2006/09/08/ldap-based-access-control/comment-page-1/#comment-43387 CRC32 Fri, 16 Jan 2009 01:32:12 +0000 http://blog.scottlowe.org/?p=331#comment-43387 I too am interested in this technique for Solaris + R2 AD. I would like to avoid netgroups in AD if possible - ideally looking for functional equivalent of pam_groupdn on Solaris, using Sun's LDAP client software - not PADL. Please if anyone has any suggestions? Thanks! I too am interested in this technique for Solaris + R2 AD.

I would like to avoid netgroups in AD if possible – ideally looking for functional equivalent of pam_groupdn on Solaris, using Sun’s LDAP client software – not PADL.

Please if anyone has any suggestions?

Thanks!

]]>