
Authentication Problems
Hi,

first, I'll try to explain what we want to do:
We want to authenticate users via pam_ldap, but based on group membership
of users: we want to check each group to see whether the user trying to log
in is a member (-> memberUid), and, if found, take a look in another group,
where the user has his posixAccount entry, to check his password.

Following various pieces of advice, we kept our LDAP tree as shallow as
possible, so we have a tree consisting of our dc's, and then dividing into
two components: employees and groups. In 'employees', every employee is
listed, having the objectclass posixaccount with every required
attribute. Below groups, we have a tree representing the organisational
structure. There we have sub-groups like 'marketing' or 'tech', which
are posixGroups and organisationalunits. In those groups, we have
memberUid's. Short example:

ou=employees
objectclass=organisationalunit
description=Contains all employees

        cn=agrosse
        objectclass=posixAccount
        [every required attribute for posixAccount, including uid]

ou=groups
objectclass=organisationalunit
description=Contains organisational structure
        
        ou=tech
        objectclass=posixGroup
        objectclass=organisationalunit
        [every required attribute for posixGroup]
        memberUid=agrosse

We want to login via sshd, so we added a module sshd in /etc/pam.d/:
#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_stack.so service=system-auth
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_stack.so service=system-auth
session    sufficient   /lib/security/pam_ldap.so
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

Now we modified /etc/ldap.conf to contain the following lines to
authenticate by groups:
base ou=groups,dc=mydomain,dc=de
pam_filter objectclass=posixGroup
pam_login_attribute memberUid

The idea behind this is to search all groups for the memberUids. If there
is a match, look it up in the employees group and compare passwords.

But the output I get when starting slapd with -d 256 is:
------
daemon: conn=0 fd=9 connection from IP=127.0.0.1:38249
(IP=0.0.0.0:34049) accepted.
conn=0 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 9
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="ou=groups,dc=mydomain,dc=de" scope=2
filter="(&(objectClass=posixAccount)(uid=agrosse))"
ber_flush: 14 bytes to sd 9
conn=0 op=1 SEARCH RESULT tag=101 err=0 text=
------

Mysteriously, everything seems to work when trying to log in as root:
-----
daemon: conn=1 fd=9 connection from IP=127.0.0.1:38250
(IP=0.0.0.0:34049) accepted.
conn=1 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 9
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 SRCH base="ou=groups,dc=mydomain,dc=de" scope=2
filter="(&(objectClass=posixGroup)(memberUid=root))"
ber_flush: 14 bytes to sd 9
conn=1 op=1 SEARCH RESULT tag=101 err=0 text=
conn=1 op=2 BIND dn="" method=128
ber_flush: 14 bytes to sd 9
conn=1 op=2 RESULT tag=97 err=0 text=
conn=1 op=3 SRCH base="ou=groups,dc=mydomain,dc=de" scope=2
filter="(&(objectClass=posixGroup)(memberUid=root))"
ber_flush: 14 bytes to sd 9
conn=1 op=3 SEARCH RESULT tag=101 err=0 text=
daemon: conn=2 fd=15 connection from IP=127.0.0.1:38251
(IP=0.0.0.0:34049) accepted.
conn=2 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 15
conn=2 op=0 RESULT tag=97 err=0 text=
conn=2 op=1 SRCH base="ou=groups,dc=mydomain,dc=de" scope=2
filter="(uid=root)"
ber_flush: 14 bytes to sd 15
conn=2 op=1 SEARCH RESULT tag=101 err=0 text=
conn=2 op=2 SRCH base="ou=groups,dc=mydomain,dc=de" scope=2
filter="(&(objectClass=posixGroup)(memberUid=root))"
ber_flush: 14 bytes to sd 15
conn=2 op=2 SEARCH RESULT tag=101 err=0 text=
conn=-1 fd=15 closed
------

So the filter keyword does not seem to work for a 'normal' user who only
exists in my LDAP database, but it works for a user who only exists in the
system passwd. What am I doing wrong?

And there are a few questions besides that this isn't working:
Should I use the uniquemember attribute instead of memberUid ?
Does this work at all, using posixGroups and memberUids to find the
matching uid, and looking it up in a different dn to check the password?
And if it works, does it make sense (or would you recommend to do it
otherwise) ?

The system we are working on is Redhat 7.1 & openldap 2.0.18.

Your help is highly appreciated!
Many thanks in advance,

        Andreas Grosse
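As an added example (not part of Andreas's post, nor code from pam_ldap or OpenLDAP), here is a small Python script that parses a `slapd -d 256` trace of the kind quoted above, copes with the wrapped `SRCH ... scope=2` / `filter="..."` line pairs, and summarises per connection which bind DN was used and which base and filter each search carried. The embedded sample is the conn=0 (agrosse) and conn=2 (root) portion of the post's own trace. The shape labels ("posixAccount-by-uid", "posixGroup-by-memberUid", "uid-only") are this example's own naming, not anything the post or the tools use. Two things such a summary puts in front of you when reading this trace: every BIND on both connections is anonymous (dn=""), so no bind as a user's DN ever reaches slapd, and the single search for agrosse is a posixAccount-by-uid lookup under ou=groups, where the tree sketched in the post keeps no posixAccount entries at all.

```python
"""Summarise a `slapd -d 256` trace: per connection, which bind DN was used
and which base/filter each search carried.  Added example; not code from
the original post, pam_ldap or OpenLDAP."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# conn=0 (the failing `agrosse` attempt) and conn=2 (the working `root`
# attempt), copied from the trace quoted in the post.
SAMPLE_TRACE = """\
daemon: conn=0 fd=9 connection from IP=127.0.0.1:38249
(IP=0.0.0.0:34049) accepted.
conn=0 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 9
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="ou=groups,dc=mydomain,dc=de" scope=2
filter="(&(objectClass=posixAccount)(uid=agrosse))"
conn=0 op=1 SEARCH RESULT tag=101 err=0 text=
daemon: conn=2 fd=15 connection from IP=127.0.0.1:38251
(IP=0.0.0.0:34049) accepted.
conn=2 op=0 BIND dn="" method=128
conn=2 op=0 RESULT tag=97 err=0 text=
conn=2 op=1 SRCH base="ou=groups,dc=mydomain,dc=de" scope=2
filter="(uid=root)"
conn=2 op=1 SEARCH RESULT tag=101 err=0 text=
conn=2 op=2 SRCH base="ou=groups,dc=mydomain,dc=de" scope=2
filter="(&(objectClass=posixGroup)(memberUid=root))"
ber_flush: 14 bytes to sd 15
conn=2 op=2 SEARCH RESULT tag=101 err=0 text=
conn=-1 fd=15 closed
"""

BIND_RE = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
SRCH_RE = re.compile(r'^conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+)')
FILTER_RE = re.compile(r'(?:^|\s)filter="([^"]*)"')
RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=\d+ err=(\d+)')


@dataclass
class Op:
    conn: int
    op: int
    kind: str                  # "BIND" or "SRCH"
    dn: str = ""               # bind DN; "" means an anonymous bind
    base: str = ""
    scope: int = -1
    filter: str = ""
    err: Optional[int] = None  # LDAP result code from the matching RESULT line


def parse_trace(text: str) -> List[Op]:
    """Parse BIND/SRCH/RESULT lines.  A SRCH line whose filter was wrapped onto
    the next line is completed from that line; ber_flush/daemon noise is skipped."""
    ops: List[Op] = []
    open_srch: Optional[Op] = None   # SRCH still waiting for its filter
    for raw in text.splitlines():
        line = raw.strip()
        if m := BIND_RE.match(line):
            ops.append(Op(int(m[1]), int(m[2]), "BIND", dn=m[3]))
            open_srch = None
        elif m := SRCH_RE.match(line):
            open_srch = Op(int(m[1]), int(m[2]), "SRCH", base=m[3], scope=int(m[4]))
            ops.append(open_srch)
            if f := FILTER_RE.search(line):      # unwrapped log: filter on same line
                open_srch.filter = f[1]
                open_srch = None
        elif open_srch is not None and (f := FILTER_RE.match(line)):
            open_srch.filter = f[1]              # wrapped continuation line
            open_srch = None
        elif m := RESULT_RE.match(line):
            for o in ops:
                if (o.conn, o.op) == (int(m[1]), int(m[2])):
                    o.err = int(m[3])
    return ops


def filter_shape(flt: str) -> str:
    """Label a filter by the attribute pair it tests (labels are this example's own)."""
    attrs = {a.lower(): v for a, v in re.findall(r'\(([A-Za-z]+)=([^()]*)\)', flt)}
    oc = attrs.get("objectclass", "").lower()
    if oc == "posixaccount" and "uid" in attrs:
        return "posixAccount-by-uid"
    if oc == "posixgroup" and "memberuid" in attrs:
        return "posixGroup-by-memberUid"
    if set(attrs) == {"uid"}:
        return "uid-only"
    return "other"


def summarise(ops: List[Op]) -> Dict[int, dict]:
    """Per connection: bind DNs seen, and (base, filter, shape, err) per search."""
    out: Dict[int, dict] = {}
    for o in ops:
        c = out.setdefault(o.conn, {"binds": [], "searches": []})
        if o.kind == "BIND":
            c["binds"].append(o.dn)
        else:
            c["searches"].append((o.base, o.filter, filter_shape(o.filter), o.err))
    return out


def user_dn_binds(ops: List[Op]) -> List[str]:
    """DNs of non-anonymous binds; an empty list means no password was ever
    verified against LDAP on these connections."""
    return [o.dn for o in ops if o.kind == "BIND" and o.dn]


if __name__ == "__main__":
    ops = parse_trace(SAMPLE_TRACE)
    for conn, info in sorted(summarise(ops).items()):
        print(f"conn={conn} binds={info['binds']!r}")
        for base, flt, shape, err in info["searches"]:
            print(f"  SRCH base={base} filter={flt} [{shape}] err={err}")
    print("non-anonymous binds:", user_dn_binds(ops) or "none")
```

Run it directly to print the summary, or pass a real trace to `parse_trace()`; the `err` field carries the result code from the RESULT line, so a bind or search that slapd actually rejected (err != 0) stands apart from one that simply returned nothing, as every operation in the post's trace does.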