Authentication Problems
Hi,
First, I'll try to explain what we want to do:
We want to authenticate users via pam_ldap, but based on group membership
of users - we want to check each group to see if the user trying to log in is a
member (-> memberUid), and, if found, take a look in another group, where
the user has his posixAccount entry, to check his password.
Following various pieces of advice, we kept our LDAP tree as shallow as possible,
so we have a tree consisting of our dc's, and then dividing into two
components: employees and groups. In 'employees', every employee is
listed, having the objectclass posixAccount with every required
attribute. Below groups, we have a tree representing the organisational
structure. There we have sub-groups like 'marketing' or 'tech', which
are posixGroups and organisationalUnits. In those groups, we have
memberUids. Short example:
ou=employees
    objectclass=organisationalunit
    description=Contains all employees
    cn=agrosse
        objectclass=posixAccount
        [every required attribute for posixAccount, including uid]
ou=groups
    objectclass=organisationalunit
    description=Contains organisational structure
    ou=tech
        objectclass=posixGroup
        objectclass=organisationalunit
        [every required attribute for posixGroup]
        memberUid=agrosse
We want to log in via sshd, so we added a module sshd in /etc/pam.d/:
#%PAM-1.0
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_stack.so service=system-auth
password sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_stack.so service=system-auth
session sufficient /lib/security/pam_ldap.so
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
Now we modified /etc/ldap.conf to contain the following lines to
authenticate by groups:
base ou=groups,dc=mydomain,dc=de
pam_filter objectclass=posixGroup
pam_login_attribute memberUid
The idea behind this is to search all groups for the memberUids. If there
is a match, look it up in the employees group and compare passwords.
But the output I get when starting slapd with -d 256 is:
------
daemon: conn=0 fd=9 connection from IP=127.0.0.1:38249
(IP=0.0.0.0:34049) accepted.
conn=0 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 9
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="ou=groups,dc=mydomain,dc=de" scope=2
filter="(&(objectClass=posixAccount)(uid=agrosse))"
ber_flush: 14 bytes to sd 9
conn=0 op=1 SEARCH RESULT tag=101 err=0 text=
------
Mysteriously, everything seems to work when trying to login as root:
-----
daemon: conn=1 fd=9 connection from IP=127.0.0.1:38250
(IP=0.0.0.0:34049) accepted.
conn=1 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 9
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 SRCH base="ou=groups,dc=mydomain,dc=de" scope=2
filter="(&(objectClass=posixGroup)(memberUid=root))"
ber_flush: 14 bytes to sd 9
conn=1 op=1 SEARCH RESULT tag=101 err=0 text=
conn=1 op=2 BIND dn="" method=128
ber_flush: 14 bytes to sd 9
conn=1 op=2 RESULT tag=97 err=0 text=
conn=1 op=3 SRCH base="ou=groups,dc=mydomain,dc=de" scope=2
filter="(&(objectClass=posixGroup)(memberUid=root))"
ber_flush: 14 bytes to sd 9
conn=1 op=3 SEARCH RESULT tag=101 err=0 text=
daemon: conn=2 fd=15 connection from IP=127.0.0.1:38251
(IP=0.0.0.0:34049) accepted.
conn=2 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 15
conn=2 op=0 RESULT tag=97 err=0 text=
conn=2 op=1 SRCH base="ou=groups,dc=mydomain,dc=de" scope=2
filter="(uid=root)"
ber_flush: 14 bytes to sd 15
conn=2 op=1 SEARCH RESULT tag=101 err=0 text=
conn=2 op=2 SRCH base="ou=groups,dc=mydomain,dc=de" scope=2
filter="(&(objectClass=posixGroup)(memberUid=root))"
ber_flush: 14 bytes to sd 15
conn=2 op=2 SEARCH RESULT tag=101 err=0 text=
conn=-1 fd=15 closed
------
So the filter keyword does not seem to work for a 'normal' user which
only exists in my LDAP database, but works for a user only existing in
the system passwd. What am I doing wrong?
And I have a few questions besides the fact that this isn't working:
Should I use the uniqueMember attribute instead of memberUid?
Does this work at all, using posixGroups and memberUids to find the
matching uid, and looking it up in a different dn to check the password?
And if it works, does it make sense (or would you recommend doing it
otherwise)?
The system we are working on is Redhat 7.1 & openldap 2.0.18.
Your help is highly appreciated!
Many thanks in advance,
Andreas Grosse
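An added example, not part of Andreas's post and not pam_ldap code: a small Python simulation of the two-step lookup described above (find a posixGroup under ou=groups whose memberUid matches the login name, then fetch the posixAccount under ou=employees and verify the password). It runs over a constructed LDIF snapshot of the tree from the post; the cn=agrosse entry's userPassword and the password "s3cret" are constructed values. The first search in the usage mirrors the slapd log: a posixAccount filter with base ou=groups returns nothing, because the account entries live under ou=employees, so the two steps need two different bases. Real pam_ldap verifies the password by binding as the resolved DN rather than reading userPassword; the local {SHA} comparison stands in for that bind here. The escaping helper follows RFC 4515 so that a login name such as "*" cannot turn the membership filter into a presence filter.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample directory mirroring the tree in the post: accounts under
# ou=employees, posixGroups carrying memberUid under ou=groups.  All values,
# including the password "s3cret", are constructed for this example.
_LDIF_TEMPLATE = """\
dn: ou=employees,dc=mydomain,dc=de
objectClass: organizationalUnit
ou: employees
description: Contains all employees

dn: cn=agrosse,ou=employees,dc=mydomain,dc=de
objectClass: posixAccount
cn: agrosse
uid: agrosse
uidNumber: 1001
gidNumber: 2001
homeDirectory: /home/agrosse
userPassword: @@PASSWORD@@

dn: ou=groups,dc=mydomain,dc=de
objectClass: organizationalUnit
ou: groups
description: Contains organisational structure

dn: ou=tech,ou=groups,dc=mydomain,dc=de
objectClass: posixGroup
objectClass: organizationalUnit
ou: tech
cn: tech
gidNumber: 2001
memberUid: agrosse
"""

GROUP_BASE = "ou=groups,dc=mydomain,dc=de"
ACCOUNT_BASE = "ou=employees,dc=mydomain,dc=de"


def parse_ldif(text):
    """Parse simple 'attr: value' LDIF into a list of (dn, {attr: [values]})."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        entries.append((dn, attrs))
    return entries


def make_sha_password(password):
    """OpenLDAP {SHA} form: base64 of the raw SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def check_password(attrs, password):
    """Constant-time compare of the candidate against stored {SHA} values."""
    candidate = make_sha_password(password)
    return any(hmac.compare_digest(s, candidate) for s in attrs.get("userpassword", []))


def escape_filter_value(value):
    """RFC 4515 escaping of the characters that have meaning inside a filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i):
    # Recursive-descent parser for (&...), (|...), (!...) and (attr=value).
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|":
        op, parts, i = s[i], [], i + 1
        while s[i] == "(":
            sub, i = _parse(s, i)
            parts.append(sub)
        return (op, parts), i + 1          # skip the closing ')'
    if s[i] == "!":
        sub, i = _parse(s, i + 1)
        return ("!", [sub]), i + 1
    end = s.index(")", i)                  # escaped values contain no raw ')'
    attr, _, value = s[i:end].partition("=")
    return ("=", (attr.strip().lower(), value)), end + 1


def matches(attrs, filt):
    """Evaluate a parsed filter with case-insensitive equality (caseIgnoreMatch)."""
    op, arg = filt
    if op == "&":
        return all(matches(attrs, f) for f in arg)
    if op == "|":
        return any(matches(attrs, f) for f in arg)
    if op == "!":
        return not matches(attrs, arg[0])
    attr, value = arg
    values = attrs.get(attr, [])
    if value == "*":                       # presence filter, only when unescaped
        return bool(values)
    want = _unescape(value).lower()
    return any(v.lower() == want for v in values)


def _normalize_dn(dn):
    # Simplified: no escaped commas inside RDN values in this sample tree.
    return ",".join(part.strip().lower() for part in dn.split(","))


def search(entries, base, filter_text, scope=2):
    """Subtree (scope=2) or base (scope=0) search, like ldapsearch -b/-s."""
    filt, _ = _parse(filter_text.strip(), 0)
    nbase = _normalize_dn(base)
    hits = []
    for dn, attrs in entries:
        ndn = _normalize_dn(dn)
        in_scope = ndn == nbase or (scope == 2 and ndn.endswith("," + nbase))
        if in_scope and matches(attrs, filt):
            hits.append((dn, attrs))
    return hits


def two_step_auth(entries, uid, password):
    """Group membership under ou=groups, then account + password under ou=employees."""
    safe = escape_filter_value(uid)
    groups = search(entries, GROUP_BASE, "(&(objectClass=posixGroup)(memberUid=%s))" % safe)
    if not groups:
        return False, "uid is not a memberUid of any posixGroup"
    accounts = search(entries, ACCOUNT_BASE, "(&(objectClass=posixAccount)(uid=%s))" % safe)
    if len(accounts) != 1:
        return False, "expected exactly one posixAccount, found %d" % len(accounts)
    dn, attrs = accounts[0]
    if not check_password(attrs, password):   # a real client would bind as dn here
        return False, "password check failed"
    return True, dn


SAMPLE_ENTRIES = parse_ldif(_LDIF_TEMPLATE.replace("@@PASSWORD@@", make_sha_password("s3cret")))

if __name__ == "__main__":
    # Same filter and base as op=1 in the slapd log: finds nothing under ou=groups.
    print(search(SAMPLE_ENTRIES, GROUP_BASE, "(&(objectClass=posixAccount)(uid=agrosse))"))
    print(two_step_auth(SAMPLE_ENTRIES, "agrosse", "s3cret"))
    print(two_step_auth(SAMPLE_ENTRIES, "root", "anything"))
```

The membership search is the only step that uses the ou=groups base; the account lookup needs the ou=employees base, and with a single `base` line in ldap.conf only one of the two can be expressed. Note also that a login name which is not a memberUid of any posixGroup is rejected before any password is examined, which is the ordering the post asks for.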