[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: problem with group membership enforcement

To: ldap list <openldap-software@OpenLDAP.org>
Subject: Re: problem with group membership enforcement
From: John Ziniti <jziniti@speakeasy.org>
Date: Thu, 16 Oct 2003 16:10:48 -0400
In-reply-to: <1066334118.1636.81.camel@newhotness.CS.Princeton.EDU>
References: <1066334118.1636.81.camel@newhotness.CS.Princeton.EDU>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030925

Brian K. Jones wrote:

Why was I allowed to log in? This is baffling.


[snip]

account sufficient /lib/security/pam_ldap.so


Here is your problem.  "account" must be set to "required" to
enforce the group membership.  Be careful, though!!  This
is enforced for *all* users, including root.  So if a valid
root account is not in that groups, root cannot log in.

I use the setup you are looking for but I have not been able
to get a decent setup that works around the above problem.  The
best I've been able to come up with is to have the root "stub"
in LDAP be "un-login-able".  This has to do with pam_unix
being too permissive.

HTH,

John Z

Follow-Ups:
- Re: problem with group membership enforcement
  - From: Adam Williams <adam@morrison-ind.com>

References:
- problem with group membership enforcement
  - From: "Brian K. Jones" <jonesy@CS.Princeton.EDU>

Prev by Date: problem with group membership enforcement
Next by Date: Re: kpasswd
Index(es):
- Chronological
- Thread