ssh group membership access
- To: openldap-technical@openldap.org
- Subject: ssh group membership access
- From: Daniel Bahena <informatux@gmail.com>
- Date: Wed, 29 Feb 2012 15:03:53 -0600
Hi,
I have a set of servers on which I want to configure ssh access based on the users' group membership.
I'm using CentOS 5 and this version of OpenLDAP:
[root@centos5 ldifs]# rpm -qa | grep ldap
openldap-servers-2.3.43-12.el5_7.10
php-ldap-5.1.6-27.el5_7.5
openldap-servers-overlays-2.3.43-12.el5_7.10
openldap-2.3.43-12.el5_7.10
nss_ldap-253-42.el5_7.4
openldap-2.3.43-12.el5_7.10
nss_ldap-253-42.el5_7.4
openldap-clients-2.3.43-12.el5_7.10
[root@centos5 ldifs]#
And this is my ldap.conf:
base dc=homelinux,dc=net
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_groupdn cn=access,ou=Group,dc=homelinux,dc=net
pam_member_attribute member
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
uri ldap://127.0.0.1/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
And these are the contents of cn=access:
[root@centos5 ldifs]# ldapsearch -x -W -D 'cn=Manager,dc=homelinux,dc=net' -h 127.0.0.1 "cn=access"
# access, Group, homelinux.net
dn: cn=access,ou=Group,dc=homelinux,dc=net
cn: access
objectClass: top
objectClass: groupOfNames
objectClass: labeledURIObject
member: uid=nobody,ou=People,dc=homelinux,dc=net
labeledURI: ldap:///ou=People,dc=homelinux,dc=net??one?(gidNumber=10060)
labeledURI: ldap:///ou=People,dc=homelinux,dc=net??one?(host=jumpbox)
[root@centos5 ldifs]#
And these are the contents of gid 10060 (unixsa):
[root@centos5 ldifs]# ldapsearch -x -W -D 'cn=Manager,dc=homelinux,dc=net' -h 127.0.0.1 "cn=unixsa"
# unixsa, Group, homelinux.net
dn: cn=unixsa,ou=Group,dc=homelinux,dc=net
gidNumber: 10060
description: unixsa
objectClass: top
objectClass: posixGroup
cn: unixsa
memberUid: uid=dan,ou=People,dc=homelinux,dc=net
memberUid: dan
[root@centos5 ldifs]#
And when I try to ssh into this box I get the following:
[kwame@vader ~]$ ssh dan@centos5
dan@centos5's password:
You must be a member of cn=access,ou=Group,dc=homelinux,dc=net to login.
Connection closed by 192.168.122.225
[kwame@vader ~]$
This is the info for the user dan:
[root@centos5 ldifs]# id dan
uid=10051(uid=dan,ou=People,dc=homelinux,dc=net) gid=10051(dan) groups=10051(dan),10060(unixsa)
Comments? Thoughts? Words of wisdom?
Best regards
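The cn=access entry above mixes a static `member` value with two labeledURI values. The pam_groupdn check only sees what slapd returns for `member`, which a plain server does not expand from labeledURI unless an overlay such as dynlist is configured for that object class and attribute; and even when expanded, each URL's filter is evaluated against entries under ou=People (the user's own gidNumber), not against the posixGroup that carries gidNumber 10060. The following added example, which is not from the post or from OpenLDAP, models that expansion offline against constructed entries (the uid=ops entry is hypothetical) to show which DNs the group would actually contain.

```python
# Constructed sample entries modelled on the post; uid=ops is hypothetical.
DIRECTORY = {
    "uid=dan,ou=People,dc=homelinux,dc=net": {"uid": ["dan"], "gidNumber": ["10051"]},
    "uid=ops,ou=People,dc=homelinux,dc=net": {"uid": ["ops"], "gidNumber": ["10060"], "host": ["jumpbox"]},
    "cn=unixsa,ou=Group,dc=homelinux,dc=net": {"gidNumber": ["10060"], "memberUid": ["dan"]},
}
# The cn=access group as shown in the post: one static member plus two URLs.
ACCESS_GROUP = {
    "member": ["uid=nobody,ou=People,dc=homelinux,dc=net"],
    "labeledURI": [
        "ldap:///ou=People,dc=homelinux,dc=net??one?(gidNumber=10060)",
        "ldap:///ou=People,dc=homelinux,dc=net??one?(host=jumpbox)",
    ],
}

def parse_ldap_url(url):
    """Split 'ldap:///base?attrs?scope?filter' (RFC 4516) into (base, scope, filter)."""
    base, _attrs, scope, filt = (url[len("ldap:///"):].split("?", 3) + [""] * 3)[:4]
    return base, scope or "base", filt or "(objectClass=*)"

def in_scope(dn, base, scope):
    # base: the entry itself; one: direct children only; anything else: whole subtree
    if scope == "base":
        return dn == base
    parent = dn.split(",", 1)[1] if "," in dn else ""
    if scope == "one":
        return parent == base
    return dn == base or dn.endswith("," + base)

def matches(entry, filt):
    """Evaluate a small RFC 4515 subset: (attr=value) plus (&...) and (|...); attribute names are matched case-sensitively here."""
    body = filt[1:-1]
    if body[0] in "&|":
        subs, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                subs.append(body[start:i + 1])
                start = i + 1
        return {"&": all, "|": any}[body[0]](matches(entry, s) for s in subs)
    attr, value = body.split("=", 1)
    return value in entry.get(attr, [])

def effective_members(group, directory):
    """Static member values plus every DN the labeledURI values would select."""
    members = set(group.get("member", []))
    for url in group.get("labeledURI", []):
        base, scope, filt = parse_ldap_url(url)
        members |= {dn for dn, e in directory.items() if in_scope(dn, base, scope) and matches(e, filt)}
    return members

def may_login(user_dn, group, directory):
    return user_dn in effective_members(group, directory)
```

Running it shows uid=dan excluded (his own gidNumber is 10051) while a People entry with gidNumber 10060 or host=jumpbox would be included; cn=unixsa never matches because the URL scope is limited to ou=People.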