Network Security Secure-Shell

RE: AllowGroups and ldap

Subject: RE: AllowGroups and ldap
Date: Thu, 3 Feb 2005 11:23:38 +0800
You did not mention which conf file is for the LDAP server and which one is for the LDAP client + SSH server; a bit confusing.

You MUST set "UsePAM yes" at the SSH server (LDAP client), i.e. use PAM_LDAP/NSS_LDAP, if you really need LDAP as the name service for user id/pw resolution.

Again, I am not sure if AllowGroups in sshd_config could recognize LDAP ids, as "man sshd_config" does not say it very clearly.

If you use START_TLS, DO NOT put an IP or localhost in the "host" directive; use the FQDN (Fully Qualified Domain Name), e.g. ldap.example.com, and prepare DNS and /etc/hosts for IP/name mapping.

The nsswitch.conf for the LDAP server and client should not be the same. The one at the LDAP "server" end should be just the normal one without "ldap" references.

Gary

-----Original Message-----
From: Lars Weste [mailto:lweste@gmx.de] 
Sent: Wednesday, February 02, 2005 3:54 PM
To: Tay, Gary
Cc: secureshell@securityfocus.com
Subject: RE: AllowGroups and ldap


Hi,

I can successfully log in from one SuSE 9.1 to another SuSE 9.1, both connected to the same LDAP server.

This is the remote SuSE 9.1 sshd_config:
================================================
Port 22
Protocol 2
PermitRootLogin no
StrictModes yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
X11Forwarding yes
Subsystem       sftp    /usr/lib/ssh/sftp-server
AllowGroups    admin
===============================================
This is the remote SuSE 9.1 ldap.conf file:
===============================================
host    10.10.10.10
base    dc=intern
ldap_version    3
pam_password    md5
nss_map_attribute uniqueMember member
ssl     start_tls
nss_map_attribute       uniqueMember member
pam_filter      objectclass=posixAccount
nss_base_passwd dc=intern
nss_base_shadow dc=intern
nss_base_group  dc=intern
=============================================
This is the remote SuSE 9.1 nsswitch.conf file:
=============================================
passwd: compat
group:  compat
hosts:  files dns
networks:       files dns
services:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files
publickey:      files
bootparams:     files
automount:      files nis
aliases:        files
passwd_compat:  ldap
group_compat:   ldap
=========================================================
And the following file is the SuSE 9.1 /etc/pam.d/sshd, but I think this file shouldn't be used because I configured UsePAM=no in sshd_config:
=========================================================
#%PAM-1.0
auth required   pam_unix2.so # set_secrpc
auth required   pam_nologin.so
auth required   pam_env.so
account required        pam_unix2.so
account required        pam_nologin.so
password required       pam_pwcheck.so
password required       pam_unix2.so    use_first_pass use_authtok
session required        pam_unix2.so    none       # trace or debug
session required        pam_limits.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session  optional      pam_resmgr.so fake_ttyname
===============================================================
With this configuration I can log in without any problem; the sshd checks that I am a member of the admin group, which is only available through LDAP.
=========================================================

The following is the SLES 9 sshd_config file, the same as the SuSE 9.1 one except for the AllowGroups directive:
=========================================================
Port 22
Protocol 2
PermitRootLogin no
StrictModes yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
X11Forwarding yes
Subsystem       sftp    /usr/lib/ssh/sftp-server
AllowGroups    backup admin wheel
====================================================
The following file is the SLES 9 ldap.conf, the same except for the host directive:
====================================================
host    localhost
base    dc=intern
ldap_version    3
pam_password    md5
nss_map_attribute       uniqueMember member
ssl     start_tls
nss_map_attribute       uniqueMember member
pam_filter      objectclass=posixAccount
nss_base_passwd dc=intern
nss_base_shadow dc=intern
nss_base_group  dc=intern
===================================================
The SLES 9 nsswitch.conf file is exactly the same as the SuSE 9.1 nsswitch.conf above.

===================================================
id lars
uid=1010(lars) gid=1006(weird) groups=1006(weird),1011(admin)

With this configuration, where the admin group is a supplementary group, I can log in to the SuSE 9.1 but not to the SLES 9.

I changed the groups I belong to to the following:
id lars
uid=1010(lars) gid=1011(admin) groups=1011(admin),1006(weird)

This enables me to log in to both systems. But having the admin group as the primary group is not an option.

So if anybody has a hint as to what my problem might be, please tell me, because I'm a bit clueless here. Or maybe there are other configuration files involved which I didn't consider?

Kind regards
Lars

===================================================
 
      
       
IIRC, OpenSSH uses PAM and then PAM uses PAM_LDAP/NSS_LDAP to retrieve LDAP id/pw info. So you have to configure PAM ("UsePAM yes"), /etc/pam.conf (load pam_ldap.so.1) and /etc/ldap.conf (nss_ldap's config) files.

It will be interesting to see, even after the above have been done, whether the "AllowGroups" directive works for LDAP-based, instead of just /etc/passwd-based, login ids. "man sshd_config" does not say the group info could be read from LDAP.

Let us know what you come up with.

Gary

-----Original Message-----       
From: Lars Weste [mailto:lweste@gmx.de]        
Sent: Monday, January 31, 2005 4:52 PM       
To: secureshell@securityfocus.com       
Subject: AllowGroups and ldap       
       
       
hi list,

I encountered a problem while trying to use the AllowGroups feature of OpenSSH to restrict access to only some groups.

I'm using SuSE's ssh version, OpenSSH_3.8p1, OpenSSL 0.9.7d 17 Mar 2004, on the server and client side. The account information of the user I want to log in as is stored within OpenLDAP.

$ id
uid=1010(lars) gid=1006(weird) groups=1006(weird),1011(admin).

I only want to allow members of the admin group to log in. The group information about the admin and the weird groups is also stored in the LDAP database. If I configure AllowGroups weird, which is the primary group of the user, I can log in. If I replace weird with admin, the login will be rejected.

=============
User lars not allowed because none of user's groups are listed in AllowGroups
input_userauth_request: illegal user lars
=============

I added the user to the local group wheel, added the wheel group to the AllowGroups statement and restarted the sshd. With a local supplementary group I could successfully log in. So is there a way to use the supplementary groups of the user provided by the LDAP daemon?


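An added diagnostic for the question in this thread, not code from any of the posters: it reproduces sshd's AllowGroups decision from the group list NSS returns for a user, so the SuSE 9.1 and SLES 9 hosts can be compared side by side. The `id lars` output and the SLES 9 AllowGroups line are a constructed sample taken from the messages above; the function names are my own.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): emulate sshd's AllowGroups check
# from what NSS reports for a user, to see whether LDAP supplementary groups
# reach the SSH server at all.

# Group names from "id <user>" output,
# e.g. "... groups=1006(weird),1011(admin)" -> "weird admin".
groups_from_id() {
    printf '%s\n' "$1" | awk -F'groups=' '{
        n = split($2, a, ",")
        for (i = 1; i <= n; i++) {
            sub(/^[0-9]+\(/, "", a[i]); sub(/\).*$/, "", a[i])
            printf "%s%s", (i > 1 ? " " : ""), a[i]
        }
        print ""
    }'
}

# First AllowGroups value in an sshd_config text (keyword is case-insensitive).
allowgroups_from_config() {
    printf '%s\n' "$1" |
        awk 'tolower($1) == "allowgroups" { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# sshd allows the login if any of the user's groups matches any AllowGroups
# pattern; patterns may contain * and ?, which "case" matches the same way.
# Returns 0 (allowed) or 1 (sshd logs "none of user's groups are listed").
sshd_allowgroups_match() {
    for g in $2; do
        for pat in $1; do
            case "$g" in
                $pat) return 0 ;;
            esac
        done
    done
    return 1
}

# Constructed sample: the "id lars" output and the SLES 9 AllowGroups line
# as posted in the thread.
ID_OUTPUT='uid=1010(lars) gid=1006(weird) groups=1006(weird),1011(admin)'
SLES_CONFIG='Port 22
UsePAM no
AllowGroups    backup admin wheel'

allowed=$(allowgroups_from_config "$SLES_CONFIG")
ugroups=$(groups_from_id "$ID_OUTPUT")
if sshd_allowgroups_match "$allowed" "$ugroups"; then
    echo "allowed: groups [$ugroups] match AllowGroups [$allowed]"
else
    echo "rejected: groups [$ugroups] match none of AllowGroups [$allowed]"
fi
```

On a live server run `sshd_allowgroups_match "$(allowgroups_from_config "$(cat /etc/ssh/sshd_config)")" "$(id -Gn lars)"` as root; if that says allowed but sshd still rejects the login, the sshd process is resolving a different group list than the interactive `id` call, which points at the NSS/LDAP lookup on that host rather than at the AllowGroups line.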