Network Security Secure-Shell

RE: AllowGroups and ldap

Subject: RE: AllowGroups and ldap
Date: Thu, 3 Feb 2005 16:56:09 +0100 (MET)
Hi Gary,

thanks for your answer, and sorry if I failed to describe the situation
satisfactorily.
   
I have two suse9.1 connected as clients to the ldap server.

I can successfully ssh from one client to the other.
My username, primary and supplementary group are out of the ldap server.
Nothing of my identity is stored locally despite my ssh key, so I can log
in with admin as my supplementary group.
   
id   
uid=1010(lars) gid=1006(weird) groups=1006(weird),1011(admin)   
   
The following are the configuration files at both suse 9.1:
suse9.1 sshd_config:==========================================   
Port 22   
Protocol 2   
PermitRootLogin no   
StrictModes yes   
RhostsRSAAuthentication no   
HostbasedAuthentication no   
IgnoreRhosts yes   
PasswordAuthentication no   
ChallengeResponseAuthentication no   
UsePAM no   
X11Forwarding yes   
Subsystem       sftp    /usr/lib/ssh/sftp-server   
AllowGroups    admin   
   
suse9.1 ldap.conf:===================================   
host    server.intern   
base    dc=intern   
ldap_version    3   
pam_password    md5   
nss_map_attribute uniqueMember member   
ssl     start_tls   
nss_map_attribute       uniqueMember member   
pam_filter      objectclass=posixAccount   
nss_base_passwd dc=intern   
nss_base_shadow dc=intern   
nss_base_group  dc=intern   
   
suse9.1 nsswitch.conf:=============================   
passwd: compat   
group:  compat   
hosts:  files dns   
networks:       files dns   
services:       files   
protocols:      files   
rpc:    files   
ethers: files   
netmasks:       files   
netgroup:       files   
publickey:      files   
bootparams:     files   
automount:      files nis   
aliases:        files   
passwd_compat:  ldap   
group_compat:   ldap   
   
===================================================   
===================================================   
ldap server sshd_config:===========================   
Port 22   
Protocol 2   
PermitRootLogin no   
StrictModes yes   
RhostsRSAAuthentication no   
HostbasedAuthentication no   
IgnoreRhosts yes   
PasswordAuthentication no   
ChallengeResponseAuthentication no   
UsePAM no   
X11Forwarding yes   
Subsystem       sftp    /usr/lib/ssh/sftp-server   
AllowGroups     admin  
  
ldap servers ldap.conf:================================ 
host    server.intern 
base    dc=intern 
ldap_version    3 
pam_password    md5 
nss_map_attribute uniqueMember member 
ssl     start_tls 
nss_map_attribute       uniqueMember member 
pam_filter      objectclass=posixAccount 
nss_base_passwd dc=intern 
nss_base_shadow dc=intern 
nss_base_group  dc=intern 
 
ldap servers nsswitch.conf:========================= 
passwd: compat 
group:  compat 
hosts:  files dns 
networks:       files dns 
services:       files 
protocols:      files 
rpc:    files 
ethers: files 
netmasks:       files 
netgroup:       files 
publickey:      files 
bootparams:     files 
automount:      files nis 
aliases:        files 
passwd_compat:  ldap 
group_compat:   ldap 
 
 
So I can successfully log into the ldap server with this config if I
change the admin group to my primary group and the weird group as the
supplementary one. But in the situation which I want, the admin group as a
supplementary group, it doesn't let me in.

As both configurations are nearly the same, I'm wondering what could be
the problem?

As you suggested, I changed the ip and the localhost in the ldap.conf
files to server.intern, but without any change. If I remove the ldap
compat lines at the server's nsswitch.conf file, I won't be able to log in
with an ldap account, I think?
So it seems that there are some other parts of the system causing the
problem.

Thanks for your patience. Hopefully it is now clearer why I'm totally
clueless at this point. (: Any suggestions?

regards
lars
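An added diagnostic, not part of Lars's mail or of any project's code, for checking what sshd on the ldap server actually sees: AllowGroups is evaluated against the primary group plus the supplementary groups returned by that host's NSS group lookup (getgrouplist), so the useful comparison is between `getent group` and `id -Gn`. The function names are made up for this example and the group lines used in its test are constructed.

```shell
# Added diagnostic for the AllowGroups question above (not from the mail).
# sshd checks AllowGroups against the primary group plus the supplementary
# groups this host's NSS lookup (getgrouplist) returns for the account.

# allowgroups_permits PATTERNS GROUPS
#   PATTERNS: the AllowGroups value from sshd_config (space-separated globs)
#   GROUPS:   the account's group names as printed by `id -Gn USER`
# Returns 0 if any group matches a pattern, 1 otherwise. Negated patterns
# (leading '!') are not handled.
allowgroups_permits() {
    _user_groups=$2
    set -f                    # split the patterns without pathname expansion
    set -- $1
    set +f
    for _g in $_user_groups; do
        for _p in "$@"; do
            case $_g in
                $_p) return 0 ;;
            esac
        done
    done
    return 1
}

# groups_listing_user USER GETENT_OUTPUT
#   GETENT_OUTPUT: lines in `getent group` format, name:passwd:gid:member,...
# Prints every group whose member list names USER.
groups_listing_user() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# groups_missing USER GETENT_OUTPUT ID_GROUPS
#   ID_GROUPS: the output of `id -Gn USER` on the same host
# Prints groups the group database lists USER in but `id -Gn` omits. A
# non-empty result means the group is in the database but the initgroups
# path sshd relies on does not return it; with nsswitch compat mode that
# usually means /etc/group lacks the '+' entry that defers to ldap.
groups_missing() {
    _id=" $(printf '%s' "$3" | tr '\n' ' ') "
    for _g in $(groups_listing_user "$1" "$2"); do
        case $_id in
            *" $_g "*) ;;
            *) printf '%s\n' "$_g" ;;
        esac
    done
}

# Live use on the ldap server, as root:
#   groups_missing lars "$(getent group)" "$(id -Gn lars)"
#   allowgroups_permits admin "$(id -Gn lars)" && echo permitted || echo denied
```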
   
   
   
