El Jueves, 31 de Agosto de 2006 08:30, escribió:
Enrique,
I can choose the hosts a unix user have access to by adding the
"accessto" attribute.
In every client, I have the next entry on pam_ldap.conf
pam_filter objectclass=posixAccount)(|(trustmodel=fullaccess)
(accessto=serverhostname).
It works using ssh connections with password mechanism, gdm or just
login.
But Ive created a public key pair with ssh-keygen, and I can log in all
the clients ($HOME throw NFS) although my user has no "accessto"
attribute for these hosts.
Looks like pam_filter is used only for filtering user data and not
for the account management in the pam_ldap. Can you run your ssh server
with -ddd flags, try to log in with user that has no 'accessto' attribute
and see what stage of PAM rejected that user.
One more idea: do you use pam_nss? If yes, then pam_unix can let you
in, because it looks up user using nsswitch. pam_nss (at least version 252)
does not use pam_filter configuration item. Try to eliminate success=1
from pam_unix.so string below and see if it will help.
Really, it is a libnss issue. Ive not changed account pam configuration, just
change
shadow: files ldap
to
shadow: files
on nsswitch.conf
Its reported at README.Debian on libpam-ldap.
Thanks
Enrique
# /etc/pam.d/common-account - authorization settings common to all
services
account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so
--
Enrique de la Torre Gordaliza
Departamento de Arquitectura de Computadores y Automática
Desp. 220A, Facultad CC. Físicas, Univ. Complutense de Madrid
Tlfn: 91 394 4389
