PAM/ldap_pam/NFSv4: How let users of a speicific group log into a specific box?

From: O. Hartmann <ohartman_at_zedat.fu-berlin.de>
Date: Mon, 27 Apr 2009 07:48:07 +0000
Hello.
I run into a specific problem and for several months of experiments I 
havn't found a solution, yet.

This is what I wish to get and need:

A simple capability of selecting users into a specific group. Members of 
such a group should then log into a set of specific hosts.
Infrastructure is FreeBSD 8.0-CURRENT/amd64 and some 7.2-STABLE boxes 
(acting as server) as well as OpenLDAP backend.

Authentication on boxes is done via PAM/ldap_pam. But it is on FreeBSD's 
side a vanilla configuration, not very sophisticated. Users autheticate 
and authorize against an OpenLDAP server residing on another box.

pam_ldap in its most recent ports-version offers, as the manpage claims, 
a facility enabling group logins (resides in /usr/local/etc/ldap.conf):

# Group to enforce membership of
pam_groupdn cn=mygroup,ou=groups,dc=foo,dc=org?sub

# Group member attribute
#pam_member_attribute uniqueMember
pam_member_attribute memberUid


Within the DIT of the OpenLDAP server ou=groups exists and contains also 
a group called 'mygroup' with a multi-value attribute (as required), in 
this case memberUid.

Using pam_ldap.so as a 'required' module is not appreciated, so there 
seems a problem to me with the stack order - should say: I need a LDAP 
solution. pam_group doesn't work for me:


auth	required/requisite	pam_group.so	no_warn group=mygroup


Can anybody help or do have hints?

Please remember I do not belon g to the 'questions' list, so please put 
me into your mail-cc.

Regards,
Oliver
Received on Mon Apr 27 2009 - 05:49:30 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:46 UTC