Re: Filter by group seems to be not working

On Mon, 2014-12-15 at 11:17 -0200, Otavio Campos Velho Gloria wrote:
> I believe that my configuration is right, because it's consulting
> correctly, but when I try to filter by group it's not working. On nslcd
> debug I saw that the group filter is doing its job, but even when it
> returns no result (user not in this group) the system permits the
> access.

Group membership is probably best configured with pam_group.

> filter group  (&(objectClass=posixGroup)(cn=logonVISAO))

This means that only groups that match the above filter are found on the
system, it does not mean that only users that match this group can
login.

You should look into pam_authz_search with something like:

(&(objectClass=posixGroup)(cn=logonVISAO)(memberUid=$username))

Note that this only applies to authorisation checks that use PAM. I
think this should also work in SSH when using key-based authentication.

> dn: cn=logonDRAGUNOV,ou=Groups,dc=e-trust,dc=com,dc=br
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: logonDRAGUNOV
> gidNumber: 61208
> memberUid: uid=ds,ou=People,dc=e-trust,dc=com,dc=br
> memberUid: ds

This is a bit weird. The memberUid attribute should include just the
username. The member (or uniqueMember) attribute is supposed to contain
a DN.
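To make the two points above concrete, here is an added example (not from this thread or from the nss-pam-ldapd project) showing the `filter group` line beside the `pam_authz_search` line in nslcd.conf, followed by a group entry with memberUid in the form nslcd expects; the uri and the gidNumber are assumed placeholders, the base DN and group names are taken from the thread.

```conf
# --- /etc/nslcd.conf (fragment) ---
uri ldap://ldap.example.com/          # assumed placeholder
base dc=e-trust,dc=com,dc=br

# Weak: this only narrows which groups NSS resolves on this host.
# A user outside logonVISAO still authenticates, because no
# authorisation check is performed anywhere.
filter group (&(objectClass=posixGroup)(cn=logonVISAO))

# Corrected: leave group lookups alone and require membership at
# PAM authorisation time. nslcd substitutes $username and the
# account check fails when the search returns no entry. This is
# only evaluated through PAM (pam_ldap.so in the account stack),
# so it does not affect plain NSS lookups such as getent.
pam_authz_search (&(objectClass=posixGroup)(cn=logonVISAO)(memberUid=$username))

# --- group entry as LDIF, with memberUid holding only the username ---
# dn: cn=logonVISAO,ou=Groups,dc=e-trust,dc=com,dc=br
# objectClass: posixGroup
# cn: logonVISAO
# gidNumber: 60000            # assumed placeholder
# memberUid: ds               # bare username, not a DN
# (a DN such as uid=ds,ou=People,... belongs in member/uniqueMember,
#  and would never match memberUid=$username)
```

With both in place, a login by a user whose uid is not listed in memberUid of logonVISAO is refused at the PAM account stage, and `nslcd -d` shows the pam_authz_search returning no result for that user.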

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --