Re: Filtering users by group

On Fri, 2010-05-21 at 17:13 -0300, ROGERIO DE CARVALHO BASTOS wrote:
> Thanks Arthur, this is a great function. Do I need to configure anything
> else in pam.d? I try to use pam_authz_search, but anyone can log in.

You need to put pam_authz_search in /etc/nslcd.conf and restart nslcd.
You can run nslcd with the -d option to see what is going on (there
should be a nslcd_pam_authz request coming in). For a successful
authorisation you should see something like this:

DEBUG: nslcd_pam_authz("arthur","uid=arthur,ou=people,dc=test,dc=tld","su","nobody","","/dev/pts/5")
DEBUG: myldap_search(base="dc=test,dc=tld", filter="(&(objectClass=posixGroup)(cn=testgroup)(memberUid=arthur))")

For a failed one something like this:

DEBUG: nslcd_pam_authz("arthur","uid=arthur,ou=people,dc=test,dc=tld","su","nobody","","/dev/pts/5")
DEBUG: myldap_search(base="dc=test,dc=tld", filter="(&(objectClass=posixGroup)(cn=testgroup)(memberUid=arthur))")
DEBUG: ldap_result(): end of results
no entry found
DEBUG: LDAP authorisation check failed

The upcoming release should output a little more verbose debug logging
when doing an authorisation search. If the nslcd_pam_authz doesn't show
up in the debug output, the PAM module is probably not asked to do
authorisation (account in pam.d).

Alternatively you can probably also use the pam_succeed_if module and
put something like the following in your PAM stack (untested):

account pam_succeed_if.so user ingroup remo_meso

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
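Added example, not from the message above or from nss-pam-ldapd itself: a small Python parser over the kind of nslcd -d output Arthur quotes, pairing each nslcd_pam_authz request with its search filter and outcome so refused authorisations can be picked out of a debug log. The sample lines are constructed from the quoted excerpts (re-joined onto single lines); the six field names and the rule "granted unless a failure line follows the request" are assumptions based only on that quoted output.

```python
import re

# Constructed sample input: the two "nslcd -d" excerpts quoted in the message
# above, with the mail-wrapped lines re-joined so each DEBUG record is one line.
SUCCESS_LOG = """\
DEBUG: nslcd_pam_authz("arthur","uid=arthur,ou=people,dc=test,dc=tld","su","nobody","","/dev/pts/5")
DEBUG: myldap_search(base="dc=test,dc=tld", filter="(&(objectClass=posixGroup)(cn=testgroup)(memberUid=arthur))")
"""
FAILED_LOG = SUCCESS_LOG + """\
DEBUG: ldap_result(): end of results
no entry found
DEBUG: LDAP authorisation check failed
"""

# Assumed argument order, taken from the quoted nslcd_pam_authz() debug line.
AUTHZ_FIELDS = ("user", "dn", "service", "ruser", "rhost", "tty")
AUTHZ_RE = re.compile(r'nslcd_pam_authz\((.*)\)\s*$')
SEARCH_RE = re.compile(r'myldap_search\(base="([^"]*)",\s*filter="([^"]*)"')


def parse_authz_checks(log):
    """Group nslcd debug lines into one record per pam_authz request.

    A request counts as granted unless a 'no entry found' or
    'authorisation check failed' line follows it before the next request.
    """
    checks, current = [], None
    for line in log.splitlines():
        m = AUTHZ_RE.search(line)
        if m:
            args = re.findall(r'"([^"]*)"', m.group(1))  # keeps empty "" args
            current = dict(zip(AUTHZ_FIELDS, args))
            current.update(base=None, filter=None, granted=True)
            checks.append(current)
            continue
        if current is None:
            continue  # lines before the first request belong to no check
        m = SEARCH_RE.search(line)
        if m:
            current["base"], current["filter"] = m.groups()
        elif line.strip() == "no entry found" or "authorisation check failed" in line:
            current["granted"] = False
    return checks


def denied(checks):
    """Return (user, service, tty) for every request nslcd refused."""
    return [(c["user"], c["service"], c["tty"]) for c in checks if not c["granted"]]


if __name__ == "__main__":
    for name, log in (("success", SUCCESS_LOG), ("failed", FAILED_LOG)):
        print(name, parse_authz_checks(log))
```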