Re: Filtering users by group
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: Filtering users by group
- Date: Sat, 22 May 2010 12:54:19 +0200
On Fri, 2010-05-21 at 17:13 -0300, ROGERIO DE CARVALHO BASTOS wrote:
> Thanks Arthur, this is a great function. Do I need to configure anything
> else in pam.d? I tried to use pam_authz_search, but anyone can still
> log in.
You need to put pam_authz_search in /etc/nslcd.conf and restart nslcd.
You can run nslcd with the -d option to see what is going on (there
should be an nslcd_pam_authz request coming in). For a successful
authorisation you should see something like this:
DEBUG:
nslcd_pam_authz("arthur","uid=arthur,ou=people,dc=test,dc=tld","su","nobody","","/dev/pts/5")
DEBUG: myldap_search(base="dc=test,dc=tld",
filter="(&(objectClass=posixGroup)(cn=testgroup)(memberUid=arthur))"
For a failed one something like this:
DEBUG:
nslcd_pam_authz("arthur","uid=arthur,ou=people,dc=test,dc=tld","su","nobody","","/dev/pts/5")
DEBUG: myldap_search(base="dc=test,dc=tld",
filter="(&(objectClass=posixGroup)(cn=testgroup)(memberUid=arthur))")
DEBUG: ldap_result(): end of results
no entry found
DEBUG: LDAP authorisation check failed
The upcoming release should output a little more verbose debug logging
when doing an authorisation search. If the nslcd_pam_authz doesn't show
up in the debug output the PAM module is probably not asked to do
authorisation (account in pam.d).
Alternatively you can probably also use the pam_succeed_if module and
put something like the following in your PAM stack (untested):
account pam_succeed_if.so user ingroup remo_meso
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
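As an added example, not part of the thread, here is one way to check the nslcd -d output the way described above: a small Python script that pairs each nslcd_pam_authz request with its outcome so you can see which users the pam_authz_search filter is actually denying. The sample log lines are constructed from the transcripts quoted in the message; the field order after the username (DN, service, ruser, rhost, tty) and the rule that a request without a following "LDAP authorisation check failed" line counts as a success are assumptions.

```python
import re

# Constructed sample of `nslcd -d` output, modelled on the lines quoted above.
# The second request is followed by the failure lines from the "failed" transcript.
SAMPLE_LOG = """\
DEBUG: nslcd_pam_authz("arthur","uid=arthur,ou=people,dc=test,dc=tld","su","nobody","","/dev/pts/5")
DEBUG: myldap_search(base="dc=test,dc=tld", filter="(&(objectClass=posixGroup)(cn=testgroup)(memberUid=arthur))")
DEBUG: nslcd_pam_authz("bob","uid=bob,ou=people,dc=test,dc=tld","sshd","","203.0.113.7","")
DEBUG: myldap_search(base="dc=test,dc=tld", filter="(&(objectClass=posixGroup)(cn=testgroup)(memberUid=bob))")
DEBUG: ldap_result(): end of results
no entry found
DEBUG: LDAP authorisation check failed
"""

# Matches the request wherever it sits on the line, so a wrapped "DEBUG:" prefix does not matter.
AUTHZ_RE = re.compile(r'nslcd_pam_authz\((.*)\)\s*$')
FAIL_MARK = "LDAP authorisation check failed"


def parse_authz_log(text):
    """Return one dict per nslcd_pam_authz request with its outcome.

    A failed check is reported by nslcd as "LDAP authorisation check failed"
    before the next request arrives; a request with no such line is treated
    as a success (assumption based on the two transcripts in the message).
    """
    events = []
    current = None
    for line in text.splitlines():
        m = AUTHZ_RE.search(line)
        if m:
            if current is not None:
                events.append(current)
            # Arguments are double-quoted strings; the DN may contain commas, so
            # pull the quoted values rather than splitting on ",".
            args = re.findall(r'"([^"]*)"', m.group(1))
            # Assumed field order: user, DN, service, ruser, rhost, tty.
            current = {"user": args[0], "dn": args[1], "service": args[2],
                       "rhost": args[4] if len(args) > 4 else "", "result": "success"}
        elif FAIL_MARK in line and current is not None:
            current["result"] = "denied"
    if current is not None:
        events.append(current)
    return events


def denied_users(text):
    """Sorted list of usernames that failed the authorisation search."""
    return sorted({e["user"] for e in parse_authz_log(text) if e["result"] == "denied"})


if __name__ == "__main__":
    for e in parse_authz_log(SAMPLE_LOG):
        print(f'{e["user"]:10} {e["service"]:6} {e["rhost"]:15} {e["result"]}')
```

Feed it the real nslcd -d output instead of SAMPLE_LOG; if no nslcd_pam_authz request appears at all, the account stage in pam.d is not calling the module, as the message notes.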