
Using filter passwd

Dear community,

I am trying to use the libpam-ldapd and libnss-ldapd packages on Debian Squeeze.
I am using nslcd.

It works fine: the getent passwd command returns the users from the LDAP.

I need to specify, user by user, who can have access to each server.
In order to achieve this, in our LDAP we created a host attribute for each user.

For example, my user1 must have access to server1 and server2:

Attribute             Value
host                    server1
host                    server2

We created a host attribute value to give access to all servers for system administrators; we call it 'all'.

When I used libpam-ldap I used the following syntax (/etc/pam_ldap.conf):

pam_filter | (host=server1)(host=all)

With libpam-ldapd (/etc/nslcd.conf) I tried the following:

filter passwd (| (host=server1)(host=all))

The output of 'getent passwd' only shows users with at least one of the attribute values, which is what I want.

My LDAP is like:

dc=exemple,dc=org
         -> o=service1
              -> ou=Users
         -> o=service2
              -> ou=Users

The issue is that I created a test user in service2 with the host attribute, but the SSH login failed.
This works for my user, which is in o=service1,ou=Users.

Here is the debug output of nslcd:

nslcd: [b0dc51] DEBUG: connection from pid=21377 uid=0 gid=0
nslcd: [b0dc51] DEBUG: nslcd_shadow_byname(hugo.test)
nslcd: [b0dc51] DEBUG: myldap_search(base="dc=exemple,dc=org", filter="(&(objectClass=shadowAccount)(uid=hugo.test))")
nslcd: [b0dc51] DEBUG: ldap_initialize(ldaps://ldap.exemple.org/)
nslcd: [b0dc51] DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [b0dc51] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap.exemple.org/")
nslcd: [b0dc51] DEBUG: ldap_result(): end of results
nslcd: [495cff] DEBUG: connection from pid=21377 uid=0 gid=0
nslcd: [495cff] DEBUG: nslcd_pam_authc("hugo.test","","sshd","***")
nslcd: [495cff] DEBUG: myldap_search(base="dc=exemple,dc=org", filter="(&(| (host=mut)(host=host1))(uid=hugo.test))")
nslcd: [495cff] DEBUG: myldap_search(base="uid=hugo.test,ou=Users,o=service2,dc=exemple,dc=org", filter="(| (host=mut)(host=host1))")
nslcd: [495cff] DEBUG: ldap_initialize(ldaps://ldap.exemple.org/)
nslcd: [495cff] DEBUG: ldap_set_rebind_proc()
nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [495cff] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [495cff] DEBUG: ldap_simple_bind_s("uid=hugo.test,ou=Users,o=service2,dc=exemple,dc=org","***") (uri="ldaps://ldap.exemple.org/")
nslcd: [495cff] ldap_result() failed: No such object
nslcd: [495cff] lookup of user uid=hugo.test,ou=Users,o=service2,dc=exemple,dc=org failed: No such object
nslcd: [495cff] DEBUG: ldap_unbind()


If you need more information feel free to ask.

Any help is appreciated,
Thanks

Hugo

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users
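Added example, not code from nss-pam-ldapd or from the poster: a Python model of the two searches nslcd performs in the debug log above (the subtree search for (&<filter passwd>(uid=...)), then the base-scope re-read of the user's own entry with the same filter while bound as that user), run against a constructed in-memory directory laid out like the tree in the post. The entry DNs, the host values, the passwords and the deny_own_entry ACL are assumptions made for the illustration, and the filter parser accepts the space after "|" seen in the log as a choice of the model, not as a statement about what the LDAP server does with it. The model also escapes the uid per RFC 4515 before splicing it into the filter, which is what keeps a uid of "*" from turning (uid=...) into a presence match.

```python
"""Added example, not nss-pam-ldapd code: an in-memory model of the two searches
nslcd runs in the log above, with a minimal RFC 4515 filter evaluator.  Entries,
host values, passwords and the ACL hook are constructed for the illustration."""
import re

def escape_filter_value(value):
    """Escape an untrusted value before splicing it into a filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def parse_filter(text):
    """Parse (&..), (|..), (attr=value), (attr=*) into a tuple tree.  Whitespace
    between tokens is dropped so the filter in the log parses (a model choice)."""
    toks = [t for t in re.findall(r'[()&|]|[^()&|][^()]*', text) if t.strip()]
    def parse(i):
        if toks[i] != '(':
            raise ValueError('expected "(" at token %d' % i)
        if toks[i + 1] in ('&', '|'):
            op, subs, i = toks[i + 1], [], i + 2
            while toks[i] != ')':
                node, i = parse(i)
                subs.append(node)
            return (op, subs), i + 1
        attr, _, value = toks[i + 1].partition('=')
        if toks[i + 2] != ')':
            raise ValueError('expected ")" at token %d' % (i + 2))
        return ('=', attr.strip().lower(), value.strip()), i + 3  # value still escaped
    node, end = parse(0)
    if end != len(toks):
        raise ValueError('trailing data after filter')
    return node

def matches(entry, node):
    """Evaluate a parsed filter against one entry ({attr: [values]})."""
    if node[0] == '&':
        return all(matches(entry, s) for s in node[1])
    if node[0] == '|':
        return any(matches(entry, s) for s in node[1])
    _, attr, raw = node
    values = entry.get(attr, [])
    if raw == '*':  # presence filter; an escaped \2a is a literal asterisk instead
        return bool(values)
    wanted = re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), raw)
    return any(v.lower() == wanted.lower() for v in values)  # caseIgnoreMatch assumed

class NoSuchObject(Exception):
    pass  # LDAP resultCode noSuchObject (32), the error in the log's last lines

def search(directory, base, scope, filter_text, bound_dn=None, acl=None):
    """DNs at/under `base` matching the filter.  `acl(bound_dn, dn)` is a hypothetical
    read check; a base the bound identity may not read yields noSuchObject here."""
    acl = acl or (lambda who, dn: True)
    if base not in directory or not acl(bound_dn, base):
        raise NoSuchObject(base)
    node = parse_filter(filter_text)
    cands = [base] if scope == 'base' else [d for d in directory if d == base or d.endswith(',' + base)]
    return [d for d in cands if acl(bound_dn, d) and matches(directory[d], node)]

def passwd_filter(hostname):
    """The post's `filter passwd`, templated on this machine's host name."""
    return '(|(host=%s)(host=all))' % escape_filter_value(hostname)

def authorized_users(directory, base, hostname):
    """What `getent passwd` would list on `hostname` under that filter."""
    return sorted(directory[d]['uid'][0] for d in search(directory, base, 'sub', passwd_filter(hostname)))

def pam_authc(directory, passwords, base, hostname, uid, password, acl=None):
    """Mirror the log: find the DN with (&<filter>(uid=..)), bind as it, re-read as that user."""
    filt = '(&%s(uid=%s))' % (passwd_filter(hostname), escape_filter_value(uid))
    found = search(directory, base, 'sub', filt, acl=acl)
    if not found:
        return ('unknown user', None)  # an unescaped '*' would have matched everyone
    user_dn = found[0]
    if passwords.get(user_dn) != password:
        return ('invalid credentials', user_dn)
    try:
        seen = search(directory, user_dn, 'base', passwd_filter(hostname), bound_dn=user_dn, acl=acl)
    except NoSuchObject:
        return ('No such object', user_dn)  # the failure shape in the log
    return ('ok', user_dn) if seen else ('not authorized', user_dn)

# Constructed directory laid out like the post's tree (not real data).
BASE = 'dc=exemple,dc=org'
DIRECTORY = {BASE: {'objectclass': ['organization']}}
for org in ('service1', 'service2'):
    DIRECTORY['o=%s,%s' % (org, BASE)] = {'objectclass': ['organization']}
    DIRECTORY['ou=Users,o=%s,%s' % (org, BASE)] = {'objectclass': ['organizationalUnit']}
for uid, org, hosts in (('user1', 'service1', ['server1', 'server2']), ('admin1', 'service1', ['all']),
                        ('hugo.test', 'service2', ['server1']), ('nohost', 'service2', [])):
    DIRECTORY['uid=%s,ou=Users,o=%s,%s' % (uid, org, BASE)] = {
        'objectclass': ['posixAccount', 'shadowAccount'], 'uid': [uid], 'host': hosts}
PASSWORDS = {dn: 'secret' for dn in DIRECTORY if dn.startswith('uid=')}  # constructed

def deny_own_entry(bound_dn, dn):
    """Hypothetical ACL under which a bound user cannot read its own entry."""
    return bound_dn is None or bound_dn != dn
```

Running authorized_users() for 'server1', 'server2' and an unlisted host shows how the (|(host=...)(host=all)) filter selects users; pam_authc() walks the same two steps as the log, and only the hypothetical deny_own_entry ACL makes its second, user-bound base search fail with noSuchObject while the first, unauthenticated search still finds the entry, which is the difference to look for when comparing this model with a real server.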