
Filter by group seems to be not working

Hi guys,

I'm needing some help.
I've configured a server to authenticate through an LDAP server, and it's working; users are able to access the server via ssh. However, we need to restrict access by groups: we create one group for each server and put in this group all users that have permission to access that server.
I believe that my configuration is right, because it's querying correctly, but when I try to filter by group it's not working. In the nslcd debug output I saw that the group filter is doing its job, but even when it returns no result (user not in this group) the system permits access.

User og is in group logonDRAGUNOV, but not in group logonVISAO.

How can I get this working? I'm using CentOS 7.

----------------------------------------------------------

Packages:

nss-pam-ldapd-0.8.13-8.el7.x86_64
openldap-2.4.39-3.el7.x86_64
openldap-clients-2.4.39-3.el7.x86_64
pam-1.1.8-9.el7.x86_64
pam_pkcs11-0.6.2-17.el7.x86_64

----------------------------------------------------------

/etc/openldap/ldap.conf:

URI ldaps://ldap.intranet.e-trust.com.br
BASE dc=e-trust,dc=com,dc=br
TLS_CACERTDIR /etc/openldap/cacerts

----------------------------------------------------------

/etc/openldap/cacerts:

-rw-r--r--. 1 nslcd ldap 4446 Dec  9 14:37 1
lrwxrwxrwx  1 root  root   10 Dec 11 12:46 5a272d0c.0 -> d540ba5e.0
lrwxrwxrwx  1 root  root    7 Dec 11 12:46 5a272d0c.1 -> nss.crt
lrwxrwxrwx  1 root  root   10 Dec 11 12:46 65fda68d.0 -> 6fbb64e7.0
lrwxrwxrwx  1 root  root    6 Dec 11 12:46 65fda68d.1 -> ca.pem
lrwxrwxrwx  1 root  root   10 Dec 11 12:46 6ae8e84b.0 -> cacert.pem
-rw-r--r--. 1 nslcd ldap 2534 Mar 23  2010 6fbb64e7.0
drwxr-xr-x. 2 nslcd ldap 4096 Dec 10 10:01 backup
-rw-r--r--. 1 nslcd ldap 2455 Mar 17  2014 cacert.pem
-rw-r--r--. 1 nslcd ldap 2534 Mar 23  2010 ca.pem
-rw-r--r--. 1 nslcd ldap 2387 Mar 23  2010 d540ba5e.0
-rw-r--r--. 1 nslcd ldap 2387 Mar 23  2010 nss.crt
-rw-r--r--. 1 nslcd ldap 1676 Mar 23  2010 nss.key

----------------------------------------------------------

nslcd.conf:

#===============================================================================
# RUN OPTIONS
#===============================================================================

uid nslcd
gid ldap


#===============================================================================
# TIMING/RECONNECT OPTIONS
#===============================================================================

# LDAP connection (bind) timeout
# Default: bind_timelimit 10
bind_timelimit 3

# Time to wait for a search response
# Default: timelimit 0 (waits forever)
timelimit 60

# Idle time after which the LDAP connection is closed
# Default: never close
idle_timelimit 600

# Time to wait before trying to reconnect
reconnect_sleeptime 1

# How long to keep trying to reconnect before marking the server unavailable
reconnect_retrytime 10


#===============================================================================
# SSL/TLS OPTIONS
#===============================================================================


ssl on
tls_reqcert allow
tls_cacertdir /etc/openldap/cacerts


#===============================================================================
# GENERAL CONNECTION OPTIONS
#===============================================================================

uri ldaps://ldap.intranet.e-trust.com.br/


#===============================================================================
# SEARCH/MAPPING OPTIONS
#===============================================================================

base dc=e-trust,dc=com,dc=br

scope group  sub
scope passwd sub
scope hosts  sub
scope shadow sub

base group  ou=Groups,dc=e-trust,dc=com,dc=br
base passwd ou=People,dc=e-trust,dc=com,dc=br
base hosts  ou=People,dc=e-trust,dc=com,dc=br
base shadow ou=People,dc=e-trust,dc=com,dc=br

filter passwd (objectClass=posixAccount)
filter group  (&(objectClass=posixGroup)(cn=logonVISAO))
#filter group  (&(objectClass=posixGroup)(cn=logonDRAGUNOV))

map    group  member memberUID


#===============================================================================
# OTHER OPTIONS
#===============================================================================

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdmi,nslcd

----------------------------------------------------------

/etc/pam.d/sshd:

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin

----------------------------------------------------------

/etc/pam.d/password-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass debug
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok debug
password    required      pam_deny.so

session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

----------------------------------------------------------

/etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

----------------------------------------------------------

ldapsearch -x -H 'ldaps://ldap.intranet.e-trust.com.br' -b 'ou=People,dc=e-trust,dc=com,dc=br' "(uid=og)"

# extended LDIF
#
# LDAPv3
# base <ou=People,dc=e-trust,dc=com,dc=br> with scope subtree
# filter: (uid=og)
# requesting: ALL
#

# og, People, e-trust.com.br
dn: uid=og,ou=People,dc=e-trust,dc=com,dc=br
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: Otavio Campos Velho Gloria
sn: og
uid: og
uidNumber: 61676
gidNumber: 513
homeDirectory: /home/og
gecos: Otavio Campos Velho Gloria
description: Otavio Campos Velho Gloria
loginShell: /bin/bash

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

-----------------------------------------------------------

ldapsearch -x -H 'ldaps://ldap.intranet.e-trust.com.br' -b 'ou=Groups,dc=e-trust,dc=com,dc=br' "(cn=logonDRAGUNOV)"

# extended LDIF
#
# LDAPv3
# base <ou=Groups,dc=e-trust,dc=com,dc=br> with scope subtree
# filter: (cn=logonDRAGUNOV)
# requesting: ALL
#

# logonDRAGUNOV, Groups, e-trust.com.br
dn: cn=logonDRAGUNOV,ou=Groups,dc=e-trust,dc=com,dc=br
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: logonDRAGUNOV
gidNumber: 61208
memberUid: uid=ds,ou=People,dc=e-trust,dc=com,dc=br
memberUid: ds
memberUid: uid=vbs,ou=People,dc=e-trust,dc=com,dc=br
memberUid: vbs
memberUid: uid=cp,ou=People,dc=e-trust,dc=com,dc=br
memberUid: cp
memberUid: uid=dtr,ou=People,dc=e-trust,dc=com,dc=br
memberUid: dtr
memberUid: uid=ap,ou=People,dc=e-trust,dc=com,dc=br
memberUid: ap
memberUid: uid=azo,ou=People,dc=e-trust,dc=com,dc=br
memberUid: azo
memberUid: uid=mrb,ou=People,dc=e-trust,dc=com,dc=br
memberUid: mrb
memberUid: uid=rb,ou=People,dc=e-trust,dc=com,dc=br
memberUid: rb
memberUid: uid=ws,ou=People,dc=e-trust,dc=com,dc=br
memberUid: ws
memberUid: uid=rlp,ou=People,dc=e-trust,dc=com,dc=br
memberUid: rlp
memberUid: uid=mf,ou=People,dc=e-trust,dc=com,dc=br
memberUid: mf
memberUid: uid=jps,ou=People,dc=e-trust,dc=com,dc=br
memberUid: dk
memberUid: uid=dk,ou=People,dc=e-trust,dc=com,dc=br
memberUid: hrs
memberUid: uid=hrs,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=cs,ou=People,dc=e-trust,dc=com,dc=br
memberUid: cs
memberUid: uid=sl,ou=People,dc=e-trust,dc=com,dc=br
memberUid: sl
memberUid: lcd
memberUid: rls
memberUid: wrs
memberUid: uid=wrs,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=rls,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=lcd,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=og,ou=People,dc=e-trust,dc=com,dc=br

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

----------------------------------------------------------

ldapsearch -x -H 'ldaps://ldap.intranet.e-trust.com.br' -b 'ou=Groups,dc=e-trust,dc=com,dc=br' "(cn=logonVISAO)"

# extended LDIF
#
# LDAPv3
# base <ou=Groups,dc=e-trust,dc=com,dc=br> with scope subtree
# filter: (cn=logonVISAO)
# requesting: ALL
#

# logonVISAO, Groups, e-trust.com.br
dn: cn=logonVISAO,ou=Groups,dc=e-trust,dc=com,dc=br
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: logonVISAO
gidNumber: 61054
memberUid: uid=ds,ou=People,dc=e-trust,dc=com,dc=br
memberUid: ds
memberUid: uid=vbs,ou=People,dc=e-trust,dc=com,dc=br
memberUid: vbs
memberUid: uid=cp,ou=People,dc=e-trust,dc=com,dc=br
memberUid: cp
memberUid: uid=mc,ou=People,dc=e-trust,dc=com,dc=br
memberUid: mc
memberUid: uid=em,ou=People,dc=e-trust,dc=com,dc=br
memberUid: em
memberUid: uid=dtr,ou=People,dc=e-trust,dc=com,dc=br
memberUid: dtr
memberUid: uid=ap,ou=People,dc=e-trust,dc=com,dc=br
memberUid: ap
memberUid: uid=mm,ou=People,dc=e-trust,dc=com,dc=br
memberUid: mm
memberUid: uid=er,ou=People,dc=e-trust,dc=com,dc=br
memberUid: er
memberUid: uid=rw,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=azo,ou=People,dc=e-trust,dc=com,dc=br
memberUid: azo
memberUid: uid=mrb,ou=People,dc=e-trust,dc=com,dc=br
memberUid: mrb
memberUid: uid=cr,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=rb,ou=People,dc=e-trust,dc=com,dc=br
memberUid: rb
memberUid: uid=ieo,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=dso,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=dk,ou=People,dc=e-trust,dc=com,dc=br
memberUid: dk
memberUid: uid=pes,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=ws,ou=People,dc=e-trust,dc=com,dc=br
memberUid: ws
memberUid: uid=rlp,ou=People,dc=e-trust,dc=com,dc=br
memberUid: rlp
memberUid: uid=esa,ou=People,dc=e-trust,dc=com,dc=br
memberUid: esa
memberUid: uid=vc,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=jlm,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=mf,ou=People,dc=e-trust,dc=com,dc=br
memberUid: mf
memberUid: uid=lr,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=it,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=jr,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=dar,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=ccb,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=mcv,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=jps,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=wm,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=lg,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=cs,ou=People,dc=e-trust,dc=com,dc=br
memberUid: cs
memberUid: hrs
memberUid: uid=hrs,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=cfs,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=vls,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=ess,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=mt,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=agm,ou=People,dc=e-trust,dc=com,dc=br
memberUid: ssl
memberUid: uid=ssl,ou=People,dc=e-trust,dc=com,dc=br
memberUid: lda
memberUid: uid=lda,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=rbv,ou=People,dc=e-trust,dc=com,dc=br
memberUid: sl
memberUid: uid=sl,ou=People,dc=e-trust,dc=com,dc=br
memberUid: lcd
memberUid: rls
memberUid: wrs
memberUid: uid=wrs,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=rls,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=lcd,ou=People,dc=e-trust,dc=com,dc=br
memberUid: ja
memberUid: uid=ja,ou=People,dc=e-trust,dc=com,dc=br
memberUid: uid=dap,ou=People,dc=e-trust,dc=com,dc=br
memberUid: yg
memberUid: uid=yg,ou=People,dc=e-trust,dc=com,dc=br
memberUid: dap

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

----------------------------------------------------------

nslcd -d:

nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,3)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
nslcd: DEBUG: add_uri(ldaps://ldap.intranet.e-trust.com.br/)
nslcd: /etc/nslcd.conf:77: user 'ldap' does not exist
nslcd: /etc/nslcd.conf:77: user 'named' does not exist
nslcd: /etc/nslcd.conf:77: user 'haldaemon' does not exist
nslcd: /etc/nslcd.conf:77: user 'radvd' does not exist
nslcd: /etc/nslcd.conf:77: user 'tomcat' does not exist
nslcd: /etc/nslcd.conf:77: user 'radiusd' does not exist
nslcd: /etc/nslcd.conf:77: user 'news' does not exist
nslcd: /etc/nslcd.conf:77: user 'mailman' does not exist
nslcd: /etc/nslcd.conf:77: user 'gdmi' does not exist
nslcd: version 0.8.13 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: initgroups("nslcd",55) done
nslcd: DEBUG: setgid(55) done
nslcd: DEBUG: setuid(65) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [8b4567] <passwd="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [8b4567] <passwd="og"> DEBUG: ldap_initialize(ldaps://ldap.intranet.e-trust.com.br/)
nslcd: [8b4567] <passwd="og"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd="og"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd="og"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd="og"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,60)
nslcd: [8b4567] <passwd="og"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,60)
nslcd: [8b4567] <passwd="og"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,60)
nslcd: [8b4567] <passwd="og"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="og"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="og"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] <passwd="og"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap.intranet.e-trust.com.br/")
nslcd: [8b4567] <passwd="og"> DEBUG: set_socket_timeout(60,500000)
nslcd: [8b4567] <passwd="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [8b4567] <passwd="og"> (re)loading /etc/nsswitch.conf
nslcd: [8b4567] <passwd="og"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [7b23c6] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [7b23c6] <passwd="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [7b23c6] <passwd="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [7b23c6] <passwd="og"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [3c9869] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [3c9869] <passwd="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [3c9869] <passwd="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [3c9869] <passwd="og"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [334873] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [334873] <shadow="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=shadowAccount)(uid=og))")
nslcd: [334873] <shadow="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [334873] <shadow="og"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [b0dc51] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [b0dc51] <passwd="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [b0dc51] <passwd="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [b0dc51] <passwd="og"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [495cff] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [495cff] <authc="og"> DEBUG: nslcd_pam_authc("og","sshd","***")
nslcd: [495cff] <authc="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [495cff] <authc="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [495cff] <authc="og"> DEBUG: myldap_search(base="uid=og,ou=People,dc=e-trust,dc=com,dc=br", filter="(objectClass=*)")
nslcd: [495cff] <authc="og"> DEBUG: ldap_initialize(ldaps://ldap.intranet.e-trust.com.br/)
nslcd: [495cff] <authc="og"> DEBUG: ldap_set_rebind_proc()
nslcd: [495cff] <authc="og"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [495cff] <authc="og"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [495cff] <authc="og"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,60)
nslcd: [495cff] <authc="og"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,60)
nslcd: [495cff] <authc="og"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,60)
nslcd: [495cff] <authc="og"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [495cff] <authc="og"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [495cff] <authc="og"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [495cff] <authc="og"> DEBUG: ldap_simple_bind_s("uid=og,ou=People,dc=e-trust,dc=com,dc=br","***") (uri="ldaps://ldap.intranet.e-trust.com.br/")
nslcd: [495cff] <authc="og"> DEBUG: set_socket_timeout(60,500000)
nslcd: [495cff] <authc="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [495cff] <authc="og"> DEBUG: set_socket_timeout(30,0)
nslcd: [495cff] <authc="og"> DEBUG: ldap_unbind()
nslcd: [495cff] <authc="og"> DEBUG: bind successful
nslcd: [495cff] <authc="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=shadowAccount)(uid=og))")
nslcd: [495cff] <authc="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [e8944a] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [e8944a] <passwd="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [e8944a] <passwd="og"> DEBUG: ldap_initialize(ldaps://ldap.intranet.e-trust.com.br/)
nslcd: [e8944a] <passwd="og"> DEBUG: ldap_set_rebind_proc()
nslcd: [e8944a] <passwd="og"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [e8944a] <passwd="og"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [e8944a] <passwd="og"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,60)
nslcd: [e8944a] <passwd="og"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,60)
nslcd: [e8944a] <passwd="og"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,60)
nslcd: [e8944a] <passwd="og"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [e8944a] <passwd="og"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [e8944a] <passwd="og"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [e8944a] <passwd="og"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap.intranet.e-trust.com.br/")
nslcd: [e8944a] <passwd="og"> DEBUG: set_socket_timeout(60,500000)
nslcd: [e8944a] <passwd="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [e8944a] <passwd="og"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [5558ec] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [5558ec] <shadow="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=shadowAccount)(uid=og))")
nslcd: [5558ec] <shadow="og"> DEBUG: ldap_initialize(ldaps://ldap.intranet.e-trust.com.br/)
nslcd: [5558ec] <shadow="og"> DEBUG: ldap_set_rebind_proc()
nslcd: [5558ec] <shadow="og"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [5558ec] <shadow="og"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [5558ec] <shadow="og"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,60)
nslcd: [5558ec] <shadow="og"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,60)
nslcd: [5558ec] <shadow="og"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,60)
nslcd: [5558ec] <shadow="og"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [5558ec] <shadow="og"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [5558ec] <shadow="og"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [5558ec] <shadow="og"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap.intranet.e-trust.com.br/")
nslcd: [5558ec] <shadow="og"> DEBUG: set_socket_timeout(60,500000)
nslcd: [5558ec] <shadow="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [5558ec] <shadow="og"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [8e1f29] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [8e1f29] <passwd="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [8e1f29] <passwd="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [8e1f29] <passwd="og"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [e87ccd] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [e87ccd] <authz="og"> DEBUG: nslcd_pam_authz("og","sshd","","austin.intranet.e-trust.com.br","ssh")
nslcd: [e87ccd] <authz="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [e87ccd] <authz="og"> DEBUG: ldap_initialize(ldaps://ldap.intranet.e-trust.com.br/)
nslcd: [e87ccd] <authz="og"> DEBUG: ldap_set_rebind_proc()
nslcd: [e87ccd] <authz="og"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [e87ccd] <authz="og"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [e87ccd] <authz="og"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,60)
nslcd: [e87ccd] <authz="og"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,60)
nslcd: [e87ccd] <authz="og"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,60)
nslcd: [e87ccd] <authz="og"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [e87ccd] <authz="og"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [e87ccd] <authz="og"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [e87ccd] <authz="og"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap.intranet.e-trust.com.br/")
nslcd: [e87ccd] <authz="og"> DEBUG: set_socket_timeout(60,500000)
nslcd: [e87ccd] <authz="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [e87ccd] <authz="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=shadowAccount)(uid=og))")
nslcd: [e87ccd] <authz="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [1b58ba] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [1b58ba] <group/member="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [1b58ba] <group/member="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [1b58ba] <group/member="og"> DEBUG: myldap_search(base="ou=Groups,dc=e-trust,dc=com,dc=br", filter="(&(&(objectClass=posixGroup)(cn=logonVISAO))(|(memberUid=og)(memberUID=uid=og,ou=People,dc=e-trust,dc=com,dc=br)))")
nslcd: [1b58ba] <group/member="og"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [7ed7ab] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [7ed7ab] <passwd="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [7ed7ab] <passwd="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [7ed7ab] <passwd="og"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [b141f2] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [b141f2] <passwd="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [b141f2] <passwd="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [b141f2] <passwd="og"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [b71efb] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [b71efb] <passwd="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [b71efb] <passwd="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [b71efb] <passwd="og"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [e2a9e3] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [e2a9e3] <passwd="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [e2a9e3] <passwd="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [e2a9e3] <passwd="og"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [45e146] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [45e146] <passwd="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [45e146] <passwd="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [45e146] <passwd="og"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [5f007c] DEBUG: connection from pid=426 uid=0 gid=0
nslcd: [5f007c] <passwd=61676> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uidNumber=61676))")
nslcd: [5f007c] <passwd=61676> DEBUG: ldap_initialize(ldaps://ldap.intranet.e-trust.com.br/)
nslcd: [5f007c] <passwd=61676> DEBUG: ldap_set_rebind_proc()
nslcd: [5f007c] <passwd=61676> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [5f007c] <passwd=61676> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [5f007c] <passwd=61676> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,60)
nslcd: [5f007c] <passwd=61676> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,60)
nslcd: [5f007c] <passwd=61676> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,60)
nslcd: [5f007c] <passwd=61676> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [5f007c] <passwd=61676> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [5f007c] <passwd=61676> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [5f007c] <passwd=61676> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap.intranet.e-trust.com.br/")
nslcd: [5f007c] <passwd=61676> DEBUG: set_socket_timeout(60,500000)
nslcd: [5f007c] <passwd=61676> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [5f007c] <passwd=61676> DEBUG: ldap_result(): end of results (1 total)
nslcd: [d062c2] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [d062c2] <sess_o="og"> DEBUG: nslcd_pam_sess_o("og","sshd","ssh","austin.intranet.e-trust.com.br","")
nslcd: [200854] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [200854] <passwd="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [200854] <passwd="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [200854] <passwd="og"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [b127f8] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [b127f8] <passwd="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [b127f8] <passwd="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [b127f8] <passwd="og"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [16231b] DEBUG: connection from pid=4701 uid=0 gid=513
nslcd: [16231b] <group/member="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [16231b] <group/member="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [16231b] <group/member="og"> DEBUG: myldap_search(base="ou=Groups,dc=e-trust,dc=com,dc=br", filter="(&(&(objectClass=posixGroup)(cn=logonVISAO))(|(memberUid=og)(memberUID=uid=og,ou=People,dc=e-trust,dc=com,dc=br)))")
nslcd: [16231b] <group/member="og"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [16e9e8] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [16e9e8] <passwd=61676> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uidNumber=61676))")
nslcd: [16e9e8] <passwd=61676> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [16e9e8] <passwd=61676> DEBUG: ldap_result(): end of results (1 total)
nslcd: [90cde7] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [90cde7] <passwd="og"> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [90cde7] <passwd="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [90cde7] <passwd="og"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [ef438d] DEBUG: connection from pid=4702 uid=61676 gid=513
nslcd: [ef438d] <passwd=61676> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uidNumber=61676))")
nslcd: [ef438d] <passwd=61676> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [ef438d] <passwd=61676> DEBUG: ldap_result(): end of results (1 total)
nslcd: [0e0f76] DEBUG: connection from pid=4704 uid=61676 gid=513
nslcd: [0e0f76] <passwd=61676> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uidNumber=61676))")
nslcd: [0e0f76] <passwd=61676> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [0e0f76] <passwd=61676> DEBUG: ldap_result(): end of results (1 total)
nslcd: [52255a] DEBUG: connection from pid=4708 uid=61676 gid=513
nslcd: [52255a] <group=513> DEBUG: myldap_search(base="ou=Groups,dc=e-trust,dc=com,dc=br", filter="(&(&(objectClass=posixGroup)(cn=logonVISAO))(gidNumber=513))")
nslcd: [52255a] <group=513> DEBUG: ldap_result(): end of results (0 total)
nslcd: [9cf92e] DEBUG: connection from pid=4710 uid=61676 gid=513
nslcd: [9cf92e] <passwd=61676> DEBUG: myldap_search(base="ou=People,dc=e-trust,dc=com,dc=br", filter="(&(objectClass=posixAccount)(uidNumber=61676))")
nslcd: [9cf92e] <passwd=61676> DEBUG: ldap_result(): uid=og,ou=People,dc=e-trust,dc=com,dc=br
nslcd: [9cf92e] <passwd=61676> DEBUG: ldap_result(): end of results (1 total)

----------------------------------------------------------

/var/log/secure:

Dec 14 08:40:10 lab2-ldapauth sshd[4699]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=austin.intranet.e-trust.com.br  user=og
Dec 14 08:40:10 lab2-ldapauth sshd[4699]: pam_ldap(sshd:auth): nslcd authentication; user=og
Dec 14 08:40:10 lab2-ldapauth sshd[4699]: pam_ldap(sshd:auth): authentication succeeded
Dec 14 08:40:10 lab2-ldapauth sshd[4699]: Accepted password for og from 192.168.2.183 port 50134 ssh2

----------------------------------------------------------

/var/log/pam_debug.log:

Dec 14 08:40:10 lab2-ldapauth sshd[4699]: pam_ldap(sshd:auth): nslcd authentication; user=og
Dec 14 08:40:10 lab2-ldapauth sshd[4699]: pam_ldap(sshd:auth): authentication succeeded
Dec 14 08:40:10 lab2-ldapauth sshd[4699]: Accepted password for og from 192.168.2.183 port 50134 ssh2
Dec 14 08:40:10 lab2-ldapauth systemd: Created slice user-61676.slice.
Dec 14 08:40:10 lab2-ldapauth systemd: Starting Session 77 of user og.
Dec 14 08:40:10 lab2-ldapauth systemd-logind: New session 77 of user og.
Dec 14 08:40:10 lab2-ldapauth systemd: Started Session 77 of user og.
Dec 14 08:40:10 lab2-ldapauth sshd[4699]: pam_unix(sshd:session): session opened for user og by (uid=0)
Dec 14 08:40:10 lab2-ldapauth sshd[4699]: pam_unix(sshd:session): session opened for user og by (uid=0)

--
Otávio Campos Velho
www.e-trust.com.br
Porto Alegre: +55 (51) 2117-1000
São Paulo: +55 (11) 5521-2021

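Editor's note on the debug output above: the `nslcd_pam_authz` request for the login (the PAM account phase) only searches the posixAccount and shadowAccount entries; the search that applies the `filter group` directive runs under a `group/member` context, which is an NSS group lookup (initgroups) and does not gate login, so its "0 total" result has no effect on `pam_ldap.so` in the account stack. In nss-pam-ldapd, restricting who may log in is done in nslcd.conf with the `pam_authz_search` directive (a documented option of the 0.8 series; the exact filter for this site, e.g. `(&(objectClass=posixGroup)(cn=logonVISAO)(memberUid=$username))`, is my assumption, not something the post shows). The following script is an added example, not code from the original post or from the nss-pam-ldapd project: it parses `nslcd -d` style lines, groups them by request id, and reports whether the authz phase ever touched a group entry. The log lines embedded in it are constructed to mirror the shape of the output above; the request ids, host and base DN are made up.

```python
"""Triage `nslcd -d` output: does the PAM authorization (authz) step of a
login actually consult a group entry, or only the account/shadow entries?

Added example, not code from the original post nor from the nss-pam-ldapd
project.  The log lines below are constructed to mirror the shape of
`nslcd -d` output; the request ids, host and base DN are made up.
"""
import re
from collections import OrderedDict

# Constructed sample in the format of `nslcd -d`: one authc request, one
# authz request (no group search), and one NSS group/member lookup that
# matches no entry.
SAMPLE_LOG = """\
nslcd: [a1b2c3] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [a1b2c3] <authc="og"> DEBUG: nslcd_pam_authc("og","sshd","***")
nslcd: [a1b2c3] <authc="og"> DEBUG: myldap_search(base="ou=People,dc=example,dc=org", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [a1b2c3] <authc="og"> DEBUG: bind successful
nslcd: [d4e5f6] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [d4e5f6] <authz="og"> DEBUG: nslcd_pam_authz("og","sshd","","host.example.org","ssh")
nslcd: [d4e5f6] <authz="og"> DEBUG: myldap_search(base="ou=People,dc=example,dc=org", filter="(&(objectClass=posixAccount)(uid=og))")
nslcd: [d4e5f6] <authz="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=example,dc=org
nslcd: [d4e5f6] <authz="og"> DEBUG: myldap_search(base="ou=People,dc=example,dc=org", filter="(&(objectClass=shadowAccount)(uid=og))")
nslcd: [d4e5f6] <authz="og"> DEBUG: ldap_result(): uid=og,ou=People,dc=example,dc=org
nslcd: [0a0b0c] DEBUG: connection from pid=4699 uid=0 gid=0
nslcd: [0a0b0c] <group/member="og"> DEBUG: myldap_search(base="ou=Groups,dc=example,dc=org", filter="(&(&(objectClass=posixGroup)(cn=logonVISAO))(|(memberUid=og)(memberUID=uid=og,ou=People,dc=example,dc=org)))")
nslcd: [0a0b0c] <group/member="og"> DEBUG: ldap_result(): end of results (0 total)
"""

# One nslcd debug line: request id, optional <context>, then the message.
LINE_RE = re.compile(
    r'^nslcd: \[(?P<req>[0-9a-f]+)\] (?:<(?P<ctx>[^>]*)> )?DEBUG: (?P<msg>.*)$')
SEARCH_RE = re.compile(r'myldap_search\(base="(?P<base>[^"]*)", filter="(?P<flt>.*)"\)$')
RESULT_RE = re.compile(r'end of results \((?P<n>\d+) total\)')


def parse_requests(text):
    """Group debug lines by nslcd request id.

    Returns an ordered mapping req_id -> {"ctx": str or None,
    "searches": [(base, filter)], "results": [entry counts]}.
    """
    reqs = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = reqs.setdefault(m["req"], {"ctx": None, "searches": [], "results": []})
        if m["ctx"]:
            r["ctx"] = m["ctx"]
        s = SEARCH_RE.search(m["msg"])
        if s:
            r["searches"].append((s["base"], s["flt"]))
        n = RESULT_RE.search(m["msg"])
        if n:
            r["results"].append(int(n["n"]))
    return reqs


def is_group_filter(flt):
    """True if an LDAP filter touches group objects or group membership."""
    return ("objectClass=posixGroup" in flt
            or "memberUid=" in flt or "memberUID=" in flt)


def analyze(text, user):
    """Summarise whether group membership was checked where it matters.

    'authz_group_search' is the decisive field: if it is False, nothing in
    the PAM account phase depended on a group, whatever the NSS group
    lookups returned.
    """
    reqs = parse_requests(text)
    authz = [r for r in reqs.values() if r["ctx"] == f'authz="{user}"']
    nss_group = [r for r in reqs.values()
                 if r["ctx"] and r["ctx"].startswith("group")]
    return {
        "authz_seen": bool(authz),
        "authz_group_search": any(is_group_filter(f)
                                  for r in authz for _, f in r["searches"]),
        "nss_group_lookups": len(nss_group),
        "nss_group_entries_returned": sum(sum(r["results"]) for r in nss_group),
    }


if __name__ == "__main__":
    res = analyze(SAMPLE_LOG, "og")
    print(res)
    if res["authz_seen"] and not res["authz_group_search"]:
        print("authz for this login never searched a group entry: "
              "'filter group' is not an access control; use pam_authz_search")
```

Run it against a real `nslcd -d` capture by replacing `SAMPLE_LOG` with the file contents; a login that is genuinely gated by group membership shows a group filter inside the `authz="..."` request, not only inside `group/member` or `group=NNN` lookups.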