Re: Filter by group seems to be not working
- From: Otavio Campos Velho Gloria <og [at] e-trust.com.br>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Filter by group seems to be not working
- Date: Tue, 16 Dec 2014 10:36:20 -0200
Hello guys,

With Arthur de Jong's suggestion I could get this working. If the user is not in the logonDRAGUNOV group, the SSH window is closed. If the user is in the logonDRAGUNOV group, bash is accessed. It returns an error because the group id isn't found on the server, but the essential thing is to filter access by group, and it's working because of your help, guys. Thanks a lot :D

My working /etc/nslcd.conf configuration is (pam_authz_search added):

#===============================================================================
# RUN OPTIONS
#===============================================================================
uid nslcd
gid ldap

#===============================================================================
# TIMING/RECONNECT OPTIONS
#===============================================================================
# Time to connect to LDAP
# Default: bind_timelimit 10
bind_timelimit 3
# Time to wait for the reply
# Default: timelimit 0 (waits forever)
timelimit 60
# LDAP connection idle time before it is dropped
# Default: never drop
idle_timelimit 600
# Time to wait before trying to reconnect
reconnect_sleeptime 1
# How long to keep trying to reconnect before giving up as unavailable
reconnect_retrytime 10

#===============================================================================
# SSL/TLS OPTIONS
#===============================================================================
ssl on
tls_reqcert allow
tls_cacertdir /etc/openldap/cacerts

#===============================================================================
# GENERAL CONNECTION OPTIONS
#===============================================================================
uri ldaps://ldap.intranet.e-trust.com.br/

#===============================================================================
# SEARCH/MAPPING OPTIONS
#===============================================================================
base dc=e-trust,dc=com,dc=br
scope group sub
scope passwd sub
scope hosts sub
scope shadow sub
base group ou=Groups,dc=e-trust,dc=com,dc=br
base passwd ou=People,dc=e-trust,dc=com,dc=br
base hosts ou=People,dc=e-trust,dc=com,dc=br
base shadow ou=People,dc=e-trust,dc=com,dc=br
filter passwd (objectClass=posixAccount)
filter group (&(objectClass=posixGroup)(cn=logonDRAGUNOV))
map group member memberUID

#===============================================================================
# OTHER OPTIONS
#===============================================================================
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdmi,nslcd
pam_authz_search (&(objectClass=posixGroup)(cn=logonDRAGUNOV)(|(memberUid=$username)(memberUid=uid=$username,ou=People,dc=e-trust,dc=com,dc=br)))

On 15/12/2014 17:52, Arthur de Jong wrote:
> On Mon, 2014-12-15 at 11:17 -0200, Otavio Campos Velho Gloria wrote:
> > I believe that my configuration is right, because it is querying correctly, but when I try to filter by group it's not working. In the nslcd debug output I saw that the group filter is doing its job, but even when it returns no result (the user is not in this group) the system permits access.
>
> Group membership is probably best configured with pam_group.
>
> > filter group (&(objectClass=posixGroup)(cn=logonVISAO))
>
> This means that only groups that match the above filter are found on the system; it does not mean that only users that match this group can log in. You should look into pam_authz_search with something like:
>
> (&(objectClass=posixGroup)(cn=logonVISAO)(memberUid=$username))
>
> Note that this is only applied to authorisation checks that use PAM. I think this should also work in SSH when using key-based authentication.
>
> > dn: cn=logonDRAGUNOV,ou=Groups,dc=e-trust,dc=com,dc=br
> > objectClass: posixGroup
> > objectClass: sambaGroupMapping
> > cn: logonDRAGUNOV
> > gidNumber: 61208
> > memberUid: uid=ds,ou=People,dc=e-trust,dc=com,dc=br
> > memberUid: ds
>
> This is a bit weird. The memberUid attribute should include just the username. The member (or uniqueMember) attribute is supposed to contain a DN.
>
> --
-- To unsubscribe send an email to nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see http://lists.arthurdejong.org/nss-pam-ldapd-users/
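The distinction Arthur draws in the quoted reply (filter group only narrows which groups nslcd returns through NSS, while pam_authz_search is what decides whether a login is authorised) can be checked against a toy in-memory directory. The block below is an added example, not code from nslcd or from either poster: the entries under dc=example,dc=com, the small filter parser, and the escape_filter_value step applied before substituting $username are the example's own assumptions. The group entry copies the shape from the thread, with memberUid values in both the plain-username form and the DN form, so the two branches of the poster's (|(memberUid=...)(memberUid=uid=...)) alternative can be seen working.

```python
"""Toy LDAP filter evaluator for the two nslcd searches from the thread.

Added example, not nslcd code. It models a tiny directory in memory and
shows why `filter group` only controls which groups are visible, while
`pam_authz_search` is the setting that gates login.
"""

# Constructed sample directory (dc=example,dc=com is an assumed base).
# logonDRAGUNOV mirrors the thread's group: memberUid holds both a bare
# username and a DN-shaped value for "ds", and only a DN-shaped one for "ana".
DIRECTORY = {
    "cn=logonDRAGUNOV,ou=Groups,dc=example,dc=com": {
        "objectClass": ["posixGroup", "sambaGroupMapping"],
        "cn": ["logonDRAGUNOV"],
        "gidNumber": ["61208"],
        "memberUid": ["ds", "uid=ds,ou=People,dc=example,dc=com",
                      "uid=ana,ou=People,dc=example,dc=com"],
    },
    "cn=staff,ou=Groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "cn": ["staff"],
        "gidNumber": ["1000"],
        "memberUid": ["bob"],
    },
}

# The poster's working nslcd settings, rebased onto the constructed suffix.
GROUP_FILTER = "(&(objectClass=posixGroup)(cn=logonDRAGUNOV))"
AUTHZ_FILTER = ("(&(objectClass=posixGroup)(cn=logonDRAGUNOV)"
                "(|(memberUid=$username)"
                "(memberUid=uid=$username,ou=People,dc=example,dc=com)))")
# Arthur's simpler suggestion, which expects memberUid to hold bare usernames.
SIMPLE_AUTHZ_FILTER = "(&(objectClass=posixGroup)(cn=logonDRAGUNOV)(memberUid=$username))"


def escape_filter_value(value):
    """RFC 4515 escaping (this example's own step) so a username cannot
    change the structure of the filter it is substituted into."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...) and
    (attr=value). Values may contain '=' and ',' (needed for the DN-shaped
    memberUid values) but not unescaped parentheses."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError(f"unsupported filter item {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, attrs):
    """Evaluate a parsed filter against one entry's attribute dict.
    Attribute names are case-insensitive; value comparison is simplified to
    case-insensitive equality (a real server applies the matching rule)."""
    op = tree[0]
    if op == "&":
        return all(matches(child, attrs) for child in tree[1])
    if op == "|":
        return any(matches(child, attrs) for child in tree[1])
    if op == "!":
        return not matches(tree[1][0], attrs)
    _, attr, wanted = tree
    present = [v for k, vs in attrs.items() if k.lower() == attr.lower() for v in vs]
    return any(v.lower() == wanted.lower() for v in present)


def search(filter_text, username=None):
    """Return the DNs matching a filter, substituting $username first."""
    if username is not None:
        filter_text = filter_text.replace("$username", escape_filter_value(username))
    tree = parse_filter(filter_text)
    return [dn for dn, attrs in DIRECTORY.items() if matches(tree, attrs)]


def visible_groups():
    """What `filter group` yields: the groups NSS can see, for every user."""
    return search(GROUP_FILTER)


def is_authorized(username, authz_filter=AUTHZ_FILTER):
    """What `pam_authz_search` yields: login allowed only if the search
    returns at least one entry for this particular user."""
    return bool(search(authz_filter, username))


if __name__ == "__main__":
    print("groups visible to NSS:", visible_groups())
    for user in ("ds", "ana", "bob"):
        print(f"{user}: authorized={is_authorized(user)}, "
              f"with simple filter={is_authorized(user, SIMPLE_AUTHZ_FILTER)}")
```

Running it shows the same group is visible regardless of who is logging in, that "ds" and "ana" pass the poster's filter while "bob" does not, and that "ana" would be refused by the simpler filter because her memberUid is stored as a DN rather than a bare username, which is the oddity Arthur points out.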