Hey everyone,

I've solved the "id" group error message. It was happening because the
option "filter group (&(objectClass=posixGroup)(cn=logonDRAGUNOV))" was
letting NSLCD consult just the logonDRAGUNOV group, so it couldn't
determine the name of the group ID present in the error message.

To solve this issue, I just removed cn=logonDRAGUNOV from the group filter
parameter; then NSLCD could discover the needed group information.

Now the parameter is: filter group (objectClass=posixGroup)
Error:

    og@192.168.2.222's password:
    Creating directory '/home/og'.
    id: cannot find name for group ID 513
    [og@ldapauth ~]$

Before:

    [root@ldapauth] id og
    uid=61677(og) gid=513,groups=61209(logonDRAGUNOV)

Now:

    [root@ldapauth] id og
    uid=61677(og) gid=513(Domain Users) groups=513(Domain Users),61027(JJJJJJ),61041(ZZZZZZ),61047(logonYYYY),61045(logonXXXX),61209(logonDRAGUNOV)
On 16/12/2014 10:36, Otavio Campos Velho Gloria wrote:
Hello guys,

With Arthur de Jong's suggestion I could get this working.

If the user is not in the logonDRAGUNOV group, the ssh window is closed.
If the user is in the logonDRAGUNOV group, bash is accessed.

It returns an error because the group ID isn't found on the server, but
the essential thing is to filter access by group, and it's working because
of your help guys. Thanks a lot :D

My working /etc/nslcd.conf configuration is (added pam_authz_search):
#===============================================================================
# RUN OPTIONS
#===============================================================================
uid nslcd
gid ldap
#===============================================================================
# TIMING/RECONNECT OPTIONS
#===============================================================================
# Connection timeout to the LDAP server
# Default: bind_timelimit 10
bind_timelimit 3
# Time to wait for a response
# Default: timelimit 0 (wait forever)
timelimit 60
# Idle time after which the LDAP connection is closed
# Default: never close
idle_timelimit 600
# Time to wait before trying to reconnect
reconnect_sleeptime 1
# Time spent retrying the reconnect before marking the server unavailable
reconnect_retrytime 10
#===============================================================================
# SSL/TLS OPTIONS
#===============================================================================
ssl on
tls_reqcert allow
tls_cacertdir /etc/openldap/cacerts
#===============================================================================
# GENERAL CONNECTION OPTIONS
#===============================================================================
uri ldaps://ldap.intranet.e-trust.com.br/
#===============================================================================
# SEARCH/MAPPING OPTIONS
#===============================================================================
base dc=e-trust,dc=com,dc=br
scope group sub
scope passwd sub
scope hosts sub
scope shadow sub
base group ou=Groups,dc=e-trust,dc=com,dc=br
base passwd ou=People,dc=e-trust,dc=com,dc=br
base hosts ou=People,dc=e-trust,dc=com,dc=br
base shadow ou=People,dc=e-trust,dc=com,dc=br
filter passwd (objectClass=posixAccount)
filter group (&(objectClass=posixGroup)(cn=logonDRAGUNOV))
map group member memberUID
#===============================================================================
# OTHER OPTIONS
#===============================================================================
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdmi,nslcd
pam_authz_search (&(objectClass=posixGroup)(cn=logonDRAGUNOV)(|(memberUid=$username)(memberUid=uid=$username,ou=People,dc=e-trust,dc=com,dc=br)))
On 15/12/2014 17:52, Arthur de Jong wrote:
On Mon, 2014-12-15 at 11:17 -0200, Otavio Campos Velho Gloria wrote:
I believe that my configuration is right, because it's consulting
correctly, but when I try to filter by group it's not working. In the
nslcd debug output I saw that the group filter is doing its job, but even
when it returns no result (user not in this group) the system permits
access.
Group membership is probably best configured with pam_group.
filter group (&(objectClass=posixGroup)(cn=logonVISAO))
This means that only groups that match the above filter are found on the
system, it does not mean that only users that match this group can
login.
You should look into pam_authz_search with something like:
(&(objectClass=posixGroup)(cn=logonVISAO)(memberUid=$username))
Note that this is only applied to authorisation checks that use PAM. I
think this should also work in SSH when using key-based authentication.
dn: cn=logonDRAGUNOV,ou=Groups,dc=e-trust,dc=com,dc=br
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: logonDRAGUNOV
gidNumber: 61208
memberUid: uid=ds,ou=People,dc=e-trust,dc=com,dc=br
memberUid: ds
This is a bit weird. The memberUid attribute should include just the
username. The member (or uniqueMember) attribute is supposed to contain
a DN.
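The two behaviours discussed in this thread, modelled in Python as an added example: why a narrowed "filter group" leaves gid 513 without a name for id(1) (the first message above), and how a pam_authz_search filter with $username admits or refuses a login, including the DN-valued memberUid case Arthur points out. This is not code from nss-pam-ldapd or from anyone in the thread. The directory entries, uids and gids are constructed to resemble the LDIF quoted above (the extra member "pb", listed only by DN, is invented to show the difference between the two filters), and the RFC 4515 escaping applied to $username is the example's own choice, since the page does not say what nslcd itself does with the substituted value.

```python
"""Constructed model of nslcd's "filter group" visibility and of a
pam_authz_search decision. Added example, not nss-pam-ldapd code; all
entries, uids and gids below are constructed for illustration."""
import re

BASE = "dc=e-trust,dc=com,dc=br"

# Constructed directory: one posixAccount and three posixGroups.
ENTRIES = [
    {"objectClass": ["posixAccount"], "uid": ["og"],
     "uidNumber": ["61677"], "gidNumber": ["513"]},
    {"objectClass": ["posixGroup"], "cn": ["Domain Users"],
     "gidNumber": ["513"], "memberUid": ["og", "ds"]},
    {"objectClass": ["posixGroup"], "cn": ["JJJJJJ"],
     "gidNumber": ["61027"], "memberUid": ["og"]},
    # Mixed memberUid values like the LDIF in the thread: "pb" (invented) is
    # listed only by DN, "ds" both ways, "og" only by plain username.
    {"objectClass": ["posixGroup", "sambaGroupMapping"],
     "cn": ["logonDRAGUNOV"], "gidNumber": ["61208"],
     "memberUid": [f"uid=pb,ou=People,{BASE}", f"uid=ds,ou=People,{BASE}",
                   "ds", "og"]},
]


def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a filter (our choice)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i):
    """Recursive-descent parser for the &, |, ! and item forms of RFC 4515."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = s[i + 1]
    if op in "&|!":
        kids, i = [], i + 2
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError(f"bad filter near offset {i}")
        return (op, kids), i + 1
    j = i + 1
    while j < len(s) and s[j] != ")":   # stop at the first unescaped ')'
        j += 3 if s[j] == "\\" else 1   # escapes are always \XX here
    if j >= len(s):
        raise ValueError("unterminated filter item")
    attr, value = s[i + 1:j].split("=", 1)
    return ("=", attr.lower(), value), j + 1


def parse_filter(text):
    node, end = _parse(text.strip(), 0)
    if end != len(text.strip()):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute -> values)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    if value == "*":                    # presence filter
        return bool(values)
    # Exact comparison; a real server applies each attribute's matching rule.
    return _unescape(value) in values


def nss_groups(group_filter, entries=ENTRIES):
    """(cn, gid) of every group nslcd exposes to NSS under 'filter group'."""
    ast = parse_filter(group_filter)
    return [(e["cn"][0], int(e["gidNumber"][0])) for e in entries if matches(ast, e)]


def resolve_gid(gid, group_filter, entries=ENTRIES):
    """Name for a gid, or None: the 'id: cannot find name for group ID' case."""
    return dict((g, cn) for cn, g in nss_groups(group_filter, entries)).get(gid)


def id_output(username, group_filter, entries=ENTRIES):
    """Render id(1)-style output from what NSS can see under group_filter."""
    user = next(e for e in entries if e.get("uid") == [username])
    ast = parse_filter(group_filter)
    visible = {int(e["gidNumber"][0]): e["cn"][0] for e in entries if matches(ast, e)}
    primary = int(user["gidNumber"][0])
    # Supplementary groups can only come from groups the filter lets NSS see.
    gids = {primary} | {int(e["gidNumber"][0]) for e in entries
                        if matches(ast, e) and username in e.get("memberUid", [])}
    name = lambda g: f"{g}({visible[g]})" if g in visible else str(g)
    return (f"uid={user['uidNumber'][0]}({username}) gid={name(primary)} "
            f"groups={','.join(name(g) for g in sorted(gids))}")


def pam_authz_allowed(username, authz_filter, entries=ENTRIES):
    """Model of pam_authz_search: substitute $username and allow the login
    only if at least one entry matches the resulting filter."""
    ast = parse_filter(authz_filter.replace("$username", ldap_escape(username)))
    return any(matches(ast, e) for e in entries)


NARROW = "(&(objectClass=posixGroup)(cn=logonDRAGUNOV))"   # the thread's first setting
BROAD = "(objectClass=posixGroup)"                         # the corrected setting
AUTHZ_PLAIN = "(&(objectClass=posixGroup)(cn=logonDRAGUNOV)(memberUid=$username))"
AUTHZ_BOTH = ("(&(objectClass=posixGroup)(cn=logonDRAGUNOV)(|(memberUid=$username)"
              f"(memberUid=uid=$username,ou=People,{BASE})))")

if __name__ == "__main__":
    print(id_output("og", NARROW))   # gid 513 stays numeric: only logonDRAGUNOV is visible
    print(id_output("og", BROAD))
    for user in ("og", "pb", "nobody", "*"):
        print(user, pam_authz_allowed(user, AUTHZ_PLAIN), pam_authz_allowed(user, AUTHZ_BOTH))
```

With NARROW only logonDRAGUNOV is visible to NSS, so the primary gid 513 is printed bare, which is the "cannot find name for group ID 513" situation; with BROAD every group resolves. For authorisation, the plain memberUid filter admits "og" but refuses "pb", whose membership is recorded only as a DN, while the OR form from the config above admits both. The last row shows why the substituted username is escaped: a login name of "*" is compared literally instead of turning (memberUid=$username) into a presence filter that any group would satisfy.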
--
Otávio Campos Velho
www.e-trust.com.br
Porto Alegre: +55 (51) 2117-1000
São Paulo: +55 (11) 5521-2021
This message may contain privileged and confidential information for the
use of the intended recipients only. If you are not an intended recipient
then you should not disseminate, copy, or take any action based on its
contents. If you have received this message in error then please notify
E-TRUST by sending an e-mail message to suporte [at] e-trust.com.br
immediately. Views and opinions expressed in this message do not
necessarily reflect the position of E-TRUST. If this message is digitally
signed, its authenticity can be confirmed by E-TRUST Private Certificate
Authority, available at www.e-trust.com.br.