
Re: nslcd.conf - ldap_result() failed: No such object: cdcLdapSearch :System error (cdcRC=28)



On Tue, 2019-09-17 at 13:39 +0000, CHOUDARY, ANIRUDH (Ext) wrote:
> Now we are trying to limit access to certain LDAP groups, by using
> pam_authz_search and filter on passwd.
> 
> But this does not work. Could you please help us in some examples of
> such implementations.
> 
> We are using the following settings to allow just one group.
> 
> pam_authz_search (&(objectClass=posixGroup)(cn=MYGROUP1)(member=$dn))
> 
> filter passwd (&(objectClass=posixAccount)(cn=MYGROUP1))

The filter option is applied to name lookups, not just for the
authentication lookups. This means that with filter passwd you can
configure which users are known on the system, with pam_authz_search
you can limit who is allowed to log in.

Sadly, an LDAP search filter does not directly support checking group
membership for users. If the user is in a specific subtree of the LDAP
DIT you can use the "base passwd" option to limit the search. Another
alternative is to have the LDAP server expose a memberOf attribute in
user entries that exposes which groups a user is a member of. How to
enable this varies across LDAP server implementations, but in
OpenLDAP there is a memberof overlay.

The pam_authz_search option should be sufficient to only allow users in
the specified group to log in. Users that cannot be filtered out with
"filter passwd" but are not allowed by pam_authz_search should not be
able to log in but will be known on the system (e.g. can be found with
getent passwd).

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
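As an added illustration of the two options discussed above (this is example code, not nslcd's own code and not part of the thread): a toy evaluator for the LDAP filter subset used in nslcd.conf, run over a constructed in-memory directory. It shows why a group name in `filter passwd` matches no user entries, how a `memberOf`-based filter or a narrower `base passwd` changes what `getent passwd` would return, and how `pam_authz_search` with `$dn` substituted decides who may log in. The DNs, the `dc=example,dc=com` suffix and the `memberOf` attribute values are assumptions; real nslcd also escapes the substituted `$dn` value and supports the full filter syntax, which this toy does not.

```python
"""Toy model of nslcd's "filter passwd" and "pam_authz_search" options.

Added example, not nslcd code. Supports only &, |, ! and equality matches,
evaluated over a constructed directory, so it runs without an LDAP server.
"""

# Constructed directory: assumed DNs and attribute values.
PEOPLE_BASE = "ou=people,dc=example,dc=com"
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount", "inetOrgPerson"], "uid": ["alice"],
        "cn": ["Alice Example"], "memberOf": ["cn=MYGROUP1,ou=groups,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount", "inetOrgPerson"], "uid": ["bob"],
        "cn": ["Bob Example"], "memberOf": ["cn=OTHER,ou=groups,dc=example,dc=com"]},
    # A service account outside ou=people, to show what "base passwd" does.
    "uid=svc-backup,ou=service,dc=example,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["svc-backup"], "cn": ["Backup Service"]},
    "cn=MYGROUP1,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["MYGROUP1"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=OTHER,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["OTHER"],
        "member": ["uid=bob,ou=people,dc=example,dc=com"]},
}

# Filters as they would appear in nslcd.conf.
FILTER_FROM_THREAD = "(&(objectClass=posixAccount)(cn=MYGROUP1))"   # matches no user
FILTER_MEMBEROF = "(&(objectClass=posixAccount)(memberOf=cn=MYGROUP1,ou=groups,dc=example,dc=com))"
PAM_AUTHZ_SEARCH = "(&(objectClass=posixGroup)(cn=MYGROUP1)(member=$dn))"


def parse_filter(text):
    """Parse a filter string into a tree; subset of RFC 4515, no escapes."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data in filter: %r" % text[pos:])
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError("malformed %s filter at offset %d" % (op, i))
        return (op, children), i + 1
    end = s.index(")", i)
    attr, sep, value = s[i:end].partition("=")   # partition: DN values contain '='
    if not sep:
        raise ValueError("only equality matches are supported")
    return ("=", attr.strip().lower(), value.strip()), end + 1


def _values(entry, attr):
    """Attribute lookup; LDAP attribute names are case-insensitive."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return vals
    return []


def matches(entry, node):
    op = node[0]
    if op == "&":
        return all(matches(entry, c) for c in node[1])
    if op == "|":
        return any(matches(entry, c) for c in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in _values(entry, attr))


def search(filter_str, base=""):
    """DNs under 'base' (empty = whole directory) matching the filter."""
    node = parse_filter(filter_str)
    return sorted(dn for dn, entry in DIRECTORY.items()
                  if dn.lower().endswith(base.lower()) and matches(entry, node))


def known_users(passwd_filter, base=PEOPLE_BASE):
    """uids nslcd would answer for, i.e. what 'getent passwd' would list."""
    return sorted(_values(DIRECTORY[dn], "uid")[0] for dn in search(passwd_filter, base))


def login_allowed(user_dn, authz_filter=PAM_AUTHZ_SEARCH):
    """True if pam_authz_search, with $dn replaced by the user's DN, matches."""
    return bool(search(authz_filter.replace("$dn", user_dn)))  # no escaping in this toy


if __name__ == "__main__":
    for label, f in (("from thread", FILTER_FROM_THREAD), ("memberOf", FILTER_MEMBEROF)):
        print("filter passwd %s: known users = %s" % (label, known_users(f)))
    for dn in search("(objectClass=posixAccount)"):
        print("%s: login allowed = %s" % (dn, login_allowed(dn)))
```

With the filter from the thread no user is known at all, because the `cn` of a user entry is the user's name, not a group name; the `memberOf` filter makes only alice known, while a plain `(objectClass=posixAccount)` keeps bob known but `pam_authz_search` still refuses his login, which is the "known on the system but cannot log in" situation described in the reply.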