Re: ssh public key auth using pam_ldap

[Arthur de Jong <arthur [at] arthurdejong.org>]

On Tue, 2020-04-28 at 16:30 +0000, Dana, Jason T. wrote:
> I have successfully configured nslcd to query the AD/LDAP server and
> filter on a specific group. Unfortunately it does not appear to apply
> if the user is accessing the system using public key authentication.
> I have attempted a number of different sshd pam configuration changes
> and have added a pam_authz_search entry to nslcd.conf, but
> unfortunately none appear to be getting used.

If SSHD performs authentication when a valid SSH key is provided by the
user it will skip the authentication (auth) step of PAM. It can still
be configured to use PAM for the authorisation (account) phase. You
need to have `UsePAM yes` in sshd_config for that.

This should (assuming that the PAM stack is configured to ask the
pam_ldap module) apply the `pam_authz_search` option from nslcd.conf.

Note that nss-pam-ldapd comes with a pam_ldap.so module but there is
also a standalone module that has it's own configuration and does not
use nslcd. Be sure that your pam_ldap.so module is from nss-pam-ldapd.

You can add extra debugging to the PAM stack by adding `debug` at the
end of the pam_ldap.so line. You can also configure nslcd debugging by
either running it with the `-d` option or configure debug logging in
nslcd.conf (requires a 0.9 release).

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --