I was hoping some PAM/LDAP gurus may be able to help me out here. I've recently set up an LDAP directory on Ubuntu Server to hold accounts for both my clients (for use with web-based systems) and staff (who will need to login via SSH.)
The LDAP authentication is working perfectly. However I cannot get the account restrictions working: staff accounts will have IDs between 2001
and 2999
and will be a member of the ssh-users
group to allow them to login to servers.
The restrictions in question are in /etc/ldap.conf
, and are pam_min_uid
, pam_max_uid
and pam_groupdn
.
pam_groupdn
contains the full DN to my ssh-users
group. pam_min_uid
= 2000
and pam_max_uid
= 2999
.
Now, I've managed to get them working by adding:
account [success=1 default=ignore] pam_ldap.so
above the pam_unix.so
line in /etc/pam.d/common-account
. However, the local Unix accounts can then NOT login: the SSH server kills the connection as soon as they try.
I've set the pam_ldap.so
module to sufficient
in the above file, but then the invalid users get a message saying they cannot login, but it logs them in anyway.
So, how can I set these account restrictions for LDAP users, while still allowing UNIX users to login?
As you can probably guess I'm a newbie to PAM, although I have managed to get the "automatically make home directories" module working :-)
Many thanks, Andy
PAM has the ability to restrict access based on an access control list (at least on Ubuntu) which, like kubanskamac's answer (+1) regards the groups as posix groups, whether they're stored in LDAP,
/etc/group
or NIS./etc/security/access.conf
is the access list file. In my file, I put at the end:This denies everyone except root, sysadmin and in the group ssh-users (which is in LDAP) wherever they login from (the second
ALL
).Then in my PAM account file (this IS an account module), I add at the very end:
which tells PAM to use this file. It works a treat :-)
I would simply use
to allow only specific groups (both for local and LDAP groups). This way you don't have to specify anything in
ldap.conf
.If you want to keep authorization your way, you shouldn't filter users on "account" pass. I believe you should rather do it on "auth" pass. Secondly, as you can see yourself, pam_unix processes both local and LDAP accounts (at least on the "account" pass), so it seems there is no need for pam_ldap at all.
EDIT: Thirdly, if you insist on having stuff on "account" pass (which I believe could have strange side effects), your sequence should end with: ..., "sufficient pam_ldap", "required pam_localuser", "required pam_unix". I mean, if you have any other modules, move them before pam_ldap - otherwise they would be ignored for LDAP accounts due to "sufficient" clause.
Just to add to @andy-shellam, here's my
common-account
file: