We use Active Directory (2003 and 2008) for all our users (70% Linux, 30% Windows). Normal user authentication works fine. I now have a situation where on a particular server I need to restrict the users that can log in to members of a particular group in ADS. So I created the group and added the users in. Then I set in pam_ldap.conf:
pam_groupdb cn=<group>,ou=Applications,dc=<domain>,dc=<tld>
and
pam_member_attribute memberOf
However, this does not seem to make any difference. I stopped nscd (just in case), but I can still log in using credentials of a user who is not a member of this group. Does anybody have experience with this?
There are other workarounds, but they are rather ugly and I would prefer not having to use them (e.g. extract all users via ldapsearch in a cron job and then put them into a list of allowed users, etc.). Oh, yes, I can see the members of this group just fine using ldapsearch. And I can see individual users' group memberships just fine, also using ldapsearch. I have put sshd on that server into debug mode, but the logs don't reveal anything useful. Any pointers would be highly appreciated.
It appears to me that your settings have a typo in them. I believe that pam_groupdb should instead be pam_groupdn.
From the manual:
...
pam_groupdn Specifies the distinguished name of a group to which a user must belong for logon authorization to succeed.
pam_member_attribute Specifies the attribute to use when testing a user’s membership of a group specified in the pam_groupdn option.
...
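The failure mode here is that pam_ldap silently ignores an option name it does not recognise, so a typo leaves the server with no group restriction at all. The following Python script is an added example, not part of the original question or answer, and not pam_ldap's own code: it lints a pam_ldap.conf fragment for unknown option names (suggesting the closest valid one), and approximates the intended membership decision by checking whether a user's memberOf values contain the configured group DN. The list of known options is an assumed subset of the man page, the group and domain names are constructed, and the DN comparison is simplified (case-folded, whitespace stripped around RDN separators).

```python
import difflib

# Assumed subset of pam_ldap.conf option names; consult the pam_ldap.conf
# man page for the authoritative list.
KNOWN_OPTIONS = {
    "host", "base", "uri", "ldap_version", "binddn", "bindpw", "rootbinddn",
    "scope", "timelimit", "bind_timelimit", "ssl", "pam_filter",
    "pam_login_attribute", "pam_groupdn", "pam_member_attribute",
    "pam_min_uid", "pam_max_uid", "pam_password",
}

def lint_pam_ldap_conf(text):
    """Return {bad_key: [closest valid name]} for every option name that is
    not known. An unknown key is ignored by pam_ldap, so a misspelled
    pam_groupdn means no group restriction is enforced at all."""
    problems = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key = line.split(None, 1)[0]
        if key not in KNOWN_OPTIONS:
            problems[key] = difflib.get_close_matches(key, KNOWN_OPTIONS, n=1)
    return problems

def normalize_dn(dn):
    """Simplified DN normalisation: case-fold and strip spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def login_allowed(member_of, group_dn):
    """Approximation of the intended pam_groupdn/pam_member_attribute test:
    the user's memberOf values must include the configured group DN."""
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(value) == wanted for value in member_of)

# Constructed pam_ldap.conf fragment reproducing the typo from the question.
BROKEN_CONF = """\
base dc=example,dc=com
pam_groupdb cn=sshusers,ou=Applications,dc=example,dc=com
pam_member_attribute memberOf
"""

# Constructed memberOf values, as ldapsearch would return them for two users.
ALICE_MEMBER_OF = ["CN=sshusers,OU=Applications,DC=example,DC=com",
                   "CN=Domain Users,CN=Users,DC=example,DC=com"]
BOB_MEMBER_OF = ["CN=Domain Users,CN=Users,DC=example,DC=com"]

if __name__ == "__main__":
    print(lint_pam_ldap_conf(BROKEN_CONF))  # flags pam_groupdb -> pam_groupdn
    group = "cn=sshusers,ou=Applications,dc=example,dc=com"
    print(login_allowed(ALICE_MEMBER_OF, group), login_allowed(BOB_MEMBER_OF, group))
```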