I want to be able to authenticate users (via ssh) to specific groups of hosts based on the users' LDAP netgroup membership. The LDAP server is dsee7. The distro is OEL 6.5 with openldap as the client.
The only account we don't want to authenticate using LDAP is root.
sssd.conf looks like this:
[sssd]
config_file_version = 2
services = nss,pam,autofs
domains = default
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
[pam]
[domain/default]
auth_provider = ldap
ldap_id_use_start_tls = True
chpass_provider = ldap
cache_credentials = True
ldap_search_base = dc=e-durp,dc=com
id_provider = ldap
ldap_uri = ldaps://lvl1.lvs01.edurp.com/ ldaps://lvl1.lvs01.edurp.com/
ldap_tls_cacertdir = /etc/openldap/cacerts
The /etc/openldap/ldap.conf looks like this:
URI ldaps://ldap.edurp.com/ ldaps://ldap1.edurp.com ldaps://ldap2.edurp.com
BASE dc=edurp,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/ldap_ca.cert
TLS_REQCERT never
nsswitch.conf looks like this:
passwd: files compat
shadow: files compat
passwd_compat: sss
shadow_compat: sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: sss files
publickey: nisplus
automount: files ldap
aliases: files nisplus
And /etc/pam.d/system-auth reads:
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
So I tried adding a netgroup to /etc/security/access.conf like so:
#- : ALL : ALL
-:@eeederp: ALL
and restarted sssd just in case...
My user belongs to the netgroup eeederp and is still able to get in using his LDAP password.
Any clues would be appreciated.
Not an expert on PAM, but if you're using access.conf you need a reference to pam_access.so. Perhaps:
account required pam_access.so
Just keep a root shell open while you test. I've managed to lock out the root user with a bad pam edit.
I have Red Hat 6 authenticating against AD using netgroups successfully. I am trying to get it authenticating against an old Sun LDAP server and am not having luck. I can see the netgroups, I can see the user with "getent netgroup {name of netgroup}", and I can su to the user. However, when I attempt to log in it does not work.
What I can tell you from my AD authentication is that your netgroup statement is the opposite of what you want. When you begin with a - it means DO NOT allow them to log in. Try switching that to a + meaning DO allow the users in this netgroup to log in.
Also use the getent command to check to see if you can see your users and netgroup properly:
getent passwd {username}
getent netgroup {name of netgroup}
Remember getent also looks at your local files (as defined in nsswitch.conf) for this information so be sure the information is only available via LDAP.
Hope this helps,
Dan
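Putting the two answers above together (pam_access.so must be in the PAM stack before access.conf is consulted at all, and a leading - denies rather than allows), here is a small added model of how pam_access evaluates access.conf rules. It is example code written for this page, not part of the thread or of pam_access itself; the netgroup table is a constructed stand-in for what getent netgroup would return, and origin matching is simplified to ALL.

```python
# Constructed netgroup membership, standing in for `getent netgroup eeederp`.
NETGROUPS = {"eeederp": {"alice", "bob"}}

# The poster's access.conf (first line commented out) and a corrected version.
POSTER_CONF = "#- : ALL : ALL\n-:@eeederp: ALL\n"
FIXED_CONF = "+ : @eeederp : ALL\n- : ALL : ALL\n"


def _user_matches(item, user, netgroups):
    """One item of the users field: ALL, @netgroup, or a plain user name."""
    if item == "ALL":
        return True
    if item.startswith("@"):
        return user in netgroups.get(item[1:], set())
    return item == user


def evaluate_access(conf_text, user, netgroups=NETGROUPS):
    """Return True if `user` may log in according to pam_access first-match rules.

    Each line is `permission : users : origins`. pam_access stops at the first
    line whose users and origins both match; with no matching line it permits,
    which is why a trailing `- : ALL : ALL` is needed to deny everyone else.
    Origins are simplified here: only ALL is recognised (no hostnames, no EXCEPT).
    """
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if not any(_user_matches(i, user, netgroups) for i in users.split()):
            continue
        if "ALL" not in origins.split():
            continue  # simplified origin check
        return perm == "+"
    return True  # no rule matched: pam_access permits


def compare(user):
    """Show the poster's rules versus the corrected rules for one user."""
    return {"poster": evaluate_access(POSTER_CONF, user),
            "fixed": evaluate_access(FIXED_CONF, user)}


if __name__ == "__main__":
    for name in ("alice", "carol"):  # alice is in eeederp, carol is not
        print(name, compare(name))
```

The poster's rules, once pam_access.so is actually stacked, would deny the netgroup member and let everyone else in; the corrected order permits only the netgroup and denies the rest.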
If you are using SSSD as claimed above, then the nsswitch.conf entries should be as follows for netgroups "compat glibc mode" to work:
/etc/nsswitch.conf
and your /etc/passwd should have the following
not
to disable any user in the netgroup @eeederp from accessing the server. Not sure why access.conf did not work; however, this will work.