I've got ldap authentication working on my Ubuntu 8.10 test server.
Unfortunately I'm having trouble getting per-host restrictions to
work. I've built host entries that also contain "member" attributes.
These tests seem to be working properly.
If I log in using a username whose dn is included in the "member"
attributes of the host, authentication is silently allowed. If,
however, I attempt to log in as a valid LDAP user whose DN is /not/
listed among the "member" attributes, this is what happens:
$ ssh testuser@test02
testuser@test02's password:
You must be a member of cn=test02,ou=hosts,dc=clockwork,dc=net to login.
Last login: Tue Jan 6 14:02:14 2009 from 192.168.22.198
testuser@test02:~$
So it appears to be properly detecting that the user should not be
allowed access, yet authentication continues and access is granted.
What am I missing?
-Ben
Here's the relevant stanza from /etc/ldap.conf:
# Group to enforce membership of
pam_groupdn cn=test02,ou=hosts,dc=clockwork,dc=net
# Group member attribute
pam_member_attribute member
After resolving all the various @include statements, pam.d/sshd (just
the "auth" sections) looks like this:
auth required pam_env.so
auth required pam_env.so envfile=/etc/default/locale
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
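As an added illustration (not part of Ben's post, and not code from pam_ldap or Linux-PAM), the following Python model evaluates the quoted "auth" stack under the classic pam.conf(5) control-flag rules. It shows one thing the stanza alone does not make obvious: a module listed as "sufficient" can only ever grant access; its failure is silently ignored and the verdict passes to the remaining modules. The same evaluation rule applies to every management group, including the "account" stack the post does not quote. The module outcomes used are constructed, and the "fail-closed" stack variant is hypothetical.

```python
"""Model of Linux-PAM control-flag evaluation over the auth stack quoted above.

Added example, not from the original post, pam_ldap or Linux-PAM. The rules for
required / requisite / sufficient / optional follow pam.conf(5); the module
results fed in below are constructed, not observed on the poster's server.
"""

from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]  # (control flag, module name)

# The "auth" stack exactly as quoted in the post. Module arguments are omitted
# because they do not change control flow.
SSHD_AUTH: Stack = [
    ("required", "pam_env.so"),
    ("required", "pam_env.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
]

# Hypothetical fail-closed variant: pam_ldap.so changed from "sufficient" to
# "required", so a failure from it can no longer be ignored.
FAIL_CLOSED_AUTH: Stack = [
    ("required" if module == "pam_ldap.so" else control, module)
    for control, module in SSHD_AUTH
]


def run_stack(stack: Stack, results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate one management group (e.g. "auth") of a PAM stack.

    `results` maps module name -> True (PAM_SUCCESS) or False (a failure code).
    Modules not listed in `results` count as success (pam_env.so only sets
    environment variables and never rejects a user).
    Returns (access_granted, trace) where trace records every decision taken.
    """
    trace: List[str] = []
    required_failed = False
    for control, module in stack:
        ok = results.get(module, True)
        trace.append(f"{control:10} {module:12} -> {'success' if ok else 'FAILURE'}")
        if control == "required":
            if not ok:
                # Failure is remembered; the stack keeps running so that the
                # user cannot tell which module rejected them.
                required_failed = True
        elif control == "requisite":
            if not ok:
                trace.append("requisite failure: stack aborted, access denied")
                return False, trace
        elif control == "sufficient":
            if ok and not required_failed:
                trace.append("sufficient success: remaining modules skipped, access granted")
                return True, trace
            # A failing "sufficient" module contributes nothing to the verdict.
        elif control == "optional":
            pass
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return (not required_failed), trace


def evaluate(stack: Stack, ldap_ok: bool, unix_ok: bool) -> bool:
    """Final verdict for constructed outcomes of pam_ldap.so and pam_unix.so."""
    granted, _ = run_stack(stack, {"pam_ldap.so": ldap_ok, "pam_unix.so": unix_ok})
    return granted


if __name__ == "__main__":
    scenarios = ((True, False), (False, True), (False, False))
    for name, stack in (("quoted auth stack", SSHD_AUTH),
                        ("fail-closed variant", FAIL_CLOSED_AUTH)):
        for ldap_ok, unix_ok in scenarios:
            granted, trace = run_stack(
                stack, {"pam_ldap.so": ldap_ok, "pam_unix.so": unix_ok})
            print(f"\n{name}: pam_ldap={'ok' if ldap_ok else 'fail'}, "
                  f"pam_unix={'ok' if unix_ok else 'fail'}")
            print("\n".join("  " + line for line in trace))
            print("  =>", "access granted" if granted else "access denied")
```

Run as a script it prints a decision trace for each scenario. With the quoted stack, pam_ldap.so failing and pam_unix.so succeeding still ends in "access granted"; with pam_ldap.so under "required" both modules must pass, which is the usual trade-off when a machine also has purely local accounts, and why membership enforcement is often placed in whichever stack is configured to treat the module's failure as final.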