Hello all
We have a lot of Linux Ubuntu machines running.
We use LDAP to authenticate and restrict users to certain hosts.
This works fine on Ubuntu. Now we want to make FreeBSD also use LDAP for authentication.
This works fine, except that every user can log in, even if the user is not authorized to log in.
This is the LDAP entry for user test; the only server he may log in to is server01, see the host attribute.
Our FreeBSD server is storage01, but the user test can also log in to this server!
Code:
dn: uid=test,ou=account,dc=mydomain,dc=com
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: authorizedServiceObject
objectClass: sambaSamAccount
uid: test
cn: Test User
loginShell: /bin/bash
uidNumber: 2323
gidNumber: 50
homeDirectory: /home/staff/test
AUTHORIZEDSERVICE: sshd
AUTHORIZEDSERVICE: su
AUTHORIZEDSERVICE: sudo
AUTHORIZEDSERVICE: samba
SAMBAACCTFLAGS: [UX]
host: server01
structuralObjectClass: account
entryUUID: 111111111-1141-1135-1111-11111111111111
creatorsName: cn=admin,dc=mydomain,dc=com
createTimestamp: 20160128141004Z
entryCSN: 20160128141004.520714Z#000000#000#000000
modifiersName: cn=admin,dc=mydomain,dc=com
modifyTimestamp: 20160128141004Z
In the nslcd.conf config file we have the following:
Code:
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*))(authorizedService=$service))
This works for the Ubuntu servers, but our FreeBSD servers do not honor this.
This is my /etc/pam.d/sshd file:
Code:
#
# $FreeBSD: releng/10.2/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
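The first thing to check with a stack like the one above is how OpenPAM combines the control flags in the `account` phase, because that is the phase where pam_ldap's `pam_authz_search` result is applied. The script below is an added example, not part of the original post: it models the documented `required`/`requisite`/`sufficient`/`optional` semantics from FreeBSD's pam.conf(5) and runs the posted account stack through them. The module return values are constructed assumptions: pam_ldap is assumed to return `PAM_PERM_DENIED` when the host filter does not match (what nss-pam-ldapd's pam_ldap does) and `PAM_IGNORE` for a local account under `ignore_unknown_user`, and `pam_unix`, `pam_nologin` and `pam_login_access` are assumed to succeed. Which port actually provides `/usr/local/lib/pam_ldap.so` on this host, and therefore whether it reads nslcd.conf at all, is not visible in the post and is not modelled.

```python
"""Walk-through of OpenPAM control-flag semantics for the posted account stack.

Added example (not from the original post). Module results are constructed.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_IGNORE = "PAM_IGNORE"          # OpenPAM skips a module that returns this


def run_chain(chain, results):
    """Evaluate one PAM chain (e.g. the 'account' phase) and return what sshd sees.

    chain:   list of (control_flag, module) in file order
    results: dict module -> return code (missing modules are assumed to succeed)

    Flag rules as in pam.conf(5) on FreeBSD:
      required   - a failure is recorded, the chain continues, final result is failure
      requisite  - a failure ends the chain at once with that failure
      sufficient - success with no recorded failure ends the chain with success;
                   a failure is IGNORED and the chain continues
      optional   - result ignored
    """
    fail_r = None                                   # first recorded failure
    for flag, module in chain:
        r = results.get(module, PAM_SUCCESS)
        if r == PAM_IGNORE:
            continue
        if flag == "required":
            if r != PAM_SUCCESS and fail_r is None:
                fail_r = r
        elif flag == "requisite":
            if r != PAM_SUCCESS:
                return fail_r or r
        elif flag == "sufficient":
            if r == PAM_SUCCESS and fail_r is None:
                return PAM_SUCCESS
            # failing 'sufficient' module: nothing recorded, keep going
        elif flag == "optional":
            pass
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    return fail_r or PAM_SUCCESS


# Account phase as posted (module paths shortened to the file name).
POSTED_ACCOUNT = [
    ("required", "pam_nologin.so"),
    ("required", "pam_login_access.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
]

# Same stack with pam_ldap made mandatory so that its denial is recorded.
HARDENED_ACCOUNT = [(("required" if m == "pam_ldap.so" else f), m)
                    for f, m in POSTED_ACCOUNT]

# Constructed scenarios (assumed module results, see lead-in).
TEST_ON_STORAGE01 = {"pam_ldap.so": PAM_PERM_DENIED, "pam_unix.so": PAM_SUCCESS}
TEST_ON_SERVER01 = {"pam_ldap.so": PAM_SUCCESS, "pam_unix.so": PAM_SUCCESS}
LOCAL_ROOT = {"pam_ldap.so": PAM_IGNORE, "pam_unix.so": PAM_SUCCESS}


def posted_result(results):
    return run_chain(POSTED_ACCOUNT, results)


def hardened_result(results):
    return run_chain(HARDENED_ACCOUNT, results)


if __name__ == "__main__":
    for name, scenario in (("test@storage01", TEST_ON_STORAGE01),
                           ("test@server01", TEST_ON_SERVER01),
                           ("root (local)", LOCAL_ROOT)):
        print(f"{name:15} posted: {posted_result(scenario):16} "
              f"pam_ldap required: {hardened_result(scenario)}")
```

Under these assumptions the posted stack returns success for `test` on storage01 even though pam_ldap denied the account, because a failing `sufficient` module is ignored and `pam_unix` then succeeds for a user it can resolve through NSS; with `required` the denial is recorded and the login is refused, while `server01` and the local account are unaffected. The `ignore_unknown_user` and `ignore_authinfo_unavail` options already on the posted line are what turn local-user and LDAP-down cases into `PAM_IGNORE` rather than a hard failure, which is why they matter once the flag is `required`.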