Re: [389-users] SSH AllowGroups and LDAP authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [389-users] SSH AllowGroups and LDAP authentication
From: "Morris, Patrick" <patrick.morris@xxxxxx>
Date: Tue, 09 Nov 2010 09:50:00 -0800
Delivered-to: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
In-reply-to: <COL116-W19CECEF0CF9490E43BF449D0300@xxxxxxx>
References: <COL116-W427977805C648E7041B462D04F0@xxxxxxx>, <4CD844C3.8010507@xxxxxx> <COL116-W19CECEF0CF9490E43BF449D0300@xxxxxxx>
Reply-to: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.12) Gecko/20101027 Lightning/1.0b2 Thunderbird/3.1.6

On 11/9/2010 5:36 AM, Allan Hougham wrote:

Hi Patrick,

What does "groups ahougham" show on that box? Is that user in an allowed group?

ahougham is a user in "Search" group

I need anothe parameter or any adicional setting? do you have any tutorial with this configuration and what parameters I need in PAM file?

I'm not sure multiple "AllowGroups" directives are allowed.

From "man sshd_config":

     AllowGroups
             This keyword can be followed by a list of group name patterns,
             separated by spaces.

The way you have things set up, my guess is that it will only allow access to the "Question" group, since that line appears last and will probably overwrite all of the earlier ones.

Thanks!

Allan

Date: Mon, 8 Nov 2010 10:43:15 -0800
From: patrick.morris@xxxxxx
To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [389-users] SSH AllowGroups and LDAP authentication

On 11/8/2010 8:56 AM, Allan Hougham wrote:
I need help with this issue, I setting sshd_config with "AllowGroups" but I can´t authenticate with LDAP, the groups are settings up, this is my configuration:
Do you have any tutorial or guide for setting ssh authentication groups with LDAP?
This is the mistake, but the user ahougham is in "Search Group"

[root@ds03 log]# tail -f secure
Nov 6 04:09:33 ds03 sshd[7055]: User ahougham from 10.10.38.27 not allowed because none of user's groups are listed in AllowGroups

Assuming your system is set up to use LDAP groups (usually via PAM, so make sure SSH is configured to use PAM), you don't need to do anything special to use AllowGroups.

What does "groups ahougham" show on that box? Is that user in an allowed group?

-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

References:
- [389-users] SSH AllowGroups and LDAP authentication
  - From: Allan Hougham
- Re: [389-users] SSH AllowGroups and LDAP authentication
  - From: Morris, Patrick
- Re: [389-users] SSH AllowGroups and LDAP authentication
  - From: Allan Hougham

Prev by Date: Re: [389-users] duplicate existing ssl crenentials on another server ?
Next by Date: Re: [389-users] duplicate existing ssl crenentials on another server ?
Previous by thread: Re: [389-users] SSH AllowGroups and LDAP authentication
Next by thread: Re: [389-users] SSH AllowGroups and LDAP authentication
Index(es):
- Date
- Thread

[Fedora Directory Devel] [Fedora Announce] [Fedora Legacy Announce] [Home] [Fedora Tools] [Kernel] [Fedora Legacy] [Share Photos] [Fedora Desktop] [PAM] [Red Hat Watch] [Red Hat Development] [Red Hat 9 Bible] [Red Hat 9] [Big List of Linux Books] [Gimp] [Yosemite News]