Comments:
<0> o/
<1> i'm trying to enable access control on my box ..in /etc/security/access.netgroup.conf I have: + : @admin_users@@my_systems : ALL \n + : root : LOCAL \n - : ALL : ALL ..this works for the first and last rule but root seems to still be able to login from any machine outside the console ..anyone know why? could this be because we have a NIS root user (we're using LDAP+NIS setup)?
<1> root is not an admin_user
<1> hehe i made sure of that
<1> i mean root is not in that group so...
<2> nsswitch.conf.. local root passwd hash, right?
<1> charlieS, yes that exists
<2> I don't know what looks at access.netgroup.conf.. is that a linux thing?
<2> apparently so.. interesting.
<1> charlieS, i'm using a setup similar to : http://directory.fedora.redhat.com/wiki/Howto:Netgroups ..it's a PAM thing see /etc/security/access.conf
<1> but i'm not using LDAP as the backend ..NIS is the backend
<2> so that assumes you have ssh configured with UsePam :)
<1> everything works nicely except for that middle rule
<1> which isn't all that bad since we can just fix it up in the sshd_config
<2> why not just use the nisNetgroupTriple object in LDAP and revert to the ole +@ in the passwd file? (just curious, I don't have an answer for you :))
<1> yes ssh is configured with usepam ..so are you saying since i've enabled remote root SSH login that it won't obey that rule?
<1> charlieS, i don't have access to the LDAP server except for authentication
<2> oh, hehe.
<1> bindpw
<1> for a read only account
<2> uhm.. never allow root to login via keyboard interactive..
<2> but if ssh is using pam, then it should obey that file (according to pam.conf in your mod_access line).
<2> er, pam_access
<1> charlieS, yes but allowing root to login through keyboard interactive is so convenient :>
<1> anyways we have almost all the boxes to accept connections from the UNI lan only
<1> except for our gateway etc ..
<1> and by gateway i mean webserver
<1> anyone know if a nis group can be used to build a netgroup in the netgroup file ? e.g. without building a conversion script?
<3> Hello, have a question about slapd.conf access control ... I'm looking for a rule that will give write permissions to a DN as long as the binding DN belongs to a special group.
<3> Hello, have a question about slapd.conf access control ... I'm looking for a rule that will give write permissions to a DN as long as the binding DN belongs to a special group. Does anyone have any ideas?
<1> what is DN?
<3> At first I thought there might be a way to make use of dnattr, but that is only supported for an attribute to which the access applies...I think.
<1> you have to use netgroups
<3> for example, I would like people listed in the "memberUid" attribute of the "cn=admin,ou=groups,dc=foo,dc=bar" DN to be allowed to modify all users in "ou=people,dc=foo,dc=bar".
<3> t35t0r: netgroups? ... googling. :)
<3> Hmm, I don't think I like the idea of netgroups at all. Seems like a replication of configuration information that I'm trying to avoid in the first place by using the efficiency/centralization of LDAP.
<3> Seems like I should be allowed to enter a specific attribute of a specific DN in the <who> section of the access list...
<3> Anyone with other suggestions?
<3> Oh, hmmm. It looks like I may have missed an ACL option: [group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>]
<2> at[p]: you certainly can do that with groups. The Sun webpage has examples of exactly that for ACIs.. but I have no idea about openldap.
<3> charlieS: yeah, it looks like I missed one of the slapd.conf ACL options, which I just posted. I think I may have the problem solved...just need to test. Thanks.
<2> :)
<4> er.... I issued an ldappasswd command on a user this morning...
<4> ldappasswd -x -W -D cn=admin,dc=kuiki,dc=net uid=ovaltine8,ou=People,dc=kuiki,dc=net
<4> and it reset their password... now it's not doing a thing
<4> it says it resets the password successfully, but the directory reflects the one from this morning
<4> any ideas on what has happened
<4> restart the slapd, and it works now
<4> that was not happy
<2> weird.
<2> so I copied in crypt hashes from NIS, as {crypt}INinuassa*^721 ... and users can't auth.. unless I manually edit the hash and paste in a different one, or set the passwd with the gui (SunONE). Ideas?
<5> that doesn't look like a valid crypt hash
<5> it should only be 13 characters
<2> I made it up on the fly as I typed :)
<5> ok, I'll make up an answer on the fly then.
<2> it matters not..
<2> they are valid hashes..
<2> and, e.g. using ldapvi, there's nothing like a space at the end, or anything weird that I could see.
<6> I'm looking for a general cookbook that covers setting up ACIs to allow or prevent access based on groups.
<6> Google is failing me. :)
<7> _ranger_: around?
<8> hello to you all
<8> are ldap attributes case sensitive? for example loginshell == loginShell?
<9> Airwulf: depends on the schema definition and how your rdn/dn is made up
<5> attribute names are case insensitive
<5> attribute values depend on their schema def
<8> ok then loginshell:/bin/bash or loginShell:/bin/bash both must work.
<5> yes
<9> hyc: what hyc said ;-)
<9> is what I meant really!
<8> ok thx for helpin
<10> katerX, yes
<10> Plaidrab, there may or may not exist such a thing, depending on your definition of "group"
<11> Hi all; I have a problem with ppolicy. ldapsearch -w falsecredentials locks a user. After that ldapsearch won't work anymore as expected. However I CAN login with this username if it is locked. I use a proxy account in /etc/ldap.conf. Objectclasses top,account and shadowaccount
<10> use pam_ldap to authenticate users, not nss_ldap (proxy dn)->pam_unix
<11> _ranger_, pam_check_host attr=yes. Do I miss something else?
<10> ????????????
<10> tiswat, ppolicy works on the dn in question binding to the directory server
<10> if you rely on proxy dn's for authentication to work, then the user in question DOES NOT BIND
<10> remove 'ldap' from shadow line of /etc/nsswitch.conf
<10> if authentication breaks, that means you were not using pam_ldap to authenticate, thus the user was not binding
<10> thus ppolicy can not work
<10> so, then configure pam correctly to authenticate users via pam_ldap, and it should work
<11> That makes sense, I can see that the dn received on the server is cn=proxy. The host attr works, so I guess I have to dig deeper in my pam.d config.
<10> paste your auth lines at a paste bin
<11> Since I am not a real pam guru, do you know a url with a good example to start with?
<11> I can't paste (internet pc not connected to network)
<11> (internet pc at-the-office-connected at a pc at home actually)
<7> _ranger_: You maintain the rhel4 rpm packages for ldap?
<11> Thanks anyway ranger, your info is helpful enough to encourage my struggle.
<12> hi
<7> _ranger_: I used your packages, modified some schema files and upgraded to 2.3.31. Your new rpms overwrote my modified schema files. Would %config(noreplace) in your spec file be a good idea?
<5> you shouldn't modify any bundled schema files
<5> I note that the OpenLDAP "make install" rule simply renames the existing schema directory and creates a new one.
<10> katerX, it is bad practice to have files outside of /etc/ marked as %(config)
<10> I would suggest that if you need to have any schema files changed, that you move them to /etc/openldap2.3/schema
<10> and change your include line
<10> I will be moving the "extra" schema files out of the openldap package (into something like 'openldap-schemas-extra')
<10> katerX, BTW, which schema files, and why did you need to change them ? old samba install ?
<7> _ranger_: I modified the samba.schema file, because I use the apple.schema file too. And I must modify the evolutionperson.schema because we have our own schema file which was already in the structural oc chain to inetOrgPerson. and only one structural oc is allowed....
<12> why does *every* groupware server come up with its own schema to store persons ?
<7> _ranger_: Ok, the include sounds very good.
<7> include change...
<11> _ranger_; I removed ldap from nsswitch, but I can still login. According to cn=monitor, the connection still runs via the proxy account??
<9> pinchartl: I've noticed that too
<9> what's wrong with RFC'd schemas!
<11> The host_attr check from pam works fine. I am locked out if my host is not listed.
<12> ghenry: they lack needed attributes. we miss a schema able to map a vCard to an LDAP object.
<12> speaking of that... we could create a vcard schema :-)
<12> and propose it as an RFC
<10> tiswat_, host_attr check is from account lines in pam ... not auth
<9> pinchartl: Sweet
<9> that would be a good idea
<9> pinchartl: http://www.ietf.org/rfc/rfc2739.txt
<12> nice, but that's for vCalendar (which has been superseded by iCalendar)
<12> a step in the right direction, now we need to have a vcard schema
<9> good start, I suppose
<9> "calendar attributes for vcard and ldap rfc 2739" is the title. was confused.
<11> _ranger_ : My pam : auth req. pam_env auth sufficient pam_unix likeauth nullok; auth sufficient pam_ldap use_first_pass; auth req. pam_deny
<11> This is not OK?
<10> should be ok
<10> is nscd running ?
<11> in session the last line is session optional pam_ldap. I think the auth and session directives are pretty standard rhel4.
<11> nscd is running. Maybe I should stop nscd to avoid caching?
<10> at least run 'nscd -i shadow'
<11> Hang on....
<10> since you may still have been authenticating via pam_unix
<11> nscd was indeed the beast again...
<11> Now I am locked out.
<11> Does this mean for 100% that my pam conf is to blame?
<11> (If you say yes I won't bother you anymore ;P)
<10> tiswat_, no, it means your 'ldap' in 'shadow' line in conjunction with your proxy user having read access to userPassword had you in "NIS-like" mode
<11> Mmm, I feel a bit confused......
<10> tiswat_, IMHO, *never* use a privileged user as a proxy user
<10> always test thoroughly without ldap in shadow line to be sure you are using pam_ldap to authenticate, and not nss_ldap->pam_unix
<11> How (or where) do i disable this? /etc/ldap.conf? not using a binddn? some other feature? The proxy user is only privileged on this acl-less system. On other systems it only has read access to people, group and some other minors. But this may also be too much.
<13> anyone can guide me to configure suse 10.2 ldap server
<13> if anyone can guide me just private me
<14> what id the difference between sub and one for the scope attribute?
<14> s/id/is
<13> invalid credential (49)
<13> what i should do about this error
<10> redhatone, I guess you have binddn and bindpw set (or rootbinddn, and an /etc/ldap.secret file) with either wrong dn, or wrong password
<13> i will check it
<13> but i do slappasswd command and paste the result to /etc/openldap/slapd.conf
<13> by rootpw encrypted password paste here
<13> till now it's right
<13> i have no /etc/ldap.secret file in my system
<13> can u send me that file
<13> can u give me ur e-mail so i can send u my all configuration file that i do and u take a look to it and tell me what i have to do
<13> ok