Online Expert Day - HPE Data Storage - Live Now
April 24/25 - Online Expert Day - HPE Data Storage - Live Now
Read more
System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

ldap-ux, pam_authz, and nested groups

SOLVED
Go to solution
feeble
Valued Contributor

ldap-ux, pam_authz, and nested groups

Just started testing HP Direcotry Server with LDAP-UX Integratin on my HPUX hosts. I have created a group for each host that will use ldap for authentication. I was then adding users per host group. I was also adding groups to the host group. For instance I may have a server called xyz. I then add a group to that group called dbas. The users in the dba group are not able to authenticate to the host even though they are in the host group. Pam_authz entry is as follows.

 

allow:unix_local_user
allow:ldap_group:cn=xyz,ou=Servers,dc=blah,dc=com
deny:ldap_group:cn=Users,ou=Groups,dc=blah,dc=com

Is pam_authz not able to work woth nested groups in ldap?

3 REPLIES
Steven E. Protter
Exalted Contributor

Re: ldap-ux, pam_authz, and nested groups

Shalom,

What is the command being used and the error message.

Please post the basic diagnostics below:
uname -a
swlist -l bundle | egrep -i "QPK|OE"
swlist -l product | grep -i ldap

SEP

 

Edited to correct a typo. This feature I LIKE! :smileyhappy:

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
feeble
Valued Contributor
Solution

Re: ldap-ux, pam_authz, and nested groups

Hey SEP. I am just trying to login via ssh. It looks like pam_authz doesn't like nested groups. The error messages I will see are "Failed none for invalid user" and " error: PAM: No account present for user for illegal user". Like I said, if I add my self to the group directly (unnested) I can login fine. I only have issues if I am in a nested group. I am starting to beleive it is a limitation of the module. My QPK's are march 2011 and the ldap-ux int. is 5.01.

 

Steven E. Protter
Exalted Contributor

Re: ldap-ux, pam_authz, and nested groups

Shalom again,

Well you have self diagnosed. I agree with your conclusion.

Perhaps go for a less complex solution.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com