Operating System - HP-UX

Re: Using ldap_filter in ldapux

PatRoy
Regular Advisor

Using ldap_filter in ldapux

I'm trying to use the /etc/opt/ldapux/pam_authz.policy to prevent certain users from logging on with their LDAP password to the system.

All I'm trying right now is to DENY access to user "proy". I only want him to login using his unix password. So I've added the following to the pam_authz...

deny:ldap_filter:(cn=proy)
allow:other

It's not working and I don't know why. The user is still able to login using his ldap password. This is what the log tells me:

Jul 10 13:16:35 pscdweb1 syslog: pid:2568 - ldap_common.c:2870:_hp_ldap_find_first():
Jul 10 13:16:35 pscdweb1 syslog: pid:2568 - ldap_common.c:248:_hp_ldap_make_filter(): filter_in:(objectclass=posixaccount), attr:uid, val:proy
Jul 10 13:16:35 pscdweb1 syslog: pid:2568 - ldap_common.c:282:_hp_ldap_make_filter(): filter_out 2:(&(uid=proy)(objectclass=posixaccount))
Jul 10 13:16:35 pscdweb1 syslog: pid:2568 - ldap_common.c:2917:_hp_ldap_find_first(): ldap_search_ext(base:o=psc,scope:2,filter:(&(uid=proy)(objectclass=posixaccount))):Success - msg:2
Jul 10 13:16:35 pscdweb1 syslog: pid:2568 - ldap_common.c:2984:_hp_ldap_find_first(): Found 1 entries, 0 referrals. Total messages:2
Jul 10 13:16:35 pscdweb1 syslog: pid:2568 - ldap_common.c:3544:uid_in_disable_range(): hpld_max_disable_uid_ranges: 1
Jul 10 13:16:35 pscdweb1 syslog: pid:2568 - ldap_common.c:3546:uid_in_disable_range(): lower: 0, upper: 199
Jul 10 13:16:35 pscdweb1 syslog: pid:2568 - ldap_common.c:1899:_hp_ldap_build_cred(): built DN credential for uid:500 dn:cn=PROY,ou=ITSD,ou=CMB,ou=HQ,o=PSC

What am I doing wrong?? Thanks.
Steven E. Protter
Exalted Contributor

Re: Using ldap_filter in ldapux

Shalom,

How about just setting up a user in /etc/passwd with /bin/false or /bin/nologin as the shell.

Just because ldap is a means of authentication does not mean its the best tool to block a user.

I bet to permit root login /etc/nsswitch.conf has files first on authentication anyway.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
PatRoy
Regular Advisor

Re: Using ldap_filter in ldapux

Hi. Thanks for your reply.

However, the user still needs to be able to login using his unix password. I just want to prevent him from using his ldap password. So, I want to do an ldap filter to deny his login from ldap.

Can't that be done?
emily fan
New Member

Re: Using ldap_filter in ldapux

Hi,

Do you still have the problem with denying a duplicated user from logging in using the ldap password?

If so, please let me know, so I can give you some instructions to collect some data that I need to diagnose the problem.

With the minimum information you provided, I did some testing. I added the following two lines in my pam_authz.policy file:

deny:ldap_filter:(cn=proy)
allow:other

And I added the pam_authz library in /etc/pam.conf like this:

login account required libpam_hpsec.so.1
login account required libpam_authz.so.1 debug
login account sufficient libpam_unix.so.1 debug
login account required libpam_ldap.so.1 debug

Then I cannot log in as proy at all, no matter whether I use the password in the /etc/passwd file or the ldap password.

Emily.

PatRoy
Regular Advisor

Re: Using ldap_filter in ldapux

Hi Emily.

Yep, still have the same problem. I can't seem to deny ldap access to a particular ldap user...

My /etc/pam.conf looks like this:

login auth required libpam_hpsec.so.1
login auth sufficient libpam_ldap.so.1
login auth required libpam_unix.so.1 try_first_pass
...
login account required libpam_hpsec.so.1
login account sufficient libpam_ldap.so.1
login account required libpam_unix.so.1

It was taken from the original pam.ldap.trusted because I run a trusted system. Any suggestions? Thanks again.

Pat
emily fan
New Member

Re: Using ldap_filter in ldapux

Hello,

There is at least one problem in your /etc/pam.conf file: you didn't specify pam_authz in the account section.

As of today, LDAP-UX (pam_ldap and/or pam_authz) doesn't have a good solution to distinguish between a local user and an ldap user if they share the same user name or user id number.

We are investigating a solution to better handle this situation in our next release. The timeframe for our next release is not finalized yet.

Emily.
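The behaviour Emily observed (pam_authz in the account stack locks the user out of both the LDAP and the /etc/passwd password) follows from how PAM is structured: the account phase runs after authentication and only sees the user name, not which auth module accepted the password. The model below is an added illustration, not HP-UX or LDAP-UX code. It assumes simplified PAM control-flag semantics (only required and sufficient), assumes pam_authz.policy rules are evaluated top-down with the first match winning, omits libpam_hpsec, and uses a constructed directory entry and passwd entry for "proy" that mirror the thread (cn=PROY in the directory, uid proy, one local password and one LDAP password). The policy lines are the two from the thread.

```python
"""Toy model of a PAM auth/account stack with a pam_authz-style policy.

Constructed example (not LDAP-UX code). It shows why a deny rule placed in
the shared 'account' stack blocks a user no matter which auth module
accepted the password, and why 'allow:other' still lets other LDAP users in.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: "proy" exists both in LDAP and in /etc/passwd,
# "alice" only in LDAP. The dn shape mirrors the one in the thread's log.
LDAP_DIRECTORY = [
    {"dn": "cn=PROY,ou=ITSD,ou=CMB,ou=HQ,o=PSC", "cn": "PROY", "uid": "proy",
     "objectclass": "posixaccount", "userPassword": "ldap-secret"},
    {"dn": "cn=alice,ou=ITSD,ou=CMB,ou=HQ,o=PSC", "cn": "alice", "uid": "alice",
     "objectclass": "posixaccount", "userPassword": "alice-ldap"},
]
LOCAL_PASSWD = {"proy": "unix-secret"}

Context = Dict[str, str]
Module = Callable[[Context], bool]


def ldap_lookup(user: str) -> Optional[dict]:
    """Find the entry matching (&(uid=<user>)(objectclass=posixaccount))."""
    for entry in LDAP_DIRECTORY:
        if entry["uid"] == user and entry["objectclass"] == "posixaccount":
            return entry
    return None


def simple_filter_match(entry: dict, filt: str) -> bool:
    """Evaluate one (attr=value) filter. Values compare case-insensitively,
    as LDAP does for cn; compound filters are deliberately unsupported here."""
    inner = filt.strip()
    if not (inner.startswith("(") and inner.endswith(")")) or "=" not in inner:
        raise ValueError(f"unsupported filter: {filt}")
    attr, value = inner[1:-1].split("=", 1)
    return str(entry.get(attr, "")).lower() == value.lower()


def authz_policy(lines: List[str]) -> Module:
    """Build an account module from pam_authz.policy-style lines.
    Assumed semantics: rules are checked top-down, first match decides."""
    rules = []
    for line in lines:
        parts = line.strip().split(":", 2)
        rules.append((parts[0], parts[1], parts[2] if len(parts) > 2 else ""))

    def module(ctx: Context) -> bool:
        entry = ldap_lookup(ctx["user"])
        for action, kind, arg in rules:
            if kind == "other":
                return action == "allow"
            if kind == "ldap_filter" and entry and simple_filter_match(entry, arg):
                return action == "allow"
        return False  # nothing matched: deny by default
    return module


# Auth modules: each checks the supplied password against one source.
def pam_ldap_auth(ctx: Context) -> bool:
    entry = ldap_lookup(ctx["user"])
    return entry is not None and ctx["password"] == entry["userPassword"]


def pam_unix_auth(ctx: Context) -> bool:
    return LOCAL_PASSWD.get(ctx["user"]) == ctx["password"]


# Account modules: they see only the user name, never which auth module passed.
def pam_ldap_account(ctx: Context) -> bool:
    return ldap_lookup(ctx["user"]) is not None


def pam_unix_account(ctx: Context) -> bool:
    return ctx["user"] in LOCAL_PASSWD


def run_stack(stack: List[Tuple[str, Module]], ctx: Context) -> bool:
    """Evaluate (control, module) pairs: a failing 'required' module makes the
    stack fail but keeps it running; a passing 'sufficient' module ends the
    stack successfully unless a 'required' module already failed."""
    required_failed = False
    for control, module in stack:
        ok = module(ctx)
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "sufficient":
            if ok and not required_failed:
                return True
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return not required_failed


def login(auth_stack, account_stack, user: str, password: str) -> bool:
    ctx = {"user": user, "password": password}
    return run_stack(auth_stack, ctx) and run_stack(account_stack, ctx)


# Pat's stacks (hpsec omitted): LDAP sufficient, then unix required.
AUTH = [("sufficient", pam_ldap_auth), ("required", pam_unix_auth)]
ACCOUNT_PAT = [("sufficient", pam_ldap_account), ("required", pam_unix_account)]
# Emily's account stack: pam_authz required in front, policy from the thread.
POLICY = ["deny:ldap_filter:(cn=proy)", "allow:other"]
ACCOUNT_EMILY = [("required", authz_policy(POLICY)),
                 ("sufficient", pam_unix_account), ("required", pam_ldap_account)]

if __name__ == "__main__":
    for stack_name, acct in (("pat", ACCOUNT_PAT), ("emily", ACCOUNT_EMILY)):
        for pw in ("ldap-secret", "unix-secret"):
            print(stack_name, pw, login(AUTH, acct, "proy", pw))
```

With Pat's stacks both of proy's passwords log him in; with pam_authz in the account stack both are refused, while alice (matched only by allow:other) still gets in. The model makes the thread's conclusion concrete: a filter that keys on the directory entry cannot tell the two passwords apart, because the decision is taken after authentication has already completed.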