[plug] PAM/LDAP

Patrick Coleman blinken at gmail.com
Tue May 16 12:46:07 WST 2006


Hi,
I've been setting up LDAP recently across some servers of mine. Both
are Debian stable.

Server one is a shell server, and users can log in to it using SSH. It
has been configured to use an LDAP backend (on another server, 'server
three') and everything appears to be working great (after much tearing
of hair and gnashing of teeth on my part) - users can log in, change
their passwords, etc.

Server two provides various services to support server one, such as
NFS home directories, but only admin users should have shell accounts
on it. I have configured it the same as server one, and it works, but
my problem is access control - I want to be able to limit SSH access
to a subset of users, specifically everyone in 'wheel'.

There are various options in /etc/pam_ldap.conf that look like they do
exactly what I want - pam_filter, pam_check_host_attr and pam_groupdn
- but none of these appears to do anything. I'm thinking that perhaps
it may be something to do with my /etc/pam.d config.

Has anyone done a similar sort of setup? I might also try the openldap
mailing lists, and I'll post here if I get any solutions.

Cheers,
Patrick

========================
/etc/pam.d/common-account
========================
account sufficient      pam_ldap.so
account required        pam_unix.so

========================
/etc/pam.d/common-auth
========================
auth    sufficient  pam_ldap.so
auth    required    pam_unix.so nullok_secure use_first_pass

========================
/etc/pam.d/common-password
========================
password        sufficient      pam_ldap.so
password        required        pam_unix.so nullok obscure min=4 max=8

========================
/etc/pam.d/common-session
========================
session required        pam_unix.so
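One thing worth checking when a group restriction in a stack like the one posted above appears to be ignored is how Linux-PAM combines the control flags: a module marked "sufficient" that denies access does not by itself deny the stack, it just falls through to the next module, and only a "required"/"requisite" failure (or an empty stack) produces a denial. The script below is an added example, not part of the post and not pam_ldap's or Linux-PAM's own code; it models the required/requisite/sufficient/optional semantics from the pam.conf(5) manual and evaluates the posted common-account stack against a constructed variant in which both modules are "required". The module outcomes (pam_ldap.so denying, pam_unix.so succeeding) are constructed inputs, not observed results.

```python
"""Model Linux-PAM control-flag semantics for one management group.

Added example with constructed inputs; it does not load real PAM modules,
it only applies the documented rules for required / requisite /
sufficient / optional to a parsed pam.d-style stack.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PamEntry:
    pam_type: str      # auth / account / password / session
    control: str       # required / requisite / sufficient / optional
    module: str        # e.g. pam_ldap.so
    args: Tuple[str, ...]


def parse_stack(text: str, pam_type: str) -> List[PamEntry]:
    """Return the entries of one management group from pam.d-style text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        if parts[0] != pam_type:
            continue
        entries.append(PamEntry(parts[0], parts[1], parts[2], tuple(parts[3:])))
    return entries


def evaluate(entries: List[PamEntry], outcomes: Dict[str, bool]) -> bool:
    """True if the stack grants access, given each module's success/failure.

    Rules applied (pam.conf(5)):
      required   - failure is recorded, the stack continues, final result fails
      requisite  - failure returns immediately
      sufficient - success returns immediately unless a required module
                   already failed; failure is ignored
      optional   - ignored unless it is the only kind of module in the stack
    """
    if not entries:
        return False                              # empty stack: denied
    required_failed = False
    last_result = False
    for e in entries:
        ok = outcomes.get(e.module, False)        # unknown module: failure
        last_result = ok
        if e.control == "required":
            required_failed = required_failed or not ok
        elif e.control == "requisite":
            if not ok:
                return False
        elif e.control == "sufficient":
            if ok and not required_failed:
                return True
        elif e.control == "optional":
            continue
        else:
            raise ValueError(f"unsupported control flag: {e.control}")
    if all(e.control == "optional" for e in entries):
        return last_result                        # optional-only stack
    return not required_failed


# The common-account stack exactly as posted.
POSTED_COMMON_ACCOUNT = """\
account sufficient      pam_ldap.so
account required        pam_unix.so
"""

# Constructed variant: both modules must succeed before access is granted.
STRICT_COMMON_ACCOUNT = """\
account required        pam_ldap.so
account required        pam_unix.so
"""


def access_granted(config: str, pam_ldap_ok: bool, pam_unix_ok: bool) -> bool:
    """Evaluate the 'account' group of config with the given module results."""
    outcomes = {"pam_ldap.so": pam_ldap_ok, "pam_unix.so": pam_unix_ok}
    return evaluate(parse_stack(config, "account"), outcomes)


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_COMMON_ACCOUNT),
                      ("strict", STRICT_COMMON_ACCOUNT)):
        for ldap_ok in (True, False):
            verdict = "granted" if access_granted(cfg, ldap_ok, True) else "denied"
            print(f"{name:6s} pam_ldap={'ok' if ldap_ok else 'deny':4s} "
                  f"pam_unix=ok -> {verdict}")
```

Running it prints that the posted stack grants access even when pam_ldap.so denies and pam_unix.so succeeds, while the strict variant denies in that case. Whether the group/filter restriction is in fact reported by pam_ldap from the account group (rather than during authentication) is something to confirm against the module's documentation and the auth log on the host in question; the model above only shows what the control flags do with whatever result the module returns.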


