ssh and ldap
I've got a setup with SunDS5.2 for authentication. Everything seems to be working so far except one thing: ssh.
I use the option "AllowGroups" to limit who can log in to certain servers. However, it isn't working for secondary groups; it only works for primary ones.
For example, I've got the following ldap user and groups:
~# id user1
uid=2000(user1) gid=200(pgroup)
~# groups user1
pgroup ops
If I configure ssh with "AllowGroups pgroup" it works. If however I configure it with "AllowGroups ops" it doesn't.
On the other hand, secondary groups for system users such as "root" do work.
Thanks.
By _serg_a at 2007-11-26 14:32:04
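To see how AllowGroups behaves against whatever group list NSS hands back, here is an added shell helper (not from the original post or from Sun SSH): allowgroups_check reproduces sshd's decision, one match of any primary or supplementary group against any pattern, with the * and ? wildcards sshd permits; live_check is a hypothetical wrapper that reads a real sshd_config and the groups `id -Gn` resolves for an account. Constructed group lists follow the thread's user1 example.

```shell
#!/bin/sh
# allowgroups_check "<AllowGroups patterns>" "<user's groups>"
# Returns 0 when at least one of the user's groups (primary and
# supplementary, as NSS reports them) matches one pattern. The shell
# 'case' glob mirrors the * and ? wildcards AllowGroups accepts.
allowgroups_check() {
    patterns=$1
    groups=$2
    for g in $groups; do
        for p in $patterns; do
            # shellcheck disable=SC2254  # $p is meant to act as a glob
            case $g in
                $p) return 0 ;;
            esac
        done
    done
    return 1
}

# live_check <user> [sshd_config]  (hypothetical helper, assumes a
# readable sshd_config and an account NSS can resolve)
# What `id -Gn` prints is exactly what sshd gets from NSS: if the LDAP
# backend only returns the primary group, "AllowGroups ops" must fail.
live_check() {
    user=$1
    cfg=${2:-/etc/ssh/sshd_config}
    allowed=$(awk 'tolower($1)=="allowgroups"{ $1=""; print }' "$cfg")
    resolved=$(id -Gn "$user") || return 2
    if allowgroups_check "$allowed" "$resolved"; then
        echo "$user: allowed, groups [$resolved] match AllowGroups [$allowed]"
    else
        echo "$user: denied, none of [$resolved] match AllowGroups [$allowed]"
        return 1
    fi
}

# Constructed examples from the thread: user1 with primary pgroup and
# secondary ops, as `groups user1` shows, versus the broken NSS case
# where only the primary group comes back.
allowgroups_check "ops" "pgroup ops" && echo "healthy NSS: ops allowed"
allowgroups_check "ops" "pgroup" || echo "primary-only NSS: ops denied"
```

Running live_check against an LDAP account and a local account side by side shows whether the deny is coming from the configuration or from the group list the NSS backend returns.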

# 1
In case anyone is having the same problem, I reply to myself as I found a solution. The problem seemed to be in the Solaris NSS_LDAP library. I noticed that when doing "getent passwd" it only returned the local users, although "getent passwd ldap-user" did return the right info from the LDAP server.
I've replaced nss_ldap by the padl library and it is working as expected now. Thanks.
Sergio.
# 4
I'm using the ssh version that comes with Solaris 10 (Sun_SSH_1.1, SSH protocols 1.5/2.0). I did try the blastwave version and with either of them I was getting the same error:
User theuser from X.X.X.X not allowed because none of user's groups are listed in AllowGroups
After the nss_ldap library change, both versions, original and blastwave, do work. Another thing is that if I now do "getent passwd" I'm getting the full list of users, made of local and ldap accounts.
Sergio.