Apache Auth/pam_check_host_attr?
user name
2007-01-04 00:03:30
Hi All,

I've been using FDS for quite a while now, and I'd just like to say I love it, great job!  I'm posting this question because I've been banging my head for a while about it.

I'm using FDS as the central Auth server in a pretty much all RH/FC environment, and currently use pam_check_host_attr to control which users are allowed to login to which servers.  All was working great until I upgraded our internal WWW server from RHEL3 to FC6.  The WWW server is/was using the mod_authz_ldap apache module to control what groups were allowed to login to certain sections of the website; after the upgrade to FC6, group restrictions stopped working.  Basically, apache+mod_authz_ldap started denying users that didn't have the WWW server in the hosts attribute.

My goal is to allow/dis-allow SSH/telnet etc etc using pam_check_host_attr, but still allow them to login to the http areas of the server using ldap groups.

Here's my authz_ldap conf

<Directory /var/TEMP/>
      AuthType                  Basic
      AuthName                  "Temporary Folder to Disseminate files"

      AuthzLDAPAuthoritative    On
      AuthzLDAPMethod           ldap
      AuthzLDAPProtocolversion  3
      #AuthzLDAPLogLevel         debug
      AuthzLDAPServer           server.domain.com

      AuthzLDAPUserBase         ou=People,dc=corp,dc=domain,dc=com
      AuthzLDAPUserKey          uid

      AuthzLDAPGroupBase        ou=Groups,dc=corp,dc=domain,dc=com
      AuthzLDAPGroupkey         cn
      AuthzLDAPMemberKey        uniquemember
      AuthzLDAPSetGroupAuth     ldapdn

      Require group qausers dev ops psg threat se

</Directory>

Like I said this used to work the way I wanted with RHEL3 and an older version of mod_authz_ldap, can anyone point the way for me?  Now with FC6 and the authz_ldap that comes with it, I get the error in the httpd_error.log:

[error] [client 10.30.0.200] PAM: user 'test'  - invalid account: Permission denied

Now, it only works when I add the FQDN for the WWW server to the user's hosts attribute.  But then the user can SSH to the server also (which I don't want).

Also asking a second question, can you use hostobject or account with groups in order to restrict logins using pam_check_host_attr?

I thank you in advance for any pointers, suggestions, or kicks to the head that will help me resolve my problem.

-- 
Brian Kosick

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
PAM pass through & ENTRY problem
user name
2007-01-04 10:20:01
Hi,
	I'm currently playing with Fedora DS - and I really like it.

problem: I'm trying to use PAM pass through plugin -> pam_krb5 -> Active Directory/Kerberos

I'm able to get this working fine, with pamIDMapMethod set to RDN, but not set to ENTRY with appropriate pamIDAttr set.

With disabled PAM PT plugin, I'm able to do simple bind to given object.

With enabled PAM PT plugin, set to RDN I'm able to do bind with password stored in Kerberos, and with allowed pamFallback also with password stored in Fedora DS.

And finally with PAM PT plugin enabled and set to ENTRY and attribute specified in pamIDAttr - I'm unable to do bind with Kerberos password, only with simple bind pass. stored in Fedora DS if pamFallback is enabled.

errors log with debuglevel set for plugins debugging:

[04/Jan/2007:11:13:40 +0100] pam_passthru-plugin - => pam_passthru_bindpreop
[04/Jan/2007:11:13:40 +0100] - allow_operation: component identity is NULL
[04/Jan/2007:11:13:40 +0100] pam_passthru-plugin - Could not find BIND dn cn=xxx,ou=users,dc=xxx,dc=com (error 32 - No such object)
[04/Jan/2007:11:13:40 +0100] pam_passthru-plugin - Bind DN [cn=xxx,ou=users,dc=xxx,dc=com] is invalid or not found
[04/Jan/2007:11:13:40 +0100] pam_passthru-plugin - <= handled (error 32 - No such object)

The message looks strange to me, because bind DN cn=xxx,ou=users,dc=xxx,dc=com exists and I'm able to do bind to it with password stored in Fedora DS.
So please if you see where I'm wrong or have any ideas, suggestion please help, if I won't be able to solve this, it'll unfortunately prevent me from deploying Fedora DS :(.

thanks,

.stepan
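Added example, not code from the thread or from the Fedora DS pam_passthru plugin: a small model of the bind pre-operation that shows what the two pamIDMapMethod values in the post above need from the directory. RDN takes the PAM user from the bind DN's first RDN; ENTRY has to find the entry and read pamIDAttr from it, so when that lookup fails (the error 32 in the log) only a pamFallback check of the directory password can still succeed. The entries, the Kerberos stand-in, pamIDAttr=uid and the function names map_pam_identity/passthru_bind are assumptions.

```python
# Constructed model of the pam_passthru bind preop for the RDN/ENTRY question.
# Not the plugin's own code: directory entries, the Kerberos stand-in and the
# pamIDAttr value (uid) are assumptions. RDN derives the PAM user from the bind
# DN's first RDN; ENTRY reads it from the pamIDAttr attribute of the entry,
# which means the plugin must be able to find the entry first.

# Constructed directory: DN -> attributes (passwords in clear for the model).
DIRECTORY = {
    "cn=xxx,ou=users,dc=xxx,dc=com": {
        "cn": ["xxx"], "uid": ["xxx"], "userPassword": ["ds-secret"]},
}
# Constructed stand-in for the realm pam_krb5 would check against.
KERBEROS = {"xxx": "krb-secret"}


def map_pam_identity(bind_dn, method, id_attr=None, lookup=DIRECTORY.get):
    """Return (pam_user, ldap_error). ENTRY yields error 32 (noSuchObject),
    the code seen in the log, when the bind DN cannot be found."""
    if method == "RDN":
        rdn = bind_dn.split(",", 1)[0]          # "cn=xxx"
        return rdn.split("=", 1)[1], None
    if method == "ENTRY":
        entry = lookup(bind_dn)
        if entry is None:
            return None, 32
        values = entry.get(id_attr, [])
        return (values[0], None) if values else (None, 16)  # 16 = noSuchAttribute
    raise ValueError("unsupported pamIDMapMethod: %s" % method)


def passthru_bind(bind_dn, password, method, id_attr=None,
                  fallback=False, lookup=DIRECTORY.get):
    """Model the bind: PAM (Kerberos) first, then, only with pamFallback on,
    the password stored in the directory. Returns an LDAP result code:
    0 success, 49 invalidCredentials, or the mapping error if PAM was never tried."""
    pam_user, err = map_pam_identity(bind_dn, method, id_attr, lookup)
    if err is None and KERBEROS.get(pam_user) == password:
        return 0
    if fallback:
        entry = DIRECTORY.get(bind_dn)
        if entry is not None and password in entry.get("userPassword", []):
            return 0
        return 49
    return 49 if err is None else err
```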

PAM pass through & ENTRY problem
user name
2007-01-04 16:28:14
Stipl, Stepan wrote:
> Hi,
> 	I'm currently playing with Fedora DS - and I really like it.
>
> problem: I'm trying to use PAM pass through plugin -> pam_krb5 -> Active Directory/Kerberos
>
> I'm able to get this working fine, with pamIDMapMethod set to RDN, but not set to ENTRY with appropriate pamIDAttr set.
>
> With disabled PAM PT plugin, I'm able to do simple bind to given object.
>
> With enabled PAM PT plugin, set to RDN I'm able to do bind with password stored in Kerberos, and with allowed pamFallback also with password stored in Fedora DS.
>
> And finally with PAM PT plugin enabled and set to ENTRY and attribute specified in pamIDAttr - I'm unable to do bind with Kerberos password, only with simple bind pass. stored in Fedora DS if pamFallback is enabled.
>
> errors log with debuglevel set for plugins debugging:
>
> [04/Jan/2007:11:13:40 +0100] pam_passthru-plugin - => pam_passthru_bindpreop
> [04/Jan/2007:11:13:40 +0100] - allow_operation: component identity is NULL
> [04/Jan/2007:11:13:40 +0100] pam_passthru-plugin - Could not find BIND dn cn=xxx,ou=users,dc=xxx,dc=com (error 32 - No such object)
> [04/Jan/2007:11:13:40 +0100] pam_passthru-plugin - Bind DN [cn=xxx,ou=users,dc=xxx,dc=com] is invalid or not found
> [04/Jan/2007:11:13:40 +0100] pam_passthru-plugin - <= handled (error 32 - No such object)
>
> The message looks strange to me, because bind DN cn=xxx,ou=users,dc=xxx,dc=com exists and I'm able to do bind to it with password stored in Fedora DS.
> So please if you see where I'm wrong or have any ideas, suggestion please help, if I won't be able to solve this, it'll unfortunately prevent me from deploying Fedora DS :(.
>
What version of Fedora DS are you using?  1.0.4 should work - earlier versions had problems with the ENTRY method.  Can you post your pam passthru plugin configuration entry, and an example of your user entry, being careful to obscure sensitive information?
> thanks,
>
> .stepan
>
Apache Auth/pam_check_host_attr?
user name
2007-01-04 20:05:58
On Wed, 2007-01-03 at 17:03 -0700, Brian Kosick wrote:
> Hi All,
> 
> I've been using FDS for quite a while now, and I'd just like to say I love it, great job!  I'm posting this question because I've been banging my head for a while about it.
> 
> I'm using FDS as the central Auth server in a pretty much all RH/FC environment, and currently use pam_check_host_attr to control which users are allowed to login to which servers.  All was working great until I upgraded our internal WWW server from RHEL3 to FC6.  The WWW server is/was using the mod_authz_ldap apache module to control what groups were allowed to login to certain sections of the website; after the upgrade to FC6, group restrictions stopped working.  Basically, apache+mod_authz_ldap started denying users that didn't have the WWW server in the hosts attribute.
> 
> My goal is to allow/dis-allow SSH/telnet etc etc using pam_check_host_attr, but still allow them to login to the http areas of the server using ldap groups.
> 
> Here's my authz_ldap conf
> 
> <Directory /var/TEMP/>
>       AuthType                  Basic
>       AuthName                  "Temporary Folder to Disseminate files"
> 
>       AuthzLDAPAuthoritative    On
>       AuthzLDAPMethod           ldap
>       AuthzLDAPProtocolversion  3
>       #AuthzLDAPLogLevel         debug
>       AuthzLDAPServer           server.domain.com
> 
>       AuthzLDAPUserBase         ou=People,dc=corp,dc=domain,dc=com
>       AuthzLDAPUserKey          uid
> 
>       AuthzLDAPGroupBase        ou=Groups,dc=corp,dc=domain,dc=com
>       AuthzLDAPGroupkey         cn
>       AuthzLDAPMemberKey        uniquemember
>       AuthzLDAPSetGroupAuth     ldapdn
> 
>       Require group qausers dev ops psg threat se
> 
> </Directory>
> 
> Like I said this used to work the way I wanted with RHEL3 and an older version of mod_authz_ldap, can anyone point the way for me?  Now with FC6 and the authz_ldap that comes with it, I get the error in the httpd_error.log:
> 
> [error] [client 10.30.0.200] PAM: user 'test'  - invalid account: Permission denied
> 
> Now, it only works when I add the FQDN for the WWW server to the user's hosts attribute.  But then the user can SSH to the server also (which I don't want).
> 
> 
> Also asking a second question, can you use hostobject or account with groups in order to restrict logins using pam_check_host_attr?
> 
> 
> I thank you in advance for any pointers, suggestions, or kicks to the head that will help me resolve my problem.
> 
Dang I smoke some good crack.   I figured it out.   I had accidentally? installed the mod_auth_pam rpm, I rpm -e 'd it, and restarted httpd, and it works like I want it to.

It looks like the mod_auth_pam rpm forces the ldap queries to go through system pam which was enforcing my pam_check_host_attr setting.

However I would still like to know if I can use hostObject and hosts with a Group and whether or not that will satisfy the pam_check_host_attr requirement.

Thanks,

-- 
Brian Kosick
bkosick@mxlogic.com
720-895-5449

Apache Auth/pam_check_host_attr?
user name
2007-01-04 20:20:23
On Thu, 2007-01-04 at 13:05 -0700, Brian Kosick wrote:
> Dang I smoke some good crack.   I figured it out.   I had accidentally? installed the mod_auth_pam rpm, I rpm -e 'd it, and restarted httpd, and it works like I want it to.
> 
> It looks like the mod_auth_pam rpm forces the ldap queries to go through system pam which was enforcing my pam_check_host_attr setting.

mod_auth_pam should follow the directives in /etc/pam.d/http which doesn't necessarily have to include the same things as other services.

-- 
  Les Mikesell
   lesmikesell@gmail.com


Apache Auth/pam_check_host_attr?
user name
2007-01-04 20:38:34
On Thu, 2007-01-04 at 14:20 -0600, Les Mikesell wrote:
> On Thu, 2007-01-04 at 13:05 -0700, Brian Kosick wrote:
> > Dang I smoke some good crack.   I figured it out.   I had accidentally? installed the mod_auth_pam rpm, I rpm -e 'd it, and restarted httpd, and it works like I want it to.
> > 
> > It looks like the mod_auth_pam rpm forces the ldap queries to go through system pam which was enforcing my pam_check_host_attr setting.
> 
> mod_auth_pam should follow the directives in /etc/pam.d/http which doesn't necessarily have to include the same things as other services.
> 

Thanks for the tip, I'll look into it, however, since I don't need/use it for anything at the moment, it's going to go on my back burner....

-- 
Brian Kosick
bkosick@mxlogic.com
720-895-5449

Apache Auth/pam_check_host_attr?
user name
2007-01-04 21:14:40
On Thu, 2007-01-04 at 13:38 -0700, Brian Kosick wrote:

> > > Dang I smoke some good crack.   I figured it out.   I had accidentally? installed the mod_auth_pam rpm, I rpm -e 'd it, and restarted httpd, and it works like I want it to.
> > > 
> > > It looks like the mod_auth_pam rpm forces the ldap queries to go through system pam which was enforcing my pam_check_host_attr setting.
> > 
> > mod_auth_pam should follow the directives in /etc/pam.d/http which doesn't necessarily have to include the same things as other services.
> > 
> 
> Thanks for the tip, I'll look into it, however, since I don't need/use it for anything at the moment, it's going to go on my back burner....

The place it is great is where you want to provide web access to a set of people who already have passwords elsewhere like a windows domain plus some local users, and ldap should work the same way.  You can skip the need for any account info with a line like:
account    required     pam_permit.so
if all you want is a password check.

-- 
  Les Mikesell
   lesmikesell@gmail.com
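Added example, not code from the thread, Linux-PAM or pam_ldap: a small model of the PAM account phase that reproduces the two outcomes discussed in this thread. With mod_auth_pam installed, httpd's account check ran through a stack containing pam_ldap, whose pam_check_host_attr compares the web server's hostname with the user's host attribute and so rejected 'test'; a service-specific stack using the pam_permit.so line Les gives above skips that check. Hostnames, entries, the treatment of '*' as "any host", and the function names pam_ldap_account/run_account_stack are assumptions.

```python
# Constructed model of the PAM 'account' phase behind the thread's failure.
# Not code from Linux-PAM, pam_ldap or the list; hostnames and entries are
# made up. It models pam_ldap with pam_check_host_attr (the entry's `host`
# attribute must name this machine; '*' is assumed to mean any host) and
# pam_permit, and evaluates an account stack with required/sufficient flags.

# Constructed user entries: uid -> values of the LDAP `host` attribute.
DIRECTORY = {
    "test": {"host": ["shell01.corp.example"]},   # may log in to shell01 only
    "ops1": {"host": ["*"]},                       # any host
    "nohost": {},                                  # attribute absent
}

def pam_ldap_account(user, hostname):
    """Model of pam_ldap's account check with pam_check_host_attr enabled."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return "PAM_USER_UNKNOWN"
    hosts = [h.lower() for h in entry.get("host", [])]
    if "*" in hosts or hostname.lower() in hosts:
        return "PAM_SUCCESS"
    return "PAM_PERM_DENIED"   # what httpd logged as 'invalid account'

def pam_permit_account(user, hostname):
    """pam_permit: always succeeds, so no host (or other account) check."""
    return "PAM_SUCCESS"

MODULES = {"pam_ldap.so": pam_ldap_account, "pam_permit.so": pam_permit_account}

def run_account_stack(stack, user, hostname):
    """Evaluate [(control, module), ...] the way Linux-PAM treats 'required'
    (a failure is remembered but later modules still run) and 'sufficient'
    (success ends the stack unless an earlier required module failed)."""
    failure = None
    for control, module in stack:
        rc = MODULES[module](user, hostname)
        if control == "required":
            if rc != "PAM_SUCCESS" and failure is None:
                failure = rc
        elif control == "sufficient" and rc == "PAM_SUCCESS" and failure is None:
            return "PAM_SUCCESS"
    return failure or "PAM_SUCCESS"

# The system-wide stack httpd inherited once mod_auth_pam was installed ...
SYSTEM_AUTH = [("required", "pam_ldap.so")]
# ... and a service-specific /etc/pam.d file for httpd with the line Les suggests.
HTTPD_PAM = [("required", "pam_permit.so")]
```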

