pam_authz_search and wildcard domain names #8

Closed
dhartford opened this issue Jun 26, 2015 · 2 comments
@dhartford commented Jun 26, 2015

I'm having some problems replicating prior pam_check_host_attr=yes approaches where wildcards were used when going from CentOS 6 to CentOS 7.

The quick challenge is the following does not work:

pam_authz_search (&(objectClass=posixAccount)(uid=$username)(host=*.$dn))

But ldapsearch -x "(&(objectClass=posixAccount)(uid=myname)(host=*.group.company.com))" does work, where a host attribute value of '*.group.company.com' should allow access to all hosts with that domain name.

Explicitly putting pam_authz_search (&(objectClass=posixAccount)(uid=$username)(host=*.group.company.com)) ALSO works (when on an appropriate box), something about $dn.

Confirmed 'hostname -d' on the command line returns group.company.com, but unsure why the configuration above doesn't work.

Serverfault post: http://serverfault.com/questions/701867/centos7-pam-authz-search-for-group-company-com

nss-pam-ldapd-0.8.13-8.el7.x86_64 version with CentOS 7.

@dhartford (Author) commented Jun 26, 2015

It appears maybe $dn is for LDAP distinguished name, not domain name. Is there an acceptable variable for domain name?

@arthurdejong (Owner) commented Jun 26, 2015

$dn is indeed the LDAP distinguished name of the user. There is currently nothing like $domain in nslcd.conf although it shouldn't be too difficult to implement.
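
Given the reply above that nslcd.conf has nothing like $domain, one workaround is to write the host's domain into the filter when the host is provisioned, which yields the explicit form the issue reports as working. The script below is an added example, not part of the original thread or of nss-pam-ldapd; the function names and the domain validation rule are assumptions of this example.

```shell
#!/bin/sh
# Added example: write the host's DNS domain into the pam_authz_search
# filter at provisioning time. Function names are hypothetical.

# is_dns_domain DOMAIN: accept only letters, digits, hyphens and dots, so
# LDAP filter metacharacters such as ( ) * \ never reach the filter.
is_dns_domain() {
    case "$1" in
        ''|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# render_authz_search DOMAIN: print the nslcd.conf option line.
render_authz_search() {
    is_dns_domain "$1" || { echo "refusing domain: '$1'" >&2; return 1; }
    # Single quotes keep $username literal; nslcd expands it at login.
    printf 'pam_authz_search (&(objectClass=posixAccount)(uid=$username)(host=*.%s))\n' "$1"
}

# update_conf FILE DOMAIN: replace any pam_authz_search line in FILE.
update_conf() {
    [ -f "$1" ] || return 1
    line=$(render_authz_search "$2") || return 1
    # mktemp creates the file mode 0600, which suits a config that may
    # hold a bind password; mv then swaps it in on the same filesystem.
    tmp=$(mktemp "$1.XXXXXX") || return 1
    { grep -v '^[[:space:]]*pam_authz_search[[:space:]]' "$1" || :
      printf '%s\n' "$line"; } > "$tmp" && mv "$tmp" "$1"
}

# Demo with the constructed domain from the thread; on a real host the
# argument would be "$(hostname -d)".
render_authz_search "group.company.com"
```

Restart nslcd after the file changes so the new filter is read.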
