# [SOLVED] pam_groupdn not working

## ganiman

I have openldap authentication running on 30+ servers.  I am now trying to restrict who can log into which server based on groups in openldap.  I put a pam_groupdn entry in my ldap.conf.  If a user is in the group, they can log in fine.  If a user is not in the group, they get:

```
You must be a memberUid of cn=myserver,ou=hosts,dc=domain,dc=com to login.
Last login: Sun Feb 15 11:12:16 2009 from xxx.xxx.xxx.xxx
ganiman@myserver ~ $
```

It gives the user a message saying they must be a member of the group to log in, but then it still allows the user to log in.  This is not the behavior I would expect to see, especially when it gives the message that you must be a member of the group to log in.  I'm thinking the problem lies somewhere in something in /etc/pam.d, but I cannot figure what it is.

In ldap.conf I have:

```
pam_groupdn cn=myserver,ou=hosts,dc=domain,dc=com
```

pam.d/system-auth looks like:

```
auth       required     pam_env.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
account    sufficient   pam_ldap.so
account    required     pam_unix.so
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
password   sufficient   pam_ldap.so use_authtok use_first_pass
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_ldap.so
session    required     pam_mkhomedir.so skel=/etc/skel/
```

----------

## pianosaurus

 *ganiman wrote:*   

> ```
> auth       required     pam_env.so
> ...
> ```

If I understand PAM correctly (and I believe I do), this is how the above would work:

1: pam_env.so succeeds. It always does.

2: Try pam_unix.so. Since it is 'sufficient', success in this stage means login is successful, regardless of later modules.

3: Try pam_ldap.so, since pam_unix.so failed. Both are sufficient, so pam_ldap.so can 'correct' pam_unix's failure. If it succeeds, the login succeeds (like step 2).

4: pam_deny.so fails. It always does.

Note that all modules are run regardless of their output (so users cannot tell which module failed). It is only what module outputs are used that changes. This explains the message you get.

pam_ldap.so prints a message because it failed, but since pam_unix.so already succeeded, its output isn't used.

So the question becomes: How do you want this to work, exactly? Do you want local login to be possible at all?

----------

## ganiman

 *Cuber wrote:*   

> So the question becomes: How do you want this to work, exactly? Do you want local login to be possible at all?

 

I want local login to work, just in case communication is lost with the ldap server for some reason.  The servers I maintain are spread all over the country, and physical access to machines is not a luxury I have, so I need to make sure there is some kind of backup way to log in.

----------

## pianosaurus

Hm. So you need to know HOW pam_ldap.so failed, then. Don't allow login if LDAP authentication failed, but allow local login if connection is lost? I don't know if that is possible in PAM. And if it is, it would also allow local login to anyone who can pull out the network cable.

----------

## ganiman

Well, I would always allow local login, even if the ldap server is reachable, so I'm not too worried about someone attempting a local login if they unplug the box.  At that point, whoever had physical access could pop in a live CD and get access to the box anyway... that type of security is another issue altogether and isn't solvable by software.

So, how can I adjust the pam module settings to allow for both local login (pam_unix) and ldap login (pam_ldap)?  If I try to log in with an ldap account, pam_unix should fail, and pam_ldap should check group membership and then fail or not fail depending on the results of that search.  This should be possible, and not hard, I'm just not as good with pam modules as I wish I were.

----------

## ganiman

Still not having any luck with this.  I have tried various pam configurations with no success.  The best I can do is either lock everyone out of a host, or display the message stating you must belong to a group which still allows you to log in.

----------

## pianosaurus

I've been reading a bit about the LDAP module. Could you try this:

```
auth       required     pam_env.so
auth       required     pam_ldap.so try_first_pass ignore_authinfo_unavail
auth       sufficient   pam_unix.so use_first_pass likeauth nullok
auth       required     pam_deny.so
```

This is how it works (but test it out thoroughly):

If the LDAP connection is successful, the user's password is tested against both LDAP and local. Both must succeed for login to be successful.

If the LDAP connection is not successful, it is ignored, and only local login is required.

----------

## ganiman

Thanks for the suggestion, but it did not work :(

No one can log in with this set up.  I don't get any error message from pam_ldap.so when the user is not in the group, and if you are in the group you still cannot log in.  Logs only show: "error: PAM: Authentication failure for username"

----------

## pianosaurus

Hmm. That doesn't make any sense. Did anything else change from your first post? Also, I swapped the order of ldap and unix in my last post, and note the difference between try_first_pass and use_first_pass.

Maybe you could try with only ldap set to sufficient (no unix), just to see that ldap authentication still works.

----------

## ganiman

If I remove pam_unix.so and set pam_ldap.so to sufficient, I get the same behavior.  The ldap accounts work, but they still work even if they are not part of the group.  I still get the message "You must be a uniquemember of cn=myhost,ou=hosts,dc=mydomain,dc=com to login" even though it allows the user account to log in.

I would like to see the system-auth of someone who has this working, even from another distro would be helpful.

----------

## ganiman

I made a little more progress.  It seems that it is pam's account section that needs to be fixed, not the auth section.

The following is what I had, which gave the error message but still allowed non-group members to log in:

```
account    sufficient   pam_ldap.so
account    sufficient   pam_unix.so
```

The following is what I've changed it to, removing the pam_unix line, which allows group members and denies non-group members:

```
account    required   pam_ldap.so
```

Now, in the second example, I can no longer log in with local accounts either.  It seems I've made it work a little too well, and now I need to find the middle ground.

----------

## pianosaurus

Aha. The account section specifies which accounts are allowed on the system, but does no authentication. Try this in the account section:

```
account       required     pam_ldap.so ignore_authinfo_unavail
account       required     pam_unix.so
```

If all accounts exist locally with the correct password, you don't even need pam_ldap in the auth section. LDAP will only be used to check login permission, and only local password checking will be performed.

Edit: Changed one sufficient to required.

----------

## ganiman

```
account       required     pam_ldap.so ignore_authinfo_unavail
account       required     pam_unix.so
```

Those settings allow me to log in with an ldap account in the proper group just fine.  However, when I try a local account I get:

 *Quote:*   

> User not known to the underlying authentication module.

----------

## pianosaurus

It seems I'm still learning new things about your requirements. I thought the whole idea was to refuse local login when LDAP was available.

Do the LDAP and local users overlap at all? Are all LDAP users also local? You could tell LDAP to ignore users that don't exist, but I don't know if that is what you want:

```
account       required     pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
```

----------

## ganiman

Looks like that worked, thanks!  I am now able to log in with a local account or an ldap account which is a member of a specific group.  This is exactly the behavior I was looking for.

Here is my system-auth:

```
auth       required     pam_env.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
account    required     pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account    required     pam_unix.so
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
password   sufficient   pam_ldap.so use_authtok use_first_pass
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_ldap.so
session    required     pam_mkhomedir.so skel=/etc/skel/
```

----------
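The thread above turns on two things: how Linux-PAM combines `required` and `sufficient` results within one stack, and the fact that pam_groupdn is enforced in pam_ldap's account phase while pam_unix's account phase happily accepts any user it can resolve through NSS (which, with nss_ldap, includes LDAP users). The following simulator is an added example written for this page, not code from the thread or from the PAM or pam_ldap projects. It implements the real Linux-PAM control-flag rules (a `sufficient` success short-circuits the stack unless an earlier `required` module already failed; `required` failures are remembered but the stack keeps running; a stack in which nothing voted fails closed) and runs the auth stacks and the three account stacks posted in the thread against constructed users. The `pam_unix` and `pam_ldap` functions are simplified models of those modules' behaviour as described in the posts, and the user records and `ldap_up` flag are constructed test data, not real accounts.

```python
"""Simulate Linux-PAM stack evaluation for the auth/account stacks in this thread.
Added example. The pam_unix and pam_ldap functions are simplified models of the
real modules (assumptions, not their source): pam_unix knows any user NSS can
resolve but only has password hashes for local users; pam_ldap knows only LDAP
users and enforces pam_groupdn in its account phase."""

SUCCESS, AUTH_ERR, PERM_DENIED, USER_UNKNOWN, AUTHINFO_UNAVAIL, IGNORE = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_PERM_DENIED", "PAM_USER_UNKNOWN",
    "PAM_AUTHINFO_UNAVAIL", "PAM_IGNORE")
GROUPDN = "cn=myserver,ou=hosts,dc=domain,dc=com"  # pam_groupdn from the thread


def pam_unix(phase, user, env, opts):
    # Resolvable via NSS: local passwd entries always, LDAP users only while
    # nss_ldap can reach the server. Only local users have a shadow hash.
    if not (user["local"] or (user["ldap"] and env["ldap_up"])):
        return USER_UNKNOWN, None
    if phase == "auth":
        ok = user["local"] and user["password_ok"]
        return (SUCCESS if ok else AUTH_ERR), None
    return SUCCESS, None  # account phase: nothing expired in this model


def pam_ldap(phase, user, env, opts):
    if not env["ldap_up"]:
        return (IGNORE if "ignore_authinfo_unavail" in opts else AUTHINFO_UNAVAIL), None
    if not user["ldap"]:
        return (IGNORE if "ignore_unknown_user" in opts else USER_UNKNOWN), None
    if phase == "auth":
        return (SUCCESS if user["password_ok"] else AUTH_ERR), None
    if user["in_group"]:
        return SUCCESS, None
    # pam_ldap prints this whether or not the stack ends up honouring the failure
    return PERM_DENIED, "You must be a memberUid of %s to login." % GROUPDN


MODULES = {"pam_env": lambda *a: (SUCCESS, None),
           "pam_deny": lambda *a: (PERM_DENIED, None),
           "pam_unix": pam_unix, "pam_ldap": pam_ldap}


def run_stack(stack, phase, user, env):
    """Linux-PAM rules for required/requisite/sufficient/optional.
    Returns (final_status, messages_printed)."""
    impression, status, messages = None, None, []
    for control, module, opts in stack:
        rc, msg = MODULES[module](phase, user, env, opts.split())
        if msg:
            messages.append(msg)
        if rc == IGNORE:
            continue                        # module asked to be skipped entirely
        if rc == SUCCESS:
            if impression is None:          # first real verdict sets the impression
                impression, status = "positive", SUCCESS
            if control == "sufficient" and impression == "positive":
                return SUCCESS, messages    # short-circuit: later modules never run
        elif control in ("required", "requisite"):
            if impression != "negative":    # the first failure is what gets reported
                impression, status = "negative", rc
            if control == "requisite":
                return status, messages
        # failures of sufficient/optional modules are ignored
    if impression is None:
        status = PERM_DENIED                # nobody voted: Linux-PAM fails closed
    return status, messages


def login(user, env, auth_stack, account_stack):
    """Mimic an application: pam_authenticate, then pam_acct_mgmt only if it passed."""
    rc, messages = run_stack(auth_stack, "auth", user, env)
    if rc != SUCCESS:
        return False, messages
    rc, more = run_stack(account_stack, "account", user, env)
    return rc == SUCCESS, messages + more


# Stacks as posted in the thread (options copied from the posts).
AUTH_FINAL = [("required", "pam_env", ""),
              ("sufficient", "pam_unix", "try_first_pass likeauth nullok"),
              ("sufficient", "pam_ldap", "use_first_pass"),
              ("required", "pam_deny", "")]
AUTH_BOTH_REQUIRED = [("required", "pam_env", ""),
                      ("required", "pam_ldap", "try_first_pass ignore_authinfo_unavail"),
                      ("sufficient", "pam_unix", "use_first_pass likeauth nullok"),
                      ("required", "pam_deny", "")]
ACCT_ORIGINAL = [("sufficient", "pam_ldap", ""), ("required", "pam_unix", "")]
ACCT_LDAP_ONLY = [("required", "pam_ldap", "")]
ACCT_FINAL = [("required", "pam_ldap", "ignore_authinfo_unavail ignore_unknown_user"),
              ("required", "pam_unix", "")]

# Constructed test data, not real accounts.
LDAP_UP, LDAP_DOWN = {"ldap_up": True}, {"ldap_up": False}
MEMBER = dict(local=False, ldap=True, in_group=True, password_ok=True)
OUTSIDER = dict(local=False, ldap=True, in_group=False, password_ok=True)
LOCAL = dict(local=True, ldap=False, in_group=False, password_ok=True)

if __name__ == "__main__":
    for label, acct in (("original", ACCT_ORIGINAL), ("ldap-only", ACCT_LDAP_ONLY),
                        ("final", ACCT_FINAL)):
        for name, u in (("member", MEMBER), ("outsider", OUTSIDER), ("local", LOCAL)):
            ok, msgs = login(u, LDAP_UP, AUTH_FINAL, acct)
            print(f"{label:9} {name:8} {'allowed' if ok else 'denied':7} {' '.join(msgs)}")
```

Running it reproduces each stage of the thread: with the original account stack the outsider gets the "You must be a memberUid ..." message and is still let in, because the `sufficient` pam_ldap failure is discarded and the `required` pam_unix account check passes for an NSS-resolvable user; with `required pam_ldap.so` alone the local user is refused with PAM_USER_UNKNOWN (the status behind "User not known to the underlying authentication module"); with the "both required" auth stack nobody logs in, since pam_unix has no hash for LDAP users and pam_ldap has no entry for local ones; and the final stack admits members and local users, refuses outsiders, and keeps local login working when LDAP is down. Note the one case the final configuration cannot cover: when the LDAP server is unreachable, LDAP users are refused outright, so the local fallback account is the only way in.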

