- Red Hat Enterprise Linux 6
OpenLDAP is not obeying the pam_check_host_attr yes option in /etc/pam_ldap.conf and is allowing users to log into hosts they should not have access to:
    [root@server1 ~]# cat /etc/pam_ldap.conf
    uri ldap://server1.example.com/ ldap://server1.example.com/
    base dc=example,dc=com
    tls_cacertdir /etc/openldap/cacerts
    pam_check_host_attr yes
    binddn cn=binduser,dc=example,dc=com
    ...
When a user logs in without the proper host attribute, they may see an error message saying they do not have access to the machine, but they are still allowed to log in. Without the proper host attribute, they should not be able to log in at all.
Make sure /etc/nsswitch.conf does not contain ldap in the shadow entry. If it does, remove it:
    [root@server1 ~]# cat /etc/nsswitch.conf
    passwd:     files ldap
    group:      files ldap
    shadow:     files
    ...
Having ldap in the shadow: entry of /etc/nsswitch.conf may cause host-based authentication to always succeed:
    [root@server1 ~]# cat /etc/nsswitch.conf
    passwd:     files ldap
    group:      files ldap
    shadow:     files ldap
    ...
If there is a local account with the same username as the LDAP account, pam_unix.so ends up providing a valid "account" via the Name Service Switch (NSS), and that result overrides the host restriction in your LDAP configuration.
1) Check that valid host restrictions are specified in the LDAP accounts:
    [root@server1 ~]# ldapsearch -b uid=user001,ou=People,dc=example,dc=com -LLL -H ldap://server1.example.com/ -D cn=binduser,dc=example,dc=com -W
    Enter LDAP Password:
    dn: uid=user001,ou=People,dc=example,dc=com
    uid: user001
    cn: User 001
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    loginShell: /bin/bash
    uidNumber: 1024
    gidNumber: 1024
    homeDirectory: /home/user001
    gecos: User 001
    host: server2.example.com    <----- user001 should only be able to access server2.example.com
For more information on using the pam_check_host_attr option, see the following article: When using LDAP authentication, how can user access be restricted on the basis of host names?
2) Check whether LDAP users who are incorrectly allowed access to restricted machines also exist as local accounts on the machine:
    [root@server1 ~]# grep user001 /etc/shadow
    user001:$6$PCSQh6Q4B7H2zkZ2$PpiAkwWEomXqWWy3tdBYVC.aCh9e2.gRrPJfqJjXMD1shi.SGi5hCvD6SWFyKM0uBUEqCrP5HAEGYQhc50/4D1:17123:0:99999:7:::
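The three checks above (ldap on the shadow: line, the host: attribute on the LDAP entry, and a colliding local account) are easy to get wrong by eye on a busy host, so here they are as shell functions you can run against files and ldapsearch output. This is an added example, not code from the Red Hat article or from pam_ldap; the sample nsswitch.conf, shadow and LDIF content at the bottom is constructed for the demonstration, the function names are my own, and the host match is an exact (case-insensitive) comparison of the host: value against the host name you pass in.

```shell
#!/bin/sh
# Added audit helpers, not from the Red Hat article. Each check mirrors one
# step of the article and works on text or files passed in, so it can be run
# against the constructed samples below or against a real /etc/nsswitch.conf,
# /etc/shadow and "ldapsearch -LLL" output. Only exact host names are matched;
# adapt host_permitted if your entries use another convention.

# Check 1 (Resolution): is "ldap" a source on the shadow: line of the
# nsswitch.conf named in $1? Exit status 0 means yes (misconfigured), 1 no.
shadow_uses_ldap() {
    awk '
        /^[ \t]*#/ { next }                   # skip comment lines
        /^[ \t]*shadow:/ {
            sub(/#.*/, "")                    # drop a trailing comment
            sub(/^[ \t]*shadow:/, "")         # leave only the source list
            for (i = 1; i <= NF; i++) if ($i == "ldap") found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Check 2 (Diagnostic step 1): does the LDIF on stdin carry a host: value
# equal, ignoring case, to the host name in $1? Exit status 0 = permitted.
host_permitted() {
    awk -v want="$1" '
        /^host:/ {
            sub(/^host:[ \t]*/, "")
            if (tolower($0) == tolower(want)) ok = 1
        }
        END { if (ok) exit 0; exit 1 }
    '
}

# Check 3 (Root cause / Diagnostic step 2): does user $1 have an entry in
# the colon-separated file $2 (passwd or shadow format)? 0 = entry exists.
has_local_entry() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { if (found) exit 0; exit 1 }' "$2"
}

# audit_user USER HOST NSSWITCH SHADOWFILE LDIF: run all three checks, print
# one line per finding and return the number of findings (0 = clean).
audit_user() {
    n=0
    if shadow_uses_ldap "$3"; then
        echo "WARN: ldap is listed on the shadow: line of $3"; n=$((n + 1))
    fi
    if ! printf '%s\n' "$5" | host_permitted "$2"; then
        echo "INFO: $1 has no host: value for $2; pam_check_host_attr should deny login"; n=$((n + 1))
    fi
    if has_local_entry "$1" "$4"; then
        echo "WARN: $1 also has a local entry in $4 (pam_unix can grant the account)"; n=$((n + 1))
    fi
    return $n
}

# Constructed sample inputs (not real data) so the checks run offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:     files ldap
group:      files ldap
shadow:     files ldap   # the misconfiguration the article describes
EOF
cat > "$SAMPLE_DIR/nsswitch_fixed.conf" <<'EOF'
passwd:     files ldap
group:      files ldap
shadow:     files
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:*:17123:0:99999:7:::
user001:*:17123:0:99999:7:::
EOF
SAMPLE_LDIF='dn: uid=user001,ou=People,dc=example,dc=com
uid: user001
objectClass: posixAccount
host: server2.example.com'

# Stand-alone run: user001 logging in on server1 with the broken nsswitch.conf
# (expect three findings).
audit_user user001 server1.example.com "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/shadow" "$SAMPLE_LDIF"
echo "findings: $?"
```

On a real host you would feed the functions the live files and the directory entry, for example `shadow_uses_ldap /etc/nsswitch.conf` and `ldapsearch -LLL -b uid=user001,ou=People,dc=example,dc=com -H ldap://server1.example.com/ -D cn=binduser,dc=example,dc=com -W | host_permitted "$(hostname)"`. A clean result from all three checks on a host where the user still gets in points at something outside the article's scope (PAM stack order, a different pam_ldap configuration file), rather than the shadow: entry.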
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.