I'm attempting to setup authentication via ldap for OpenSSH connections on our FreeBSD servers in AWS. The actual ldap server is external to AWS and is accessed over the Internet.
I've run into a problem with limiting access to the servers. When using pam_ldap and nss_ldap with OpenLDAP client (PADL versions), everything works fine using the appropriate filter. However, it was taking several minutes to login. After doing some reading, I switch over to nslcd and it seemed to speed things up a lot, but I'm unable to get the filters working properly to limit access.
Also, I've noticed that users do not have all of their secondary group memberships present so I'm unable to workaround this with a different pam filter or the AllowGroups feature in the sshd config file.
The ldap server in question is a huge university wide installation so there are thousands of groups.
I've tried a filter similar to the following with no luck.
filter passwd (&(objectClass=posixAccount)(memberOf=CN=customgroup,ou=User
Groups,OU=groups,DC=thedomainoftheuniversity,DC=edu))
Any suggestions on what could be wrong with this filter or ideas on how to get all the group memberships to show up so I can use another approach?
Update:
I learned that the memberOf attribute is not part of the schema and that the LDAP server is eDirectory. I need to find a way to filter from the groups over the users. The groups do implement posixGroup and have member attributes populated.
Best Answer
I've still been unable to get secondary groups to show up on users but limiting is now working. This configuration is limited by two groups and also filtering based on OU attributes on the user record.