I've set up linux client authentication via ldap, it works.
I want to control users' access to several services by adding or removing different OUs for accounts. E.g., if a user is allowed to log in to linux machines, its ou must contain "linux". If this user is allowed to access, say, redmine, its ou must contain "redmine" also.
The problem is, the pam_filter parameter in /etc/ldap.conf is ignored. When I set it to
pam_filter ou=linux
the search string that comes to ldap server does not contain this filter:
openldap slapd[5374]: conn=1857 op=1 SRCH base="ou=people,dc=rwth-cbmb,dc=de" scope=2 deref=0 filter="(objectClass=posixAccount)"
As I've said, I've been using it with redmine (ticket tracking system), where I set an ldap filter too and it works. I get the following search requests on the server:
openldap slapd[5374]: conn=1863 op=1 SRCH base="ou=people,dc=rwth-cbmb,dc=de" scope=2 deref=0 filter="(&(objectClass=*)(uid=alex)(ou=redmine))"
I have the following package versions:
ldap-auth-client 0.5.3
ldap-auth-config 0.5.3
ldap-utils 2.4.28-1.1ubuntu4.2
libldap-2.4-2 2.4.28-1.1ubuntu4.2
libnss-ldap 264-2.2ubuntu2
libpam-ldap 184-8.5ubuntu2
Client is ubuntu 12.04, server is ubuntu server 10.04.
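The two search filters quoted in the question (the bare (objectClass=posixAccount) that slapd actually received, and the ou-restricted one redmine sends) can be checked offline against a few constructed entries with this minimal RFC 4515 filter evaluator. This is an added example, not code from the question or the answer; the entries, uids and the dc=example,dc=com suffix are constructed sample data.

```python
import re

# Constructed sample entries (not real directory data); 'ou' is multi-valued.
SAMPLE_ENTRIES = {
    "uid=alex,ou=people,dc=example,dc=com":
        {"objectClass": ["posixAccount"], "uid": ["alex"], "ou": ["linux", "redmine"]},
    "uid=bob,ou=people,dc=example,dc=com":
        {"objectClass": ["posixAccount"], "uid": ["bob"], "ou": ["redmine"]},
    "uid=svc,ou=people,dc=example,dc=com":
        {"objectClass": ["person"], "uid": ["svc"], "ou": ["linux"]},
}

def parse_filter(text):
    """Parse an RFC 4515 filter into ('&'|'|'|'!', [subs]) or ('=', attr, value)."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body[:1] in ("&", "|", "!"):
        subs, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):     # split balanced sub-filters
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                subs.append(parse_filter(body[start:i + 1]))
                start = i + 1
        if depth or not subs or body[start:].strip():
            raise ValueError("malformed filter: %r" % text)
        return (body[0], subs)
    m = re.fullmatch(r"([A-Za-z][\w.;-]*)=([^()]*)", body)   # equality / presence only
    if not m:
        raise ValueError("unsupported filter item: %r" % body)
    return ("=", m.group(1), m.group(2))

def matches(node, entry):
    """Evaluate a parsed filter against one entry; names and values compare case-insensitively."""
    if node[0] == "&":
        return all(matches(n, entry) for n in node[1])
    if node[0] == "|":
        return any(matches(n, entry) for n in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    attr, want = node[1].lower(), node[2].lower()
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return bool(values) if want == "*" else want in values   # '*' is a presence test

def allowed_uids(filter_text, entries=SAMPLE_ENTRIES):
    """Sorted uids a search with this filter returns, i.e. the accounts the service accepts."""
    tree = parse_filter(filter_text)
    return sorted(e["uid"][0] for e in entries.values() if matches(tree, e))
```

Running allowed_uids("(objectClass=posixAccount)") returns every posixAccount, which is what the ignored pam_filter produces; "(&(objectClass=posixAccount)(ou=linux))" returns only the accounts tagged for linux login.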
Best Answer
Ok, the solution was to use
in /etc/ldap.conf on the client. According to documentation:
I don't know why pam_filter doesn't work, but nss_* solves the problem.