Linux – PAM: how to enforce AD group membership during login

Tags: active-directory, ldap, linux

We use Active Directory (2003 and 2008) for all our users (70% Linux, 30% Windows). Normal user authentication works fine. I now have a situation where on a particular server I need to restrict the users that can login to members of a particular group in ADS. So I created the group and added the users in. Then I set in pam_ldap.conf

pam_groupdb cn=<group>,ou=Applications,dc=<domain>,dc=<tld>

and

pam_member_attribute memberOf

However, this does not seem to make any difference. I stopped nscd (just in case), but I can still log in using credentials of a user who is not a member of this group. Does anybody have experience with this?

There are other workarounds, but they are rather ugly and I would prefer not to have to use them (e.g. extract all users via ldapsearch in a cron job and then put them into a list of allowed users, etc…). Oh, yes, I can see the members of this group just fine using ldapsearch. And I can see individual users' group memberships just fine, also using ldapsearch. I have put sshd on that server into debug mode, but the logs don't reveal anything useful. Any pointers would be highly appreciated.

Best Answer

It appears to me that your settings have a typo in them. I believe that pam_groupdb should instead be pam_groupdn.

From the manual:

$ man pam_ldap

...
pam_groupdn Specifies the distinguished name of a group to which a user must belong for logon authorization to succeed.

pam_member_attribute Specifies the attribute to use when testing a user’s membership of a group specified in the pam_groupdn option.
...
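To see why the misspelled option name leaves the server wide open, here is an added offline model of the pam_groupdn account check (example code, not from the post and not pam_ldap's own source). It assumes two things not stated on the page: that pam_ldap ignores unknown keys in pam_ldap.conf instead of rejecting them, and that the check is an LDAP compare of the user's DN against the named attribute of the group entry, so the sample uses `member`, the attribute an Active Directory group object actually carries (`memberOf` is the back-link on the user object); verify both against your own directory with ldapsearch before relying on them.

```python
# Constructed model of pam_ldap's group authorization step (assumptions noted
# in the lead-in). Nothing here talks to a real directory.
KNOWN_OPTIONS = {"host", "uri", "base", "binddn", "bindpw", "ssl", "tls_cacertfile",
                 "pam_login_attribute", "pam_filter", "pam_groupdn",
                 "pam_member_attribute", "pam_min_uid", "pam_max_uid"}

def parse_conf(text):
    """Parse 'key value' lines; return (recognised options, ignored unknown keys)."""
    opts, unknown = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key in KNOWN_OPTIONS:
            opts[key] = parts[1].strip() if len(parts) > 1 else ""
        else:
            unknown.append(key)          # assumed: silently skipped, as the typo was
    return opts, unknown

def norm_dn(dn):
    """Case-fold and trim RDNs so 'CN=Foo, OU=Bar' equals 'cn=foo,ou=bar'."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def ldap_compare(directory, dn, attribute, value):
    """Model of ldap_compare: does entry `dn` hold `value` in `attribute`?"""
    entry = directory.get(norm_dn(dn))
    if entry is None:
        return False
    values = entry.get(attribute.lower(), [])   # missing attribute -> compare fails
    return norm_dn(value) in {norm_dn(v) for v in values}

def authorize(conf_text, directory, user_dn):
    """Return (allowed, reason) the way the modelled account step would decide."""
    opts, unknown = parse_conf(conf_text)
    if "pam_groupdn" not in opts:
        return True, "no group restriction configured; ignored keys: %s" % unknown
    attr = opts.get("pam_member_attribute", "uniquemember")   # pam_ldap's default
    ok = ldap_compare(directory, opts["pam_groupdn"], attr, user_dn)
    return ok, "compare(%s, %s) -> %s" % (opts["pam_groupdn"], attr, ok)

# Constructed directory and DNs (example.com is a placeholder domain).
GROUP = "cn=sshusers,ou=Applications,dc=example,dc=com"
DIRECTORY = {norm_dn(GROUP): {"member": ["CN=Alice,OU=Users,DC=example,DC=com"]}}
ALICE = "cn=alice,ou=users,dc=example,dc=com"
BOB = "cn=bob,ou=users,dc=example,dc=com"
BROKEN = "base dc=example,dc=com\npam_groupdb %s\npam_member_attribute member\n" % GROUP
FIXED = BROKEN.replace("pam_groupdb", "pam_groupdn")

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        for who in (ALICE, BOB):
            print(label, who, authorize(conf, DIRECTORY, who))
```

With the misspelled key, both users are admitted because no group restriction is ever loaded; with `pam_groupdn`, only the listed member passes, and naming an attribute the group entry does not carry denies everyone.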