[opensuse] Re: openSUSE windows Active Directory and OU=
Roger Oberholtzer wrote:
On Tue, 2009-12-01 at 20:18 +0100, Joachim Schrod wrote:
Roger Oberholtzer wrote:
On Fri, 2009-11-20 at 22:28 +0100, Lars Müller wrote:
On Wed, Nov 18, 2009 at 05:09:21PM +0100, Roger Oberholtzer wrote:
We have thousands of users in the Active Directory. I really do not want all of them to have access. In the LDAP entry, there is an OU= field for those I want to be able to log in. Is it possible to limit login to those in some specified OU= ?
See the ldap setting examples from the samba-doc package in /usr/share/doc/packages/samba/examples/smb.conf.SUSE
Plus the explanations in the smb.conf man page.
I have now looked here. I am none the wiser.
I didn't notice the original thread. If you want to limit LDAP authentication to an OU, you need to change ldap.conf and adapt nss_base_* there. (That's the conf file used by pam_ldap.)
If all persons are below the OU, that's easy, you need to specify the respective new base DN. If not, you need to specify that as a filter, then it gets a bit more complex, but the commented config clauses in this file should give you a hint.
If you want the other uids to be invisible, you also need to change nss-ldap.conf and change "base *" there.
I don't know enough about your setup to be more specific. I also don't know if that can be done via yast.
All the users share OU=RST. I want to limit valid users to those who have this.
OU=RST is usually something in the middle of the whole tree. You need to know the stuff after OU=RST as well. If you know it, do as follows:

-- check that pam_ldap is used: grep for it in /etc/pam.d/*. If it appears there, everything's ok.

-- Edit /etc/ldap.conf: There is base specified, at the start. This is called the base DN. Check further if nss_base_passwd is commented out or not. You need to use that clause, and supply your complete DN there, including OU=RST. (Maybe only prepend OU=RST, maybe there is some ou=people to prepend before OU=RST or insert in between it and the base DN.) Do the same for nss_base_shadow.

If that does not work, or if you don't know the complete full DN of your people LDAP tree, you'll have to use ldapsearch to find out if you can access your account. If you don't know ldapsearch, ask here. Basically an ldapsearch call looks like

    ldapsearch -x -h puma -b ou=people,dc=npc,dc=de -s one \
        uid=schrod

and should give some output. (puma is the name of my LDAP server, schrod my login name.) If not, try it with sAMAccountName=schrod; AFAIR for some versions of AD sAMAccountName is used as the uid attribute name. That should actually be configured in ldap.conf as well, as nss_map_attribute or pam_login_attribute.

If ldap.conf has a clause "ssl start_tls", you'll probably also need to add -ZZ to ldapsearch.

Maybe leave "-s one" off, then it will search the whole tree from the base DN; that should give a result with information on where the account records are stored in the LDAP tree.

Furthermore:

-- If rcnslcd is running (new since 11.1 w/ updates), you might want to configure nss-ldap.conf as well. This is used for name and uid lookup, so if you leave it as is, the other uids will still be visible, even though they can't log in. Or maybe that's what you want, YMMV.

Good luck,
Joachim

PS: Tomorrow I'm the whole day at a client, so I'm not going to answer further emails before Thursday.

-- 
Joachim Schrod  Email: jschrod@acm.org  Roedermark, Germany
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
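The /etc/ldap.conf changes Joachim describes, written out as an added example (this is not a file from the thread or from openSUSE). It assumes a directory suffix of dc=example,dc=com and an AD controller named dc1.example.com; the OU chain is the one Roger reports later in the thread. Verify the real DN with ldapsearch before trusting the scoped maps, and note Ralf's later caveat: a machine joined via the YaST domain-membership module uses winbind, not pam_ldap/nss_ldap, so this configuration only matters if you switch to the generic LDAP modules.

```conf
# /etc/ldap.conf for pam_ldap / nss_ldap -- added example, not from the thread.
# ASSUMPTIONS: suffix dc=example,dc=com, domain controller dc1.example.com.
# The OU chain below is the one Roger gives later in the thread.
host    dc1.example.com
base    dc=example,dc=com

# Scope the passwd and shadow maps to the OU. The "?one" suffix limits the
# search to direct children of that container, so an account elsewhere in the
# forest is neither resolvable by NSS nor accepted by pam_ldap.
nss_base_passwd  OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC,dc=example,dc=com?one
nss_base_shadow  OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC,dc=example,dc=com?one

# AD keys accounts on sAMAccountName rather than uid.
nss_map_attribute    uid sAMAccountName
pam_login_attribute  sAMAccountName

# Never send AD credentials in the clear; -ZZ on ldapsearch matches this.
ssl             start_tls
tls_cacertfile  /etc/ssl/certs/ad-root-ca.pem   # assumed path

# Verification step from the thread, run before relying on the maps above
# (replace roropq with your own account; a subtree search from the base
# prints the DN, which tells you the exact container to use):
#   ldapsearch -x -ZZ -h dc1.example.com -b dc=example,dc=com -s sub \
#       sAMAccountName=roropq dn
```

If the search returns a DN whose OU chain differs from the one configured, fix nss_base_passwd and nss_base_shadow to match it exactly; the scoping is only as good as the base DN you supply.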
On Wednesday, 02 December 2009 01:36:45, Joachim Schrod wrote:
Roger Oberholtzer wrote:
On Tue, 2009-12-01 at 20:18 +0100, Joachim Schrod wrote:
Roger Oberholtzer wrote:
On Fri, 2009-11-20 at 22:28 +0100, Lars Müller wrote:
On Wed, Nov 18, 2009 at 05:09:21PM +0100, Roger Oberholtzer wrote:
We have thousands of users in the Active Directory. I really do not want all of them to have access. In the LDAP entry, there is an OU= field for those I want to be able to log in. Is it possible to limit login to those in some specified OU= ?
See the ldap setting examples from the samba-doc package in /usr/share/doc/packages/samba/examples/smb.conf.SUSE
Plus the explanations in the smb.conf man page.
I have now looked here. I am none the wiser.
I didn't notice the original thread. If you want to limit LDAP authentication to an OU, you need to change ldap.conf and adapt nss_base_* there. (That's the conf file used by pam_ldap.)
If all persons are below the OU, that's easy, you need to specify the respective new base DN. If not, you need to specify that as a filter, then it gets a bit more complex, but the commented config clauses in this file should give you a hint.
If you want the other uids to be invisible, you also need to change nss-ldap.conf and change "base *" there.
I don't know enough about your setup to be more specific. I also don't know if that can be done via yast.
All the users share OU=RST. I want to limit valid users to those who have this.
OU=RST is usually something in the mid of the whole tree. You need to know the stuff after OU=RST as well. If you know it, do as follows: [..] Furthermore:
-- If rcnslcd is running (new since 11.1 w/ updates), you might want to configure nss-ldap.conf as well. This is used for name and uid lookup, so if you leave it as is, the other uids will still be visible, even though they can't log in. Or maybe that's what you want, YMMV.
I think you are mixing up a few things here. As far as I understood Roger, he was using the Windows Domain Membership YaST Module to join an openSUSE Client into a Windows AD Domain. That uses neither pam_ldap nor nss_ldap nor nss-ldapd. It is using winbindd (and its nss/pam modules), which is the preferred way to become a member in an Active Directory environment, as winbind knows much better how to handle some of the quirks and "features" of Active Directory than the generic ldap modules do.

As for the original question, I don't know exactly if/how it is possible to restrict login on certain hosts to certain users/groups with winbind. Probably one of our samba experts does. Lars?

-- 
Ralf
On Wed, 2009-12-02 at 11:52 +0100, Ralf Haferkamp wrote:
I think you are mixing up a few things here. As far as I understood Roger, he was using the Windows Domain Membership YaST Module to join an openSUSE Client into a Windows AD Domain. That uses neither pam_ldap nor nss_ldap nor nss-ldapd. It is using winbindd (and its nss/pam modules), which is the preferred way to become a member in an Active Directory environment, as winbind knows much better how to handle some of the quirks and "features" of Active Directory than the generic ldap modules do.
I am indeed using SAMBA's winbind, as set up via YaST.
As for the original Question, I don't know exactly if/how it is possible to restrict login on certain host to certain users/groups with winbind. Probably one of our samba experts does. Lars?
I see that the LDAP DN record will probably look like this:

    CN=roropq,OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC

where CN= will obviously differ for all, but I think the rest will be the same. As you move to the left in the OU= list, the scope narrows. It is OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC that I want to restrict login to. But how?

-- 
Roger Oberholtzer
OPQ Systems / Ramböll RST
Ramböll Sverige AB
Krukmakargatan 21
P.O. Box 17009
SE-104 62 Stockholm, Sweden
Office: Int +46 10-615 60 20
Mobile: Int +46 70-815 1696
On Wednesday, 02 December 2009 12:19:53, Roger Oberholtzer wrote:
On Wed, 2009-12-02 at 11:52 +0100, Ralf Haferkamp wrote:
I think you are mixing up a few things here. As far as I understood Roger, he was using the Windows Domain Membership YaST Module to join an openSUSE Client into a Windows AD Domain. That uses neither pam_ldap nor nss_ldap nor nss-ldapd. It is using winbindd (and its nss/pam modules), which is the preferred way to become a member in an Active Directory environment, as winbind knows much better how to handle some of the quirks and "features" of Active Directory than the generic ldap modules do.
I am indeed using SAMBA's winbind, as set up via YaST.
As for the original question, I don't know exactly if/how it is possible to restrict login on certain hosts to certain users/groups with winbind. Probably one of our samba experts does. Lars?
I see that the LDAP DN record will probably look like this:
CN=roropq,OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC
where CN= will obviously differ for all, but I think the rest will be the same. As you move to the left in the OU= list, the scope narrows. It is OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC that I want to restrict login to.

I understood. AFAIK this is currently not possible with winbind. I just learned however that you can restrict login based on group membership. Please have a look at the require_membership_of option for pam_winbind in the pam_winbind man page. That way, if you put all the desired users into one group, you could restrict login to be allowed only to members of that group.

-- 
Ralf
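The require_membership_of restriction Ralf points to, written out as an added example (not configuration from the thread or from Samba's own docs). It assumes a domain named EXAMPLE, winbind's default "\" separator, and an AD group called linux-user (the name Ralf suggests later); the two forms are alternatives, not both required.

```conf
# Added example, not from the thread.
# ASSUMPTIONS: NetBIOS domain EXAMPLE, default winbind separator "\",
# and an AD group EXAMPLE\linux-user whose members may log in here.

# Form 1: /etc/security/pam_winbind.conf, read by pam_winbind on every call.
[global]
  require_membership_of = EXAMPLE\linux-user
  # Preferred in practice: the group's SID, which survives a group rename.
  # Look it up once with:  wbinfo -n 'EXAMPLE\linux-user'
  # require_membership_of = S-1-5-21-<domain-part>-<rid>   (placeholder)

# Form 2: the same restriction as a module argument in /etc/pam.d/common-auth
# (openSUSE layout). Only the pam_winbind line changes; local accounts still
# authenticate through pam_unix as before.
auth    sufficient  pam_winbind.so  require_membership_of=EXAMPLE\linux-user
```

Two caveats a practitioner should keep in mind. This gate lives in the auth stage of pam_winbind on this host only; every other domain account still resolves through NSS (getent passwd will list them), it just cannot authenticate here. And it requires someone with rights on the AD to create the group and populate it, which, as the rest of the thread shows, is exactly what Roger cannot get done.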
On Wed, 2009-12-02 at 14:20 +0100, Ralf Haferkamp wrote:
I see that the Ldap DN record will probably look like this:
CN=roropq,OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC
where CN= will obviously differ for all, but I think the rest will be the same. As you move to the left in the OU= list, the scope narrows. It is OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC that I want to restrict login to.
I understood. AFAIK this is currently not possible with winbind. I just learned however that you can restrict login based on group membership. Please have a look at the require_membership_of option for pam_winbind in the pam_winbind man page. That way, if you put all the desired users into one group, you could restrict login to be allowed only to members of that group.

Which begs the question: How, in this context, do I put all users in the same group?

-- 
Roger Oberholtzer
On Wednesday, 02 December 2009 14:51:33, Roger Oberholtzer wrote:
On Wed, 2009-12-02 at 14:20 +0100, Ralf Haferkamp wrote:
I see that the LDAP DN record will probably look like this:
CN=roropq,OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC
where CN= will obviously differ for all, but I think the rest will be the same. As you move to the left in the OU= list, the scope narrows. It is OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC that I want to restrict login to.
I understood. AFAIK this is currently not possible with winbind. I just learned however that you can restrict login based on group membership. Please have a look at the require_membership_of option for pam_winbind in the pam_winbind man page. That way, if you put all the desired users into one group, you could restrict login to be allowed only to members of that group.
Which begs the question:
How, in this context, do I put all users in the same group?

I am not sure if I understand your problem. But I would use the Windows MMC to create a new group (e.g. linux-user) and make all the desired users members of that group. Is there a problem with that?

-- 
Ralf
On Wed, 2009-12-02 at 14:57 +0100, Ralf Haferkamp wrote:
On Wednesday, 02 December 2009 14:51:33, Roger Oberholtzer wrote:
On Wed, 2009-12-02 at 14:20 +0100, Ralf Haferkamp wrote:
I see that the LDAP DN record will probably look like this:
CN=roropq,OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC
where CN= will obviously differ for all, but I think the rest will be the same. As you move to the left in the OU= list, the scope narrows. It is OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC that I want to restrict login to.
I understood. AFAIK this is currently not possible with winbind. I just learned however that you can restrict login based on group membership. Please have a look at the require_membership_of option for pam_winbind in the pam_winbind man page. That way, if you put all the desired users into one group, you could restrict login to be allowed only to members of that group.
Which begs the question:
How, in this context, do I put all users in the same group?
I am not sure if I understand your problem. But I would use the Windows MMC to create a new group (e.g. linux-user) and make all the desired users members of that group. Is there a problem with that?

Yes. The AD is company-wide, with thousands of members. They do not let folk play with it. Linux has to use the AD as it is. I think this is the way it usually is in an organization of any size.

In fact, they use the Novell Client for Windows for login. Perhaps there is something that can be used from that? So far, I have not come across anything. It seems the AD is the only authentication route available.

-- 
Roger Oberholtzer
On Wednesday, 02 December 2009 15:09:27, Roger Oberholtzer wrote:
On Wed, 2009-12-02 at 14:57 +0100, Ralf Haferkamp wrote:
On Wednesday, 02 December 2009 14:51:33, Roger Oberholtzer wrote:
On Wed, 2009-12-02 at 14:20 +0100, Ralf Haferkamp wrote:
I see that the Ldap DN record will probably look like this:
CN=roropq,OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC
where CN= will obviously differ for all, but I think the rest will be the same. As you move to the left in the OU= list, the scope narrows. It is OU=RST,OU=KAJ24,OU=MMA,OU=SYD,OU=SCC that I want to restrict login to.
I understood. AFAIK this is currently not possible with winbind. I just learned however that you can restrict login based on groupmembership. Please have a look at the require_membership_of option for pam_winbind in the pam_winbind man-page. That way, if you put all the desired users into one group you could restrict login to be allowed only to members of that group.
Which begs the question:
How, in this context, do I put all users in the same group?
I am not sure if I understand your problem. But I would use the Windows MMC to create a new group (e.g. linux-user) and make all the desired users members of that group. Is there a problem with that?
Yes. The AD is company-wide, with thousands of members. They do not let folk play with it.

Ok, I was (wrongly) assuming that you had administrative rights on the AD and were allowed to make changes there. Assuming that there is no way to restrict login with winbind to a specific OU (I don't think there is one, until winbind has some support for Group Policies, but that would require some administrative changes on the AD Server as well), I don't know a way to solve your problem. You could probably ask on the samba mailing list:
https://lists.samba.org/mailman/listinfo/samba
(You could of course switch to pam_ldap/nss_ldap, but I would try to avoid that when using AD.)

Linux has to use the AD as it is. I think this is the way it usually is in an organization of any size.
In fact, they use the Novell Client for Windows for login. Perhaps there is something that can be used from that? So far, I have not come across anything. It seems the AD is the only authentication route available.

-- 
Ralf
participants (3)
- Joachim Schrod
- Ralf Haferkamp
- Roger Oberholtzer