Red Hat Bugzilla – Bug 627057
SSH_Filter usage undocumented, not intuitive
Last modified: 2010-08-26 03:36:37 EDT
Description of problem:
openssh-ldap group filter is undocumented
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Setting SSH_Filter to the group DN, the group CN, and just the naked group name itself does not seem to work.
/usr/libexec/openssh/ssh-ldap-helper -f /etc/openldap/ldap.conf -s %u
produces no results.
Members of the SSH_Filter group should function.
I know this isn't a bug, but it isn't documented at all that I can see and I can't determine the "correct" thing to put there.
Note that the LDAP server is 389 Directory Server, and the NSS info is being served by sssd. The user mapping works fine, and ssh-ldap-helper gets keys if I remove the filter completely. If necessary, I can simply add the following line to pam.d/system-auth to have the desired result; I would just like to do it the way you seem to be intending.
auth requisite pam_succeed_if.so user ingroup (groupname) quiet_success
The filter syntax is plain LDAP filter syntax; this string is pasted as-is at the end of the search string.
Running "ssh-ldap-helper -vvv" I see where I was confused; like you said, it's just being added to the filter.
debug3: LDAP search scope = 2 (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=testuser)(&(cn=testgroup)(objectClass=posixgroup)))
Obviously LDAP doesn't do joins, so there's nothing that can be added to the filter to search for secondary groups; the posixAccount objectclass doesn't even have a "secondarygroups" attribute.
This can be closed; SSH_Filter is used for something different than what I thought. I can just use AllowGroups in sshd_config instead, or the pam_succeed_if addition to system-auth.
If you have an idea how to make the documentation better, send it, please.
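To make the point of the exchange above concrete, here is an added Python sketch (not code from openssh-ldap, ssh-ldap-helper, or this report) that composes the search filter in the shape the -vvv debug line shows, with the SSH_Filter text appended verbatim inside the outer AND, and evaluates it against a few constructed directory entries using a minimal LDAP filter interpreter. The entries, the sshPublicKey values, and the gidNumber filter used in the last call are constructed assumptions; the interpreter supports only equality, presence, &, | and ! and compares case-insensitively, a simplification of the full RFC 4515 matching rules that a real server applies.

```python
# Added example (not code from openssh-ldap or the bug report). It mirrors the
# filter shape seen in the -vvv output on this page:
#   (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%u)<SSH_Filter>)
# and shows why a filter that describes a posixGroup entry matches nothing
# when it is ANDed with conditions that only a posixAccount entry satisfies.

# Constructed sample entries (assumption; not the reporter's directory).
DIRECTORY = [
    {"dn": ["uid=testuser,ou=people,dc=example,dc=com"],
     "objectClass": ["posixAccount", "ldapPublicKey"],
     "uid": ["testuser"], "gidNumber": ["1000"],
     "sshPublicKey": ["ssh-rsa AAAA...constructed"]},
    {"dn": ["cn=testgroup,ou=groups,dc=example,dc=com"],
     "objectClass": ["posixGroup"], "cn": ["testgroup"],
     "gidNumber": ["1000"], "memberUid": ["testuser"]},
]


def build_filter(uid, ssh_filter=""):
    """Compose the filter the way the debug output shows it: %u is already
    substituted, and the SSH_Filter text is pasted, unparsed, inside the AND."""
    return ("(&(objectclass=posixAccount)(objectclass=ldapPublicKey)"
            f"(uid={uid}){ssh_filter})")


def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError(f"expected {ch!r} at offset {i}")


def _parse(s, i):
    """Recursive-descent parser for a subset of RFC 4515 filter syntax.
    Returns (node, index just past the node)."""
    _expect(s, i, "(")
    op = s[i + 1]
    if op in "&|":                      # (&(...)(...)) or (|(...)(...))
        i += 2
        kids = []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        _expect(s, i, ")")
        return ("and" if op == "&" else "or", kids), i + 1
    if op == "!":                       # (!(...))
        node, i = _parse(s, i + 2)
        _expect(s, i, ")")
        return ("not", node), i + 1
    end = s.index(")", i)               # (attr=value) or (attr=*)
    attr, _, value = s[i + 1:end].partition("=")
    node = ("present", attr) if value == "*" else ("eq", attr, value)
    return node, end + 1


def parse_filter(s):
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data after filter")
    return node


def _values(entry, attr):
    """LDAP attribute names are case-insensitive: objectclass == objectClass."""
    for k, v in entry.items():
        if k.lower() == attr.lower():
            return v
    return []


def matches(node, entry):
    kind = node[0]
    if kind == "and":
        return all(matches(n, entry) for n in node[1])
    if kind == "or":
        return any(matches(n, entry) for n in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    if kind == "present":
        return bool(_values(entry, node[1]))
    _, attr, value = node               # simplified case-insensitive equality
    return any(v.lower() == value.lower() for v in _values(entry, attr))


def search(uid, ssh_filter=""):
    """DNs the helper would read sshPublicKey from for this uid and filter."""
    node = parse_filter(build_filter(uid, ssh_filter))
    return [e["dn"][0] for e in DIRECTORY if matches(node, e)]


if __name__ == "__main__":
    print(search("testuser"))           # no SSH_Filter: the user's own entry
    # The report's group filter: no single entry is both a posixAccount and a
    # posixGroup, so the combined AND is never satisfied and no keys are read.
    print(search("testuser", "(&(cn=testgroup)(objectClass=posixgroup))"))
    # A condition on an attribute of the user entry itself does restrict results.
    print(search("testuser", "(gidNumber=1000)"))
```

The first call returns the user's DN, the second returns an empty list, and the third returns the user's DN again, which is the behaviour the reporter observed: the group filter does not add a membership check, it just tacks extra conditions onto the search for the user's own entry.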