PAM service is excluded for LUM group but users in the group are still able to access the service

  • 7002718
  • 20-Feb-2009
  • 27-Apr-2012

Environment

Novell Open Enterprise Server (Linux based)
Linux User Management

Situation

LUM enabled group was modified to exclude a PAM enabled service.
uamPosixPAMServiceExcludeList: attribute contains the service name. 
EXAMPLE:  uamPosixPAMServiceExcludeList:sshd

LUM enabled group is associated with the workstation where the user is logging in.
uamPosixWorkstationList: contains the name of the workstation object
EXAMPLE: uamPosixWorkstationList: cn=UNIX Workstation - linux,ou=workstations,o=novell

Users who are a member of the group are still able to use the excluded service.
EXAMPLE:  user can ssh into "linux" workstation.

LUM on the workstation is not configured to use a proxy user.
Check by using namconfig get
proxy-user-fdn=
proxy-user-pwd=

LDAP server is not configured to use a proxy user.
Check in iManager | Roles and Tasks | LDAP | LDAP Options | View LDAP Group | Choose the LDAP group associated with the LDAP Server LUM is pointing to per preferred-server in /etc/nam.conf on the workstation | Proxy user.

LUM enabled group is missing ACL for [PUBLIC] for uamPosixPAMServiceExcludeList.
Check using ldapsearch authenticated as admin account.
ldapsearch -D <adminFDN> -w <password> -x -b <group context> cn=<groupname>
EXAMPLE:  ldapsearch -D cn=admin,o=novell -w novell -x -b ou=groups,o=novell cn=lumgroup
Look for:
ACL: 2#entry#[Public]#uamPosixPAMServiceExcludeList
NOTE:  The ldapsearch command above requires the ability to authenticate with a simple bind without TLS. "Require TLS for Simple Binds with Password" can be unchecked on the LDAP group accessed in iManager as above, or by using ldapconfig.
EXAMPLE:  ldapconfig set "Require TLS for Simple Binds with Password=no"
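The following shell script is an added example, not part of this TID, that automates the three checks above against captured command output. It embeds constructed samples of `namconfig get` output and of the LDIF that the ldapsearch returns for a LUM-enabled group, so it runs offline; the object names and the proxy user name are made up for the sample. It reports where LUM's read rights to uamPosixPAMServiceExcludeList would come from (proxy user, the [Public] ACL, or neither), lists the excluded services, and emits an ldapmodify LDIF that adds the same ACL the Resolution adds through iManager (the ldapmodify route is this example's assumption; the ACL value is the one shown above).

```shell
#!/bin/sh
# Added example, not from the TID. Checks why a LUM group's PAM service
# exclude list may be unreadable, using constructed sample output below.

# Constructed sample of `namconfig get` on the workstation: no proxy user set.
NAMCONFIG_SAMPLE='preferred-server=192.0.2.10
base-name=o=novell
proxy-user-fdn=
proxy-user-pwd='

# Constructed sample LDIF for a LUM-enabled group that was not created with
# the LUM plugin: the exclude list exists but the [Public] read ACL on it does not.
GROUP_LDIF_BROKEN='dn: cn=lumgroup,ou=groups,o=novell
cn: lumgroup
objectClass: posixGroup
uamPosixPAMServiceExcludeList: sshd
uamPosixWorkstationList: cn=UNIX Workstation - linux,ou=workstations,o=novell
ACL: 2#entry#[Public]#uamPosixWorkstationList
'

# Same group after the missing ACL has been added.
GROUP_LDIF_OK="${GROUP_LDIF_BROKEN}ACL: 2#entry#[Public]#uamPosixPAMServiceExcludeList
"

# Returns 0 when the namconfig output names a proxy user, 1 when proxy-user-fdn is empty.
# Without a proxy user LUM binds anonymously and only has the rights of [Public].
lum_uses_proxy_user() {
    printf '%s\n' "$1" | grep -q '^proxy-user-fdn=..*'
}

# Returns 0 when the group LDIF carries the ACL line the TID says to look for.
public_can_read_exclude_list() {
    printf '%s\n' "$1" | grep -qi '^ACL: 2#entry#\[Public\]#uamPosixPAMServiceExcludeList'
}

# Prints each value of uamPosixPAMServiceExcludeList, one service per line.
excluded_services() {
    printf '%s\n' "$1" | sed -n 's/^uamPosixPAMServiceExcludeList: *//p'
}

# Prints where LUM's read rights to the exclude list come from:
#   proxy-user  - nam.conf names a proxy user (its own rights apply)
#   public-acl  - anonymous bind, but [Public] may read the attribute
#   none        - anonymous bind and no [Public] ACL: exclusion is not enforced
lum_rights_source() {
    if lum_uses_proxy_user "$1"; then
        echo proxy-user
    elif public_can_read_exclude_list "$2"; then
        echo public-acl
    else
        echo none
    fi
}

# Emits ldapmodify input that grants [Public] read (privilege 2) on the
# attribute, the same ACL the Resolution adds via iManager. Assumed alternative.
acl_fix_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: ACL\nACL: 2#entry#[Public]#uamPosixPAMServiceExcludeList\n' "$1"
}

# Stand-alone run over the constructed samples.
for svc in $(excluded_services "$GROUP_LDIF_BROKEN"); do
    echo "group excludes service: $svc"
done
echo "broken group rights source: $(lum_rights_source "$NAMCONFIG_SAMPLE" "$GROUP_LDIF_BROKEN")"
echo "fixed group rights source:  $(lum_rights_source "$NAMCONFIG_SAMPLE" "$GROUP_LDIF_OK")"
acl_fix_ldif 'cn=lumgroup,ou=groups,o=novell'
```

To use it against a live tree, replace the two sample variables with the output of `namconfig get` and of the ldapsearch shown above. If the result is `none`, users in the group will still reach the excluded service; apply the ACL from the Resolution and, if the TLS requirement for simple binds was unchecked for the check, re-enable it afterwards.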

Resolution

Without a Proxy user in /etc/nam.conf or a Proxy user on the LDAP group, LUM will only have the rights available to [PUBLIC].  By default [PUBLIC] doesn't have rights to read the uamPosixPAMServiceExcludeList attribute.

The LUM plugin adds this ACL when a group is LUM enabled.  If the group was LUM enabled in some other way than through the LUM plugin, the ACL can be missing.

To manually add the ACL in iManager:
Roles and Tasks | Rights | Modify Trustees | Choose the LUM enable group | For [PUBLIC] choose Assigned Rights | Add Property | Mark - Show all properties in schema | Choose uamPosixPAMServiceExcludeList | Mark - Read | Done