Environment
Novell Open Enterprise Server (Linux based)
Linux User Management
Situation
LUM enabled group was modified to exclude a PAM enabled service.
uamPosixPAMServiceExcludeList: attribute contains the service name.
EXAMPLE: uamPosixPAMServiceExcludeList:sshd
LUM enabled group is associated with the workstation where the user is logging in.
uamPosixWorkstationList: contains the name of the workstation object
EXAMPLE: uamPosixWorkstationList: cn=UNIX Workstation - linux,ou=workstations,o=novell
Users who are a member of the group are still able to use the excluded service.
EXAMPLE: user can ssh into "linux" workstation.
LUM on the workstation is not configured to use a proxy user.
Check by using namconfig get
proxy-user-fdn=
proxy-user-pwd=
LDAP server is not configured to use a proxy user.
Check in iManager | Roles and Tasks | LDAP | LDAP Options | View LDAP Group | Choose the LDAP group associated with the LDAP Server LUM is pointing to per preferred-server in /etc/nam.conf on the workstation | Proxy user.
LUM enabled group is missing ACL for [PUBLIC] for uamPosixPAMServiceExcludeList.
Check using ldapsearch authenticated as admin account.
ldapsearch -D <adminFDN> -w <password> -x -b <group context> cn=<groupname>
EXAMPLE: ldapsearch -D cn=admin,o=novell -w novell -x -b ou=groups,o=novell cn=lumgroup
Look for:
ACL: 2#entry#[Public]#uamPosixPAMServiceExcludeList
NOTE: The ldapsearch command shown requires that the LDAP server accept a simple bind without TLS. "Require TLS for simple binds with password" can be unchecked on the LDAP group (accessed in iManager as above) or by using ldapconfig.
EXAMPLE: ldapconfig set "Require TLS for Simple Binds with Password=no"
Resolution
Without a proxy user in /etc/nam.conf or a proxy user on the LDAP group, LUM only has the rights granted to [PUBLIC]. By default [PUBLIC] does not have rights to read the uamPosixPAMServiceExcludeList attribute, so the exclusion cannot be enforced.
The LUM plugin adds this ACL when a group is LUM enabled. If the group was LUM enabled in another way than by using the LUM plugin, this ACL can be missing.
To manually add the ACL in iManager:
Roles and Tasks | Rights | Modify Trustees | Choose the LUM-enabled group | For [PUBLIC] choose Assigned Rights | Add Property | Mark - Show all properties in schema | Choose uamPosixPAMServiceExcludeList | Mark - Read | Done
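The following script is an added example, not part of this TID or of Novell's LUM tooling. It automates the two checks above: it parses the LDIF that ldapsearch prints for the group, tells you whether [Public] holds Read on uamPosixPAMServiceExcludeList (directly or through the [All Attributes Rights] pseudo-attribute), and emits the LDIF that ldapmodify would need to add the same ACL value the iManager steps create. The sample LDIF, the DNs and the gidNumber are constructed; the ACL value format "privileges#scope#trustee#attribute" and the Read bit (2) are taken from the ACL line the TID tells you to look for.

```python
"""Check a LUM-enabled group's ACL for [Public] Read on uamPosixPAMServiceExcludeList.

Usage (added example, not Novell's tooling):
    ldapsearch -D <adminFDN> -w <password> -x -b <group context> cn=<groupname> \
        | python3 check_lum_acl.py
With no input on stdin it runs against the constructed sample below.
"""
import base64
import sys

READ = 2  # eDirectory ACL privilege bit for Read (the "2" in 2#entry#[Public]#...)
TARGET_ATTR = "uamPosixPAMServiceExcludeList"

# Constructed sample: a group that is LUM enabled but lacks the [Public] ACL
# on uamPosixPAMServiceExcludeList. DNs, gidNumber and admin ACL are illustrative.
SAMPLE_LDIF_MISSING = """\
dn: cn=lumgroup,ou=groups,o=novell
objectClass: groupOfNames
objectClass: posixGroup
cn: lumgroup
gidNumber: 1001
uamPosixPAMServiceExcludeList: sshd
uamPosixWorkstationList: cn=UNIX Workstation - linux,ou=workstations,o=novell
ACL: 2#entry#[Public]#uamPosixWorkstationList
ACL: 6#entry#cn=admin,o=novell#[All Attributes Rights]
"""

# Same group after the ACL from the Resolution section has been added.
SAMPLE_LDIF_OK = SAMPLE_LDIF_MISSING + "ACL: 2#entry#[Public]#uamPosixPAMServiceExcludeList\n"


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute-name-lowercased: [values]}.

    Handles folded lines (continuation lines start with one space) and
    base64 values ("attr:: ...") as ldapsearch emits them.
    """
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        elif line and not line.startswith("#"):
            logical.append(line)
    attrs = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def parse_acl(value):
    """Split an eDirectory ACL value 'privileges#scope#trustee#attribute'."""
    parts = value.split("#", 3)
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    priv, scope, trustee, attr = parts
    return {"privileges": int(priv), "scope": scope, "trustee": trustee, "attribute": attr}


def public_can_read(attrs, attribute=TARGET_ATTR):
    """True if [Public] has at least Read on `attribute`, directly or via [All Attributes Rights]."""
    for value in attrs.get("acl", []):
        acl = parse_acl(value)
        if acl is None or acl["trustee"].lower() != "[public]":
            continue
        if acl["attribute"].lower() not in (attribute.lower(), "[all attributes rights]"):
            continue
        if acl["privileges"] & READ:
            return True
    return False


def diagnose(ldif_text):
    """Return 'no-exclusions', 'ok' or 'acl-missing' for the group entry in ldif_text."""
    attrs = parse_ldif_entry(ldif_text)
    if not attrs.get(TARGET_ATTR.lower()):
        return "no-exclusions"  # nothing to enforce, so the ACL is irrelevant
    return "ok" if public_can_read(attrs) else "acl-missing"


def fix_ldif(group_dn, attribute=TARGET_ATTR):
    """LDIF for ldapmodify that adds the ACL the iManager Modify Trustees steps create."""
    return (f"dn: {group_dn}\n"
            "changetype: modify\n"
            "add: ACL\n"
            f"ACL: {READ}#entry#[Public]#{attribute}\n")


if __name__ == "__main__":
    ldif = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF_MISSING
    verdict = diagnose(ldif)
    print("verdict:", verdict)
    if verdict == "acl-missing":
        dn = parse_ldif_entry(ldif).get("dn", ["<group DN>"])[0]
        print("apply with: ldapmodify -D <adminFDN> -w <password> -x -f fix.ldif")
        print(fix_ldif(dn), end="")
```

Feed the output of the TID's ldapsearch command into the script; a verdict of "acl-missing" means the iManager steps above (or the printed LDIF, applied with ldapmodify) are needed. If the server accepts StartTLS, running both OpenLDAP tools with -ZZ avoids having to turn off "Require TLS for Simple Binds with Password", which would otherwise send the admin password in the clear.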