Linux ldap authentication, pam_filter ignored

I've set up linux client authentication via ldap, it works. I want to control user's access to several services by adding or removing different OUs for accounts. E.g., if user is allowed to login linux machines, it's ou must contain "linux". If this user is allowed to access, say, redmine, it's ou must contain "redmine" also.

The problem is, pam_filter parameter in /etc/ldap.conf is ignored. When I set it

pam_filter ou=linux

the search string that comes to ldap server does not contain this filter:

openldap slapd[5374]: conn=1857 op=1 SRCH base="ou=people,dc=rwth-cbmb,dc=de" scope=2 deref=0 filter="(objectClass=posixAccount)"

As I've said, I've been using it with redmine (tickets tracking system) where I set ldap filter too and it works. I get the following search requests on the server:

openldap slapd[5374]: conn=1863 op=1 SRCH base="ou=people,dc=rwth-cbmb,dc=de" scope=2 deref=0 filter="(&(objectClass=*)(uid=alex)(ou=redmine))"

I have the following packages versions:

ldap-auth-client 0.5.3

ldap-auth-config 0.5.3

ldap-utils 2.4.28-1.1ubuntu4.2

libldap-2.4-2 2.4.28-1.1ubuntu4.2

libnss-ldap 264-2.2ubuntu2

libpam-ldap 184-8.5ubuntu2

Client ubuntu 12.04, server ubuntu server 10.04.

Solution 1:

Ok, the solution was to use

nss_base_passwd ou=people,dc=rwth-cbmb,dc=de??ou=linux

in /etc/ldap.conf on the client. According to documentation:

Syntax:

nss_base_XXX base?scope?filter

I don't know why pam_filter doesn't work, but nss_* solves the problem.

Solution 2:

Add the following line to the /etc/pam_ldap.conf file

pam_check_host_attr yes

From the pam_ldap man page:

pam_check_host_attr

Specifies whether the "host" attribute should be checked for logon authorization ("account" in the PAM stack). The default is not to. If set to "yes" and a user has no value for the "host" attribute, then the user will be unable to login.