Security :: [LDAP] Account To Manage/create Only Specific Users?

Oct 19, 2010

Is there a possibility in openldap to allow a user to only create/manage specific LDAP users?For example user "mailadmin" may only create/manage mail accounts in LDAP that are named like "m1342895"? Or a specific list of user accounts that are in a specific group?

View 1 Replies


ADVERTISEMENT

Security :: Setup A Kerberos + OpenLDAP Server To Manage Users For Our Samba Shares

Feb 13, 2011

Trying to setup a Kerberos + OpenLDAP server to manage users for our Samba shares (was going to use just OpenLDAP, but apparently it is less secure than using Kerberos with it). (Distro: CentOS 5.5) Haven't even gotten to the point of connecting either to Samba yet. I have set up a Kerberos server, and configured it as necessary. I am happy that it is working as intended, as I can login and manage principals from both the local terminal and remotely on other clients.

I have setup a server (sv1.myhost.net), and configured it to talk to Kerberos (auth.myhost.net). I have created both a [URL] principal, and a testuser principal. I have set the password on the testuser but not on the host/sv1.myhost.net. I have added the keys for both users to the keytab file on the sv1.myhost.net. I am at a Windows 7 machine (on the same internal network), and have installed the Network Identity Manager. It is able to request a ticket successfully for the testuser account.

When I use putty w/GSSAPI (0.58) to remote login to the system, it says using 'testuser' and then just hangs there. Eventually putty connection times out. The fact that both machines can connect to the auth server to communicate with kerberos correctly suggests firewalls are correct. The relevant entries in sshd_config have been uncommented to tell srv1 to use Kerberos authentication.

View 3 Replies View Related

Security :: Disable Account Lockout For A Specific User?

Oct 5, 2010

I am using Red Hat LDAP (version 3) and I have passwordLockout set as "on" at global level. Is there a way to disable account lockout for a specific user?

View 1 Replies View Related

Ubuntu Security :: Set Automatically Log In To A Specific User Account And At The Same Time Lock The Screen?

Jul 6, 2011

Is there a way to set Linux to automatically log in to a specific user account and at the same time lock the screen? I want to save time and trigger various software that always should start up on boot, while leaving the computer unattended during startup (extra important and practical for remote control boots), by enforcing a 'screen lock' so that no-one can see what happens behind the login screen without entering the login credentials.

View 3 Replies View Related

Ubuntu Security :: Add Users Other Than Initial Account I Created?

Mar 10, 2011

I set up a linux 10.10 desktop to run as a "server" for me. I then loaded Xrdp so that we can remote connect to the machine. My issue now is, i need to add users other than the initial account i created, but when i log into the desktop remotely, it will not let me add a new user. I cant seem to use any of the boxes in the User Settings command box. Does anyone have any suggestions?

View 9 Replies View Related

Security :: Kerberos And LDAP - Users Will Be Able To Login In To A Server On The Edge Of The LAN And Establish A SSH Connection

Feb 19, 2010

I am trying to deploy Kerberos and LDAP so users will be able to login in to a server on the edge of the LAN, and afterwards be able to establish a SSH connection to all the computers in that LAN without the need to type any passwords, and without the need for me to manage SSH keys [beside the SSH keys on the login server] and local user accounts.

1. When i create the users in OpenLDAP i use a template that i created by reading documentation from the Internet. In the template one piece of information that is neede is the UID. Is there any clever way the keep track of the numbers so i do not assign the same UID to two users, besides using a pen and paper?

2. For the users to be able to establish SSH connections between the computers, the host is going to be added to the keytab like this: ktadd host/client.example.com Is is possible to replace client with something genric so i do not need to mange these keytab files between the hosts?

3. Users will be logging on the the server on the edge of LAN by using SSH keys. How can i configure the setup so the users will recieve a ticket automatically when the logon without executing kinit and without entering a password, just by having a valid SSH key?

4. krb5kdc is running on all the network interfaces in the server i want it to only run on eth1, how can this be done?

View 2 Replies View Related

Ubuntu Security :: SSH Keys - Can I Create With Root Account

Aug 25, 2010

Can i login to my server using my root account and create a public+private key for one of my users and then manually paste it into his authorized_keys file and give him the private key?

The user im giving it to has a chrooted FTP account...

Is it still ok that i used the root account to create it? He is not going to have root access or nothing is he? This is not a security breach in any way is it?

The user doesn't have shell access to create their own so this is the only way i can think of doing it...

Also what access should the user have to their .ssh folder + the authorized_keys file...?

Are they allowed to read the key? What about write?

View 9 Replies View Related

Security :: Create Fully Isolated User Account?

May 16, 2010

I need to create such an account that the user wouldn't be able to r/w any file which doesn't belong to it, even if access mode is set to o+rw. I guess normal chmod/chown won't help here... How can i do this?

View 2 Replies View Related

Server :: Apache Authentication: Allow LDAP Group OR User Named Guest But Not All LDAP Users?

May 25, 2011

I am using RackMonkey to map out my lab. Unfortunately, due to RM limitations, every user who accesses the site has write access UNLESS they are logged in as a user named "guest". I currently have Apache allowing only the users (sysadmins) in an LDAP group access to RM, but I would like to allow read-only access for other users as well.I found mod_authn_anon, but I am having trouble combining the two authentication methods. I am using Apache 2.2.18 (compiled myself) on SLES 11.1.

This is the common part:

Code:

AuthType Basic
AuthBasicProvider ldap anon
Order allow,deny
Allow from all

This part by itself works for the LDAP authentication:

Code:

AuthName "System Admins"
AuthLDAPURL "ldaps://example.com/ou=ldap,o=example.com?mail" SSL
Require ldap-group cn=SysAdmins,ou=memberlist,ou=groups,o=example.com

This part works by itself for guest access:

Code:

Anonymous guest
Anonymous_VerifyEmail Off
Anonymous_MustGiveEmail Off
Anonymous_LogEmail on
Require valid-user

But if I have both of the previous blocks enabled at once, then guest access does not work. If I throw in a "Satisfy any", then I am not prompted for a username at all. How can I allow access to this LDAP group and to a user named "guest", but not allow all valid LDAP users to log in?

View 1 Replies View Related

General :: Openssh + PAM + LDAP Fails Only With LDAP Users?

Mar 31, 2010

I've compiled openssh-5.4p1 on RHEL 4.8 with Openssl 0.9.8m + pam It works perfect without pam (pam-0.77-66), both with password and public key auth. Whith pam enabled and LDAP (openldap-2.4.21, from scratch) something strange happens: system users: I can do ssh with both password and public key LDAP users: public key works for remote users, still I cannot do ssh with just password. I'm trying a custom PAM configuration, because the default one (even with authconfig + LDAP ) blocks ssh even with system users.

My pam SSHD configuration is:

#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass

[code]....

My LDAP users are ok: i can do "su - " remote LDAP (so that nss_ldap is OK), also getent passwd and getent group is ok.

View 2 Replies View Related

Ubuntu Security :: Desire - Create A Bash Script That Launches Skype Under A Separate User Account?

Mar 13, 2010

I want to jail Skype into its own process and not the one I login with. That way, if a hacker breaks in, it's limited to this process and only the limited functionality that that user account has. The thing is this -- thousands of Linux guys run Skype, but Skype is hardly ever updated or have security patches, and we run it all the time. It seems like an easy avenue for an exploit. As well, my iptables firew all blocks input connections that I have not established, but Skype is an established connection. How do I create a Bash script that launches Skype under a separate user account?

View 3 Replies View Related

Security :: Centralize Users And Passwords And Also Create Controls For User Access To Some Equipment?

May 12, 2011

I'm planning to centralize users and passwords and also create controls for user access to some equipment, for example, Linux Servers, Switches, routers and firewalls. In case of failure of the link between the ACS and AD or equipment to the ACS, this device would use local username and password.

At the moment, my AD structure is a Microsoft, Cisco ACS servers and Linux Standalone. I wish that both linuxs servers and network equipment were authorized by Cisco ACS on the accounts that are in Microsoft AD.

The configuration of the Cisco ACS to use the AD is done and no problems, the network equipment is OK too, but am having difficulties configuring the server for this solution.

View 1 Replies View Related

General :: Allow A User To Manage The Users?

Jan 22, 2010

i want to allow the user winny to manage users...i have added the following lines to the visudo file.

#user alias specification
User_Alias LIMITEDTRUST = winny
#command alias specification

[code]...

View 13 Replies View Related

Debian :: Gui In XFCE To Manage Users And Groups?

Aug 26, 2011

Running Wheezy with an XFCE desktop. Is there anything I can install to manage users and groups from a gui

View 2 Replies View Related

Server :: How To Delete User Account From LDAP

Feb 4, 2010

I configured LDAP. But added a user mistakenly, how can I delete that user account from LDAP. How to create home directory for LDAP users.......

View 1 Replies View Related

Fedora Servers :: Pptp - GUI - Command Line To Manage Users - Monitor?

Nov 26, 2010

I am going to build a Linux VPN server(PPTP) for my friend but here is the problem: He don't know Linux and command line to manage users, monitor server, etc

View 1 Replies View Related

Ubuntu Servers :: Prompt Root Password When Attempt To Manage Users And Groups Through The GUI

Mar 20, 2010

So i have a fresh install of the server edition of Karmic, i'm running the Xfce desktop. When I attempt to manage users and groups through the GUI, I am prompted for what I think is the root password, the reason I say this is because the account I am currently logged in has sudo privileges and it does not accept that password at all, but I read that by default the root account is 'locked,' (to be honest it was so long ago since I last installed Ubuntu I completely forgot if it is or isn't, my current desktop installation has su access) is it asking for the root password? why doesn't my current user account password work if the root account is 'locked'? I can perform all other administrative tasks with sudo no problem.

the funny thing is, I have the exact same setup in a virtual machine, the same problem happens, except for some strange reason after changing the password on the only account (besides root), the password required to administer users and groups stayed the same after the change. (at the time of installation I just put both the user and root password the same and now that it is setup), i'm now ready to change the passwords. except now I read that the root account is locked by default, but this strange problem occurs.

View 2 Replies View Related

Server :: Virtual LDAP Server And Virtual Mediawiki Host - Can't Login With Users From LDAP

Jun 5, 2011

In the past I found some great help on this forum, so here goes. Bare with me because it's a long story. I'll try to be as complete as possible. I've installed and configured OpenLdap on a virtual machine with ip 192.168.39.134. I've added 2 users via LAM. In the ou WikiUsers and the domain is wiki.local.

I've then created another host with ip 192.168.39.133 with mediawiki installed on it. Then I added the extension LDAPAuthenthication. In the LdapAuthentication file I added this code (only the last paragraph is mine, I added the others to show it's location in the script):

Quote:

$path = array( $IP, "$IP/includes", "$IP/languages" );
set_include_path( implode( PATH_SEPARATOR, $path ) . PATH_SEPARATOR . get_include_path() );

[code]...

I know I'm close because I can't register any new users or accounts on the mediawiki site. Although I could before I added the LDAP service. This is indeed all just to test and get to know how LDAP works. That's why it's all virtual in VMWare. I did not really configure anything on the LDAP, i just installed it and chose a domain (wiki.local).

View 5 Replies View Related

Ubuntu Servers :: Login With Ldap Account From Client (karmic)?

Jul 11, 2010

how to login with ubuntu ldap server account from ubuntu client(karmic). Ubuntu server and client setup is done properly but not knowing how to login to ldap server graphically from ubuntu client. I don't want to login via SSH

View 2 Replies View Related

Software :: Thunderbird Failing To Start In Ldap User Account / Fix It?

Mar 28, 2011

I recently configured my client to log on using my (open)ldap account. Since then I could not get thunderbird started from my ldap account. But if I su to one of the local accounts, it opens.

My client is Fedora14.

View 6 Replies View Related

CentOS 5 Server :: Allow Only Specific LDAP Group Access?

Apr 26, 2010

I've several servers (windows+linux) that authenticate to an LDAP server. There is one machine that I would like to allow only certain groups from LDAP server to have access and I am not sure where to start.

If that cannot be done, is it possible to disable LDAP root user to access these machines?

View 4 Replies View Related

General :: How To Manage / Create Partitions For Multiple OS

Aug 3, 2011

How do I divide my hard drive into multiple OS'es/partitions for my test machine? For example:
Win XP
Win 7
Gentoo
Ubuntu
Storage
Can Linux'es share swap area? I was told to leave the first primary for the grub and linux cores.

View 1 Replies View Related

Server :: Ldap Password Sync With Samba And Unix User Account?

Apr 21, 2010

I setup openldap and samba on 9.10. The ubuntu desktop client gets authenticated successfully with the server.

But when I do a passwd on the client, only the ldap passwd is getting changed but not in the samba and the unix user account.

My smb.conf

Code:
passdb backend = ldapsam:ldap://192.168.3.100
ldap suffix = dc=example,dc=local
ldap user suffix = ou=People
ldap group suffix = ou=Groups

[Code]....

View 4 Replies View Related

Ubuntu Servers :: App To "manage" Your Craigslist Account?

Jan 7, 2011

Is anybody aware of an app to "manage" your craigslist account? By manage I mean delete and repost ads every 3 days, auto fill captcha or pop it up for you to fill, etc. The craigslist website is awkward, slow, pathetic, and just a plain annoying waste of time but I've never as successfully gotten rid of the junk around my house with other websites...

View 1 Replies View Related

Server :: Add Users To Groups With Ldap?

Jan 18, 2010

how to add users to groups with ldap? Further, could someone point me towards some good command-line management tools? Creating each dn manually is going to get old real fast...

View 14 Replies View Related

Ubuntu Servers :: Propagate Ldap Password Change To Samba And Unix User Account?

Apr 21, 2010

I setup openldap and samba on 9.10. The ubuntu desktop client gets authenticated successfully with the server. But when I do a passwd on the client, only the ldap passwd is getting changed but not in the samba and the unix user account.

My smb.conf

Code:

passdb backend = ldapsam:ldap://192.168.3.100
ldap suffix = dc=example,dc=local
ldap user suffix = ou=People
ldap group suffix = ou=Groups

[code].....

But only the ldap password is getting changed and not in the samba and unix user account.

I tried

unix password sync = yes

but same result.

View 1 Replies View Related

Software :: GNUCash Crashes - Cannot Open Specific Account

Mar 12, 2010

I have been using gnucash for years and never had any problems but now every time I try to load it it crashes upon trying access an account. The sequence is that it first tells me it cannot get a lock on ANY of my files reporting that they may be in use by somebody else; this is impossible. However when I do load it the initial list of accounts installs.

However when I try to open any specific account Gnucash crashes. I am using Mepis 8.0 and Gnucash 2.2.6 directly from the repositories. I have removed it and reinstalled it but to no avail. I have tried to install version 2.2.9 as a tar file but I keep getting dependency errors despite the fact the files are installed.

View 1 Replies View Related

Software :: Resend A Message To Specific Mail Account?

Jul 12, 2010

how i can resend a message to specific mail account and not delete it when qtrap is enabled in a domain? If qtrap find a word in a mail, delete the mail but i want resend to
another mail address?

OS: centos 5.4
qmailinstall: qmailtoaster.

View 1 Replies View Related

OpenSUSE Network :: Import Users Into Ldap?

Apr 16, 2010

Now I have my ldap server doing authentication and providing autofs maps perfectly the next question ... is there a utility anywhere that will allow me to stuff 1200 users into the ldap server from a csv file

View 4 Replies View Related

Ubuntu Networking :: 10.04 LDAP Users Cannot SU To Root

Jun 14, 2010

I have an Openldap server and many 9.10 servers using it to check for possible ssh users. No problems there. Just brought up my first 10.04 server and went through the same procedure to allow ldap users to ssh in, works great. The problem is that ldap users cannot su to root on the 10.04 server. Only locally defined users can su to root, though they cannot su to ldap users. The local root user can su to anyone. Quick overview of how I installed ldap login:

Code:
# apt-get install libnss-ldap
# echo "session required pam_mkhomedir.so skel=/etc/skel/" >> /etc/pam.d/common-session
And added ldap to the end of these lines in /etc/nsswitch.conf:

Code:
passwd: compat ldap
group: compat ldap
shadow: compat ldap

This process has worked without a hitch on 9.10 dozens of times. So my question is, why are ldap and local users now incapable of using su across authentication mechanisms? For reference these are the error messages in /var/log/auth.log when trying to su to root from an ldap user:

Code:
Jun 14 16:17:07 server unix_chkpwd[6560]: check pass; user unknownJun 14 16:17:07 server unix_chkpwd[6560]: password check failed for user (root)
Jun 14 16:17:07 server su[6559]: pam_unix(su:auth): authentication failure; logname=ldapuser uid=2000 euid=2000 tty=/dev/pts/5 ruser=ldapuser rhost= user=root
Jun 14 16:17:09 server su[6559]: pam_authenticate: Authentication failure
Jun 14 16:17:09 server su[6559]: FAILED su for root by ldapuser
And the auth.log for trying to su to an ldap user from a local one:

Code:
Jun 14 17:18:18 server su[8473]: pam_unix(su:auth): authentication failure; logname=localuser uid=1000 euid=1000 tty=/dev/pts/0 ruser=localuser rhost= user=ldapuser
Jun 14 17:18:18 server su[8473]: Successful su for ldapuser by localuserJun 14 17:18:18 server su[8473]: + /dev/pts/0 localuser:ldapuser
Jun 14 17:18:18 server su[8473]: bad group ID `2000' for user `ldapuser': Operation not permitted

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved