How to only allow users and/or groups access certain client machines that are connected to an openldap server?


I don't think you'll be able to do this without changing client configs. However, after the client computers are all set up, you'll be able to manage this from the LDAP server.

One way to achieve this is:

  1. Write an access_ldap.conf file which contains this, and put it /etc/security:

    +:root:ALL
    -:ALL EXCEPT (the_group_that_has_access):ALL
    

    There is an access.conf file in /etc/security/ but that is usually included in some system rulesets in /etc/pam.d, so it is more difficult to edit that, since you have to ensure that system daemons can "login", thus, you can't lock out everyone but a single group without writing rules for system users. Having a separate file is less hassle.

    Note that the parentheses around the group name indicate that the name is in fact a group name (pam_access.so looks for a group if it can't find the user, and because of this, the parentheses might be called superfluous, but this is the "proper" way to refer to groups).

    Also, the first line grants access to root in any case. You may want to add other users/groups as well, for anyone not listed in this file will be locked out by the second line.

  2. You want login and ssh to favor this new config, but other services should work as they used to be. In order to achieve this, edit the login and sshd files in /etc/pam.d to contain this line:

    account  required     pam_access.so accessfile=/etc/security/access_ldap.conf
    

This way, only members of the given group will be able to access the computer via ssh or login. The group membership, and thus, access to the computers, can be managed in LDAP.

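As an added example (not part of the answer above, and not code from the original page), the following script stages the two-line rule file from step 1 in a scratch directory and dry-runs pam_access's first-match logic against a few constructed users before the file is put under /etc/security. The group name `ldap-admins`, the users `root`, `alice` and `bob`, and their group lists are assumptions for the demonstration; origins are treated as ALL because the answer's rules use ALL for that field.

```shell
#!/bin/sh
# Added example: stage the access_ldap.conf rules from the answer and
# simulate how pam_access will evaluate them.  Group name and sample
# users below are assumptions, not values from the original page.
set -f   # no pathname expansion while word-splitting group lists

STAGE="${STAGE:-$(mktemp -d)}"
ACCESS_FILE="$STAGE/access_ldap.conf"   # stands in for /etc/security/access_ldap.conf

write_access_file() {
    cat > "$ACCESS_FILE" <<'EOF'
# permission : users/groups : origins   (first matching line wins)
+:root:ALL
-:ALL EXCEPT (ldap-admins):ALL
EOF
}

# in_list WORD "w1 w2 ..." -> 0 if WORD is one of the words
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# match_item ITEM USER "GROUPS": evaluate one token of the users field
match_item() {
    case "$1" in
        ALL) return 0 ;;
        "("*")")                      # "(name)" is explicitly a group
            g=${1#?}; g=${g%?}; in_list "$g" "$3" ;;
        @*) return 1 ;;               # netgroups are not modelled here
        *)  [ "$1" = "$2" ] || in_list "$1" "$3" ;;   # user name, else group fallback
    esac
}

# match_list "t1 t2 ..." USER GROUPS -> 0 if any token matches
match_list() {
    for it in $1; do match_item "$it" "$2" "$3" && return 0; done
    return 1
}

# match_users FIELD USER GROUPS: handles "X Y EXCEPT Z W"
match_users() {
    case "$1" in
        *" EXCEPT "*)
            match_list "${1%% EXCEPT *}" "$2" "$3" || return 1
            match_list "${1#* EXCEPT }" "$2" "$3" && return 1
            return 0 ;;
        *) match_list "$1" "$2" "$3" ;;
    esac
}

# access_check USER "GROUPS" -> prints allow|deny and exits 0|1.
# Only the users field is evaluated (origins assumed ALL).  Note the
# pam_access default: if no line matches at all, access is permitted.
access_check() {
    while IFS=: read -r perm users _origins; do
        case "$perm" in ''|'#'*) continue ;; esac
        if match_users "$users" "$1" "$2"; then
            case "$perm" in
                +*) echo allow; return 0 ;;
                *)  echo deny;  return 1 ;;
            esac
        fi
    done < "$ACCESS_FILE"
    echo allow
    return 0
}

# Dry run with constructed users: "user:group1 group2"
write_access_file
for who in "root:wheel" "alice:ldap-admins users" "bob:users"; do
    printf '%-6s (%s) -> %s\n' "${who%%:*}" "${who#*:}" \
        "$(access_check "${who%%:*}" "${who#*:}")"
done
```

root is allowed by the first line, alice is allowed only because no line matches a member of the group (pam_access permits by default), and bob is denied by the second line. Because the default is permit, a typo in the group name silently opens the machine to everyone rather than locking it down, so run a check like this against the real file and keep an open root session on the client while adding the `account` line to /etc/pam.d/sshd and /etc/pam.d/login.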


Author: Alex Lowe

Updated on September 18, 2022

Comments

  • Alex Lowe
    Alex Lowe over 1 year

    I would really like to figure out how I can allow users and/or groups access to certain client machines that are all connected to an OpenLDAP server. I would like to do this whether the user is sitting right in front of the client machine itself or whether he/she SSHes into it. One last thing: I would like to be able to manage this all from the OpenLDAP server rather than the client, if possible.

    Thanks, Alex

  • Alex Lowe
    Alex Lowe almost 8 years
    Can't I also use some attribute that is built into openLDAP?
  • Lacek
    Lacek almost 8 years
    Not in the access.conf file. However, the pam_ldap.so config (/etc/pam_ldap.conf) has a pam_filter attribute, which is ANDed with "uid=whatever" when doing LDAP lookups on authentication. If you want this based upon a certain LDAP attribute, then all you need is to change that one file.
  • Alex Lowe
    Alex Lowe almost 8 years
    Is that like the netgroup setup for nss?
  • Lacek
    Lacek almost 8 years
    Not really. Editing the pam_ldap.conf file this way simply adds a filter to user lookups, so users who don't have that specific attribute set to the right value won't even show up for the authentication process, and thus, for authentication purposes, the system will act as if the user didn't exist. For actions not needing authentication, the user will exist, so you'll be able to see the user with the id command, but won't be able to change its password.
  • Lacek
    Lacek almost 8 years
    I don't really understand this last question. You can control group memberships, and thus, access rights on the OpenLDAP server if you use the approach written in the answer. If you want to use the attribute filtering, then you will be able to control the attribute on the LDAP server. However, either way, changing some client configs is inevitable.
  • Alex Lowe
    Alex Lowe almost 8 years
    First question: if I wanted to use pam_filter from pam_ldap.so, where would the configuration file for that be, because /etc/pam_ldap.conf was empty? Second question: what would be an example of how to use the pam_filter attribute?
  • Lacek
    Lacek almost 8 years
    On Red Hat, the config file is called /etc/ldap.conf. pam_filter can take any LDAP search string as value. This will be ANDed with (uid=<user_input>). For example, to prevent login for everyone who hasn't got bash as login shell: !(loginShell=/bin/bash)