How to only allow users and/or groups access certain client machines that are connected to an openldap server?
I don't think you'll be able to do this without changing client configs. However, after the client computers are all set up, you'll be able to manage this from the LDAP server.
One way to achieve this is:
Write an access_ldap.conf file which contains this, and put it in /etc/security:
+:root:ALL
-:ALL EXCEPT (the_group_that_has_access):ALL
There is an access.conf file in /etc/security/ but that is usually included in some system rulesets in /etc/pam.d, so it is more difficult to edit that, since you have to ensure that system daemons can "login"; thus, you can't lock out everyone but a single group without writing rules for system users. Having a separate file is less hassle.
Note that the parentheses around the group name indicate that the name is in fact a group name (pam_access.so looks for a group if it can't find the user, and because of this, the parentheses might be called superfluous, but this is the "proper" way to refer to groups). Also, the first line grants access to root in any case. You may want to add other users/groups as well, for anyone not listed in this file will be locked out by the second line.
You want login and ssh to favor this new config, but other services should work as they used to. In order to achieve this, edit the login and sshd files in /etc/pam.d to contain this line:
account required pam_access.so accessfile=/etc/security/access_ldap.conf
This way, only members of the given group will be able to access the computer via ssh or login. The group membership, and thus access to the computers, can be managed in LDAP.
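Added example, not code from the original answer or from the pam_access project: a small Python model of how pam_access.so evaluates an access.conf-style file like the access_ldap.conf above, so a rule set can be checked before it is rolled out to the clients. The config text, the group table and the group name ldap-admins (standing in for the_group_that_has_access) are constructed stand-ins for what nss/LDAP would return.

```python
# Constructed config mirroring the answer's access_ldap.conf; "ldap-admins" is
# a placeholder for the_group_that_has_access.
ACCESS_LDAP_CONF = """\
# permission : users and (groups) : origins
+:root:ALL
-:ALL EXCEPT (ldap-admins):ALL
"""

# Constructed group membership, standing in for what the nss/LDAP lookup returns.
GROUPS = {"root": {"root"}, "alice": {"users", "ldap-admins"}, "bob": {"users"}}

def parse_rules(text):
    """Return (permission, users_field, origins_field) triples; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm, users, origins))
    return rules

def _match_field(field, item_matches):
    """Evaluate 'a b c' or 'a EXCEPT b c' with a per-item predicate."""
    parts = field.split()
    if "EXCEPT" in parts:
        i = parts.index("EXCEPT")
        return (any(map(item_matches, parts[:i]))
                and not any(map(item_matches, parts[i + 1:])))
    return any(map(item_matches, parts))

def _user_item(item, user, groups):
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return item[1:-1] in groups        # parentheses force a group lookup
    return item == user or item in groups  # bare name: user first, then group

def check_access(rules, user, origin, groups=None):
    """True if pam_access would permit user from origin: the first line whose
    user field and origin field both match decides; no match grants access."""
    groups = GROUPS.get(user, set()) if groups is None else groups
    for perm, users, origins in rules:
        if (_match_field(users, lambda x: _user_item(x, user, groups))
                and _match_field(origins, lambda x: x in ("ALL", origin))):
            return perm == "+"
    return True
```

Running check_access(rules, "bob", "sshd") against the parsed config shows the second line denying a user who is not in the group, while root and group members are permitted.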
Alex Lowe
Updated on September 18, 2022
Comments
-
Alex Lowe over 1 year
I would really like to figure out how I can allow users and/or groups access to certain client machines that are all connected to an OpenLDAP server. I would like to do this whether the user is sitting right in front of the client machine itself or whether he/she is SSHed into it. One last thing: I would like to be able to manage this all from the OpenLDAP server rather than the client, if possible.
Thanks, Alex
-
Alex Lowe almost 8 years
Can't I also use some attribute that is built into openLDAP?
-
Lacek almost 8 years
Not in the access.conf file. However, the pam_ldap.so config (/etc/pam_ldap.conf) has a pam_filter attribute, which is ANDed with "uid=whatever" when doing LDAP lookups on authentication. If you want this based upon a certain LDAP attribute, then all you need is to change that one file.
-
Alex Lowe almost 8 years
Is that like the netgroup setup for nss?
-
Lacek almost 8 years
Not really. Editing the pam_ldap.conf file this way simply adds a filter to user lookups, so users who don't have that specific attribute set to the right value won't even show up for the authentication process, and thus, for authentication purposes, the system will act as if the user didn't exist. For actions not needing authentication, the user will exist, so you'll be able to see the user with the id command, but won't be able to change its password.
-
Lacek almost 8 years
I don't really understand this last question. You can control group memberships, and thus access rights, on the OpenLDAP server if you use the approach written in the answer. If you want to use the attribute filtering, then you will be able to control the attribute on the LDAP server. However, either way, changing some client configs is inevitable.
-
Lacek almost 8 years
Let us continue this discussion in chat.
-
Alex Lowe almost 8 years
First question: if I wanted to use pam_filter from pam_ldap.so, where would the configuration file for that be, because /etc/pam_ldap.conf was empty? Second question: what would be an example of how to use the pam_filter attribute?
-
Lacek almost 8 years
On Red Hat, the config file is called /etc/ldap.conf. pam_filter can take any LDAP search string as value. This will be ANDed with (uid=<user_input>). For example, to prevent login for everyone who hasn't got bash as login shell:
!(loginShell=/bin/bash)