Restricting account logins using LDAP and PAM

ubuntu ldap pam
21,775

Solution 1

PAM has the ability to restrict access based on an access control list (at least on Ubuntu) which, like kubanskamac's answer (+1) regards the groups as posix groups, whether they're stored in LDAP, /etc/group or NIS.

/etc/security/access.conf is the access list file. In my file, I put at the end:

-:ALL EXCEPT root sysadmin (ssh-users):ALL

This denies everyone except root, sysadmin and in the group ssh-users (which is in LDAP) wherever they login from (the second ALL).

Then in my PAM account file (this IS an account module), I add at the very end:

account required pam_access.so

which tells PAM to use this file. It works a treat :-)

Solution 2

I would simply use

auth required    pam_listfile.so   sense=accept item=group file=/etc/groups.allow onerr=fail

to allow only specific groups (both for local and LDAP groups). This way you don't have to specify anything in ldap.conf.

If you want to keep authorization your way, you shouldn't filter users on "account" pass. I believe you should rather do it on "auth" pass. Secondly, as you can see yourself, pam_unix processes both local and LDAP accounts (at least on the "account" pass), so it seems there is no need for pam_ldap at all.

EDIT: Thirdly, if you insist on having stuff on "account" pass (which I believe could have strange side effects), your sequence should end with: ..., "sufficient pam_ldap", "required pam_localuser", "required pam_unix". I mean, if you have any other modules, move them before pam_ldap - otherwise they would be ignored for LDAP accounts due to "sufficient" clause.

Share:
21,775

Related videos on Youtube

Andy Shellam
Author by

Andy Shellam

Skills: Windows Server 2003 Redhat Linux Ubuntu Linux

Updated on September 17, 2022

Comments

  • Andy Shellam
    Andy Shellam almost 2 years

    I was hoping some PAM/LDAP gurus may be able to help me out here. I've recently set up an LDAP directory on Ubuntu Server to hold accounts for both my clients (for use with web-based systems) and staff (who will need to login via SSH.)

    The LDAP authentication is working perfectly. However I cannot get the account restrictions working: staff accounts will have IDs between 2001 and 2999 and will be a member of the ssh-users group to allow them to login to servers.

    The restrictions in question are in /etc/ldap.conf, and are pam_min_uid, pam_max_uid and pam_groupdn.

    pam_groupdn contains the full DN to my ssh-users group. pam_min_uid = 2000 and pam_max_uid = 2999.

    Now, I've managed to get them working by adding:

    account [success=1 default=ignore] pam_ldap.so

    above the pam_unix.so line in /etc/pam.d/common-account. However, the local Unix accounts can then NOT login: the SSH server kills the connection as soon as they try.

    I've set the pam_ldap.so module to sufficient in the above file, but then the invalid users get a message saying they cannot login, but it logs them in anyway.

    So, how can I set these account restrictions for LDAP users, while still allowing UNIX users to login?

    As you can probably guess I'm a newbie to PAM, although I have managed to get the "automatically make home directories" module working :-)

    Many thanks, Andy

  • Andy Shellam
    Andy Shellam over 14 years
    I think pam_unix is using the getent calls to retrieve the account information - which uses LDAP as in /etc/nsswitch.conf. Those lines were added to the PAM config files by the libpam-ldap package installer. The default action of pam_groupdn wasn't doing anything, and while searching for answers, someone said that it wouldn't take effect unless the pam_ldap.so module was used during the "account" pass. If possible I'd rather keep the settings in ldap.conf as it's related specifically to LDAP.
  • Andy Shellam
    Andy Shellam over 14 years
    Everything I read about PAM indicates that account is the right section for this. auth - Identifies the user and authenticates the account account - Checks user account characteristics, such as password aging, login time restrictions, and remote login restrictions This isn't an authentication issue - because the username/password is correct, and the user can be identified. It's an account restriction because I don't want some accounts to be able to login.
  • crb
    crb almost 14 years
    It's worth noting that you may need to put pam_access.so at the very beginning of your PAM account file to have it take effect.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

PAM / LDAP authentication with Ubuntu 10.04
PAM with LDAP and add an exception for local user
libpam-ldap or libpam-ldapd?
Where are passwords stored?
LDAP/Pam: No passwd entry for user while getent passwd shows all LDAP users
Restrict ssh login from LDAP to users who have a /home directory
text based tool for ldap queries
While trying to ssh, pam_ldap always sends the password "INCORRECT" causing bind to fail
pam_sss access denied with kerberos authentication ok
Public key authentication for LDAP users using local authorized_keys