Disallow ldap user to log to specific server

TONAY
Posts: 2
Joined: 2012/01/06 13:03:39

Disallow ldap user to log to specific server

Post by TONAY » 2012/01/06 13:12:07

I've set up an openldap server and created some posix accounts in it. The clients are CentOS & RedHat servers. All the users defined in the ldap are able to log on any client and that's my problem.

Some of the users should be able to log only on some clients not all of them. Here is an example:

a few users : User1, User2, User3
a few clients : server1, server2, server3.

Now every user can connect on every client; what I want is:
User1, User3 can connect on every server
User2 can only connect on server2

Is there a way to do that? Maybe there is an attribute where I could put a list of allowed servers for a posixAccount?

Regards

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Disallow ldap user to log to specific server

Post by jlehtone » 2012/01/07 13:28:24

I think there is a "host" ldap attribute in some account schema, but it requires
that the pam (in /etc/ldap.conf) in each server has been told to check that
attribute.

Start by reading the comments from the /etc/ldap.conf. Or have you moved
on to using the sssd?

TONAY
Posts: 2
Joined: 2012/01/06 13:03:39

Re: Disallow ldap user to log to specific server

Post by TONAY » 2012/01/10 08:32:41

I haven't moved to sssd yet... I'll look for the host attribute.

Thx

KermitDaFragger
Posts: 195
Joined: 2009/09/11 19:23:05
Location: the Netherlands

Re: Disallow ldap user to log to specific server

Post by KermitDaFragger » 2012/01/12 23:07:12

I think you can use "pam_filter" for that in "/etc/ldap.conf" to require the user to be part of a specific group. That way you can even manage access from your LDAP directory.
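To make the two suggestions in this thread concrete (the `host` attribute check jlehtone describes, and the `pam_filter` restriction KermitDaFragger describes), here is an added Python model of how pam_ldap decides whether a user found in LDAP may log in. It is example code written for this page, not pam_ldap or OpenLDAP code, and it runs against a constructed in-memory copy of the thread's users and servers. Assumed from the comments shipped in `/etc/ldap.conf`: with `pam_check_host_attr yes` a user passes only if the entry's `host` attribute (from the `account` objectClass) names this machine or is `*`, and a user with no `host` value is denied; `pam_filter` is ANDed with the `uid` lookup, so the user is simply not found unless the entry also matches it. The FQDN-to-short-name comparison, the group names, and the `memberOf` attribute (which on a real server needs the memberof overlay or equivalent) are assumptions made for the example.

```python
"""Model of two pam_ldap access checks (host attribute and pam_filter).

Example code for this thread, not pam_ldap's own implementation.  The
directory below is constructed in memory; nothing is contacted.
"""

from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]          # LDAP attributes are multi-valued

BASE = "ou=groups,dc=example,dc=com"  # constructed base DN
ALL_GROUPS = [f"cn={s}-users,{BASE}" for s in ("server1", "server2", "server3")]

# Constructed entries for the users in the thread.  `host` comes from the
# `account` objectClass; `memberOf` is assumed to be maintained by the server.
DIRECTORY: Dict[str, Entry] = {
    "User1": {"objectClass": ["account", "posixAccount"],
              "host": ["*"], "memberOf": ALL_GROUPS},
    "User2": {"objectClass": ["account", "posixAccount"],
              "host": ["server2"], "memberOf": [f"cn=server2-users,{BASE}"]},
    "User3": {"objectClass": ["account", "posixAccount"],
              "host": ["server1", "server2", "server3"], "memberOf": ALL_GROUPS},
    # No host attribute and no groups: shows what pam_check_host_attr does then.
    "User4": {"objectClass": ["account", "posixAccount"]},
}


def host_attr_allows(entry: Entry, hostname: str, check_enabled: bool = True) -> bool:
    """Decision for `pam_check_host_attr`.

    Disabled: everyone passes.  Enabled: the entry must carry a `host` value
    equal to this machine (compared case-insensitively, against the name as
    given and its short form; assumption) or the wildcard "*".  An entry with
    no `host` value is denied, as the ldap.conf comment warns.
    """
    if not check_enabled:
        return True
    hosts = entry.get("host", [])
    if not hosts:
        return False
    candidates = {hostname.lower(), hostname.split(".")[0].lower()}
    return any(h == "*" or h.lower() in candidates for h in hosts)


def parse_equality_filter(pam_filter: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split "(attr=value)" or "attr=value" into (attr, value).

    Only a single equality/presence term is supported here.  Splitting on the
    first "=" keeps DN-valued filters such as memberOf=cn=x,ou=y intact.
    Returns None when no pam_filter is configured.
    """
    if not pam_filter:
        return None
    f = pam_filter.strip()
    if f.startswith("(") and f.endswith(")"):
        f = f[1:-1]
    attr, sep, value = f.partition("=")
    if not sep or not attr.strip() or not value.strip():
        raise ValueError(f"unsupported filter: {pam_filter!r}")
    return attr.strip(), value.strip()


def pam_filter_allows(entry: Entry, pam_filter: Optional[str]) -> bool:
    """pam_ldap ANDs pam_filter with (uid=<user>): the user is only found,
    and so only allowed in, if the entry also matches the extra filter."""
    parsed = parse_equality_filter(pam_filter)
    if parsed is None:
        return True
    attr, value = parsed
    for name, values in entry.items():          # attribute names are case-insensitive
        if name.lower() == attr.lower():
            if value == "*":                    # (attr=*) is a presence filter
                return bool(values)
            return any(v.lower() == value.lower() for v in values)
    return False


def can_login(user: str, hostname: str, check_host_attr: bool = True,
              pam_filter: Optional[str] = None) -> bool:
    """Combined decision for one login attempt on one client."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return False
    return (pam_filter_allows(entry, pam_filter)
            and host_attr_allows(entry, hostname, check_host_attr))


if __name__ == "__main__":
    # The thread's goal: User1/User3 everywhere, User2 only on server2.
    for server in ("server1", "server2", "server3"):
        row = {u: can_login(u, server) for u in DIRECTORY}
        print(server, row)
    # Same goal with pam_filter per client instead of the host attribute.
    print(can_login("User2", "server2", check_host_attr=False,
                    pam_filter=f"(memberOf=cn=server2-users,{BASE})"))
```

The host-attribute route keeps the policy in the directory and one global `pam_check_host_attr yes` on every client; the `pam_filter` route needs a different filter on each client (server2's ldap.conf names the server2 group), but lets group membership drive access without touching user entries. Either way, remember the warning from ldap.conf: once the check is on, users without the attribute are locked out, so populate `host` (or the group) before enabling it.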

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Disallow ldap user to log to specific server

Post by jlehtone » 2012/01/13 22:17:41

Yes. https://help.ubuntu.com/community/LDAPClientAuthentication
