OpenLDAP – How to Allow Users and Groups Access to Certain Client Machines

Tags: authentication, ldap, openldap, pam

I would really like to figure out how I can allow users and/or groups access to certain client machines that are all connected to an OpenLDAP server. I would like to do this whether the user is sitting right in front of the client machine itself or whether he/she is SSHed into it. One last thing: I would like to be able to manage this all from the OpenLDAP server rather than the client, if possible.

Thanks,
Alex

Best Answer

I don't think you'll be able to do this without changing client configs. However, after the client computers are all set up, you'll be able to manage this from the LDAP server.

One way to achieve this is:

  1. Write an access_ldap.conf file which contains this, and put it in /etc/security:

    +:root:ALL
    -:ALL EXCEPT (the_group_that_has_access):ALL
    

    There is an access.conf file in /etc/security/, but that is usually included in some system rulesets in /etc/pam.d, so it is more difficult to edit, since you have to ensure that system daemons can still "login"; thus you can't lock out everyone but a single group without writing rules for system users. Having a separate file is less hassle.

    Note that the parentheses around the group name indicate that the name is in fact a group name (pam_access.so looks for a group if it can't find the user, and because of this, the parentheses might be called superfluous, but this is the "proper" way to refer to groups).

    Also, the first line grants access to root in any case. You may want to add other users/groups as well, for anyone not listed in this file will be locked out by the second line.

  2. You want login and ssh to favor this new config, but other services should work as they used to. In order to achieve this, edit the login and sshd files in /etc/pam.d to contain this line:

    account  required     pam_access.so accessfile=/etc/security/access_ldap.conf
    

This way, only members of the given group will be able to access the computer via ssh or login. The group membership, and thus, access to the computers, can be managed in LDAP.
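To see why the two rules above behave as described (first matching line wins, a bare name is tried as a user and then as a group, and a user matched by no line is granted access), here is an added example that models pam_access.so's evaluation of such a file. It is not part of the answer, the group name `ldap_admins` and the user names are constructed, and it covers only the syntax the answer uses (`+`/`-`, `ALL`, `ALL EXCEPT`, parenthesized groups and plain hostnames as origins), not netgroups, `LOCAL` or network masks.

```python
# Constructed sample: the answer's two rules, with `ldap_admins` standing in
# for the_group_that_has_access. First matching line wins, as in pam_access.
ACCESS_LDAP_CONF = """\
+:root:ALL
-:ALL EXCEPT (ldap_admins):ALL
"""

def parse_rules(text):
    """Return (permission, user_items, origin_items) for each rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules

def _item_matches(item, user, groups):
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return item[1:-1] in groups          # explicit group reference
    return item == user or item in groups    # bare name: user first, then group

def _list_matches(items, match_one):
    """Handle the 'ALL EXCEPT a b c' form used by both the user and origin fields."""
    if len(items) >= 2 and items[0] == "ALL" and items[1] == "EXCEPT":
        return not any(match_one(i) for i in items[2:])
    return any(match_one(i) for i in items)

def access_allowed(rules, user, groups, origin="ALL"):
    """Decide as pam_access would; with no matching rule, access is granted."""
    for perm, user_items, origin_items in rules:
        if (_list_matches(user_items, lambda i: _item_matches(i, user, groups))
                and _list_matches(origin_items, lambda i: i in ("ALL", origin))):
            return perm == "+"
    return True

if __name__ == "__main__":
    rules = parse_rules(ACCESS_LDAP_CONF)
    for who, grps in (("root", ["root"]), ("alice", ["ldap_admins"]), ("bob", ["users"])):
        print(who, "allowed" if access_allowed(rules, who, grps) else "denied")
```

The default-grant on no match is the reason the answer's second line is a catch-all deny: without it, anyone not named in the file would get in.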