I would really like to figure out how I can allow users and/or groups access to certain client machines that are all connected to an OpenLDAP server. I would like to do this whether the user is sitting right in front of the client machine itself or whether he/she is SSHed into it. One last thing: I would like to be able to manage this all from the OpenLDAP server rather than the client, if possible.
Thanks,
Alex
Best Answer
I don't think you'll be able to do this without changing client configs. However, after the client computers are all set up, you'll be able to manage this from the LDAP server.
One way to achieve this is:
Write an access_ldap.conf file which contains this, and put it in /etc/security:

There is an access.conf file in /etc/security/, but that is usually included in some system rulesets in /etc/pam.d, so it is more difficult to edit that, since you have to ensure that system daemons can "login"; thus, you can't lock out everyone but a single group without writing rules for system users. Having a separate file is less hassle.

Note that the parentheses around the group name indicate that the name is in fact a group name (pam_access.so looks for a group if it can't find the user, and because of this, the parentheses might be called superfluous, but this is the "proper" way to refer to groups). Also, the first line grants access to root in any case. You may want to add other users/groups as well, for anyone not listed in this file will be locked out by the second line.
You want login and ssh to favor this new config, but other services should work as they used to be. In order to achieve this, edit the login and sshd files in /etc/pam.d to contain this line:

This way, only members of the given group will be able to access the computer via ssh or login. The group membership, and thus access to the computers, can be managed in LDAP.