At the moment my PAM is integrated through LDAP with a custom authentication stack in /etc/pam.d/system-auth:
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.netgroup.allowed
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass retry=3
password sufficient pam_unix.so sha512 nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so skel=/etc/skel umask=077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
As you can see, the authorization is made by a lookup in the /etc/login.netgroup.allowed file, which contains a list of LDAP groups. So a user can log in to this server only if he belongs to at least one of those groups.
This check is made statically. I mean, the login.netgroup.allowed file is immutable and it contains only a list of groups. Is there a way, or any suggestion, to make this check dynamic through an LDAP lookup? I mean, suppose I have an LDAP branch which contains an entry with the hostname of my server and a multivalued attribute containing the list of the groups associated with this server. Is it possible to make the check not against a file but directly on LDAP?
INFO:
OS: Red Hat 6.4
LDAP Client: nslcd
EDIT:
At the moment I've made it work with a custom script.
This is the system-auth of my hostname1 server:
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_exec.so /usr/sbin/netgroupCheck
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.netgroup.allowed
I'm checking the allowed groups directly on LDAP with the /usr/sbin/netgroupCheck script:
#!/usr/bin/env bash
# Refresh the allowed-netgroup file from this host's LDAP entry (run by pam_exec.so)
set -euo pipefail
# Allowed netgroup file consumed by pam_listfile.so
file=/etc/login.netgroup.allowed
# Reuse the LDAP client settings from nslcd.conf: first uncommented value of a key
conf_value() { awk -v k="$1" '$1 == k { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' /etc/nslcd.conf; }
uri=$(conf_value uri)
oud_user=$(conf_value binddn)
oud_password=$(conf_value bindpw)
hostname=$(hostname)
# Write to a temp file and rename, so a failed lookup keeps the previous list instead of truncating it
tmp=$(mktemp "${file}.XXXXXX")
trap 'rm -f "$tmp"' EXIT
# Note: -w puts the bind password on the command line (visible in ps); -y <file> avoids that
ldapsearch -LLL -H "$uri" -D "$oud_user" -w "$oud_password" -b "dc=base,dc=it" \
    "(cn=$hostname)" Allowednetgroup \
    | awk 'tolower($1) == "allowednetgroup:" { print $2 }' > "$tmp"
chmod 0644 "$tmp"
mv -f "$tmp" "$file"
And this is the entry on LDAP:
dn: cn=hostname1,ou=servers,dc=base,dc=it
objectClass: host
objectClass: ipHost
objectClass: top
cn: hostname1
ipHostNumber: 10.10.10.10
Allowednetgroup: GROUP1
Allowednetgroup: GROUP2
Allowednetgroup: GROUP3
In this way I can edit the allowed netgroups directly in LDAP without editing them on the server.
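As an added example (not the poster's script and not part of the original question), here is the same idea taken one step further: a pam_exec.so helper that fetches the host's entry and decides for the user itself, so no allow-list file has to be rewritten on every authentication, and the check fails closed whenever LDAP returns nothing. It reuses the names from the question (the Allowednetgroup attribute, the dc=base,dc=it base, the nslcd.conf bind settings); the use of `id -nG` for the user's group membership and the variable PAM_USER that pam_exec.so exports are assumptions of this example. The LDIF parsing and the decision run offline on a constructed sample; only the final block talks to LDAP, and only when PAM invokes it.

```shell
#!/bin/sh
# Added example, not the poster's script: a pam_exec.so helper that decides the
# login itself from the host's LDAP entry. Assumed: the attribute is
# Allowednetgroup, the host entry is found with (cn=$(hostname)), and the user's
# groups come from `id -nG` (local groups plus the LDAP groups nslcd resolves).

# Print the values of one LDIF attribute read on stdin (attribute name matched
# case-insensitively, one value per line). Plain values only: "attr:: base64"
# and continuation lines are not decoded, which is fine for group names.
ldif_values() {
    awk -v a="$1" '
        BEGIN { a = tolower(a) }
        {
            n = index($0, ":"); if (n == 0) next
            if (tolower(substr($0, 1, n - 1)) != a) next
            v = substr($0, n + 1); sub(/^[ \t]+/, "", v); print v
        }'
}

# Arg 1: the user's group names, space separated. Stdin: allowed names, one per
# line. Exit 0 if any user group is on the list, 1 otherwise. An empty list
# (no entry, attribute missing, lookup failed) denies: the check fails closed.
allowed_by_list() {
    abl_allowed=$(cat)
    [ -n "$abl_allowed" ] || return 1
    for abl_g in $1; do
        # -x: whole-line match, so GROUP1 on the list does not admit GROUP10
        if printf '%s\n' "$abl_allowed" | grep -qxF -- "$abl_g"; then return 0; fi
    done
    return 1
}

# Decision for one user: arg 1 is the LDIF of the host entry, arg 2 the user's groups.
decide() {
    printf '%s\n' "$1" | ldif_values Allowednetgroup | allowed_by_list "$2"
}

# Constructed sample of what ldapsearch -LLL returns for the host entry
SAMPLE_LDIF='dn: cn=hostname1,ou=servers,dc=base,dc=it
cn: hostname1
Allowednetgroup: GROUP1
allowednetgroup: GROUP2
AllowedNetgroup: GROUP3'

# Entry point when PAM runs us: pam_exec.so exports PAM_USER (assumed here).
# Bind settings are taken from nslcd.conf (first uncommented value of each key).
if [ -n "${PAM_USER:-}" ]; then
    conf_value() { awk -v k="$1" '$1 == k { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' /etc/nslcd.conf; }
    entry=$(ldapsearch -LLL -H "$(conf_value uri)" -D "$(conf_value binddn)" \
        -w "$(conf_value bindpw)" -b "dc=base,dc=it" "(cn=$(hostname))" Allowednetgroup) || exit 1
    decide "$entry" "$(id -nG "$PAM_USER" 2>/dev/null)"
    exit $?
fi
```

With this, the `auth required pam_exec.so /usr/sbin/netgroupCheck` line carries the decision itself and the pam_listfile.so line is no longer needed. The exact whole-line match mirrors what pam_listfile.so does with item=group, and the empty-list rule means an LDAP outage denies logins rather than silently admitting everyone.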
Best Answer
Sure, this is done via the filter passwd directive of the nslcd.conf file, something like this:

Since filter passwd references the LDAP filter, it can be as complicated as you wish, including multiple group constraints inside a logical expression.