Linux – Managing LDAP logins to a machine without pam_groupdn: multiple groups allowed

Tags: authentication, ldap, linux, pam-ldap

I'm sure that some of you have dealt with this same problem. I'm hoping that someone has a better answer than what I'm doing now.

So, you've got some users in an LDAP directory, and one day you say "hey! I can authenticate against this thing for SSH!" And it is good.

Then one day you realize you want only certain users to be able to get into a machine. Say, developers should only be able to get into the dev boxes, not prod. You do some googling around and find pam_groupdn which goes in your LDAP config (/etc/ldap.conf) like so:

pam_groupdn CN=developers,OU=groups,DC=yourcompany

And, again, it is good. You make another group for prod, another for QA, etc. Maybe one day you have a second product dev group, so they get their own group. Whatever.

Then one day you've got a server that both developers and QA need to be able to log in to. Uh… It turns out that pam_groupdn doesn't take multiple values. What do you do? Well, if you're not thinking much, you say "oh, I'll just make a developers-and-QA group!".

pam_groupdn CN=developers-and-QA,OU=groups,DC=yourcompany

That's… not good, but it's ok, right?

Then one day you get another developer, and you realize you need to add them to 15 groups because there's developers-and-QA, product1-and-product2, developers-who-have-access-to-prod and so on. Crap.

There's got to be a better way to do this, right? I emailed the developers of pam_ldap, and they said that unfortunately there's no way to make pam_groupdn take multiple values (without hacking around in the code).

Anyone want to share how they manage groups-of-groups in LDAP without resorting to copy/paste?

Best Answer

If you're using NSS you can set the AllowGroups parameter in /etc/ssh/sshd_config. If not, you should look into dynamic lists:

dn: cn=devandqa,ou=groups,dc=company,dc=com
cn: devandqa
objectClass: groupOfNames
labeledURI: ldap:///ou=groups,dc=company,dc=com?memberUid?one?(|(cn=developers)(cn=qa))

Something like that. You also need to include the schema and include the overlay, etc. So it's a start.
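The AllowGroups route in the answer only works if NSS (e.g. nss_ldap) actually returns the LDAP groups for a user, and sshd applies DenyGroups before AllowGroups, so a user in a denied group loses even if they are also in an allowed one. The script below is an added example (not from the question or answer) that audits which users would get in under a given sshd_config; the sample config and the user-to-group mapping are constructed, and it assumes no Match blocks and no "!" negated patterns.

```python
import re

# sshd evaluates these directives in this fixed order (sshd_config(5)):
# DenyUsers, AllowUsers, DenyGroups, AllowGroups.
DIRECTIVES = ("denyusers", "allowusers", "denygroups", "allowgroups")

def parse_sshd_config(text):
    """Collect the access-control directives; values are space-separated patterns."""
    policy = {d: [] for d in DIRECTIVES}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() in policy:        # keywords are case-insensitive
            policy[parts[0].lower()].extend(parts[1:])
    return policy

def matches(name, pattern):
    """sshd-style pattern: '*' matches any run, '?' one character (negation not handled)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, name) is not None

def login_allowed(policy, user, groups):
    """True if sshd would let `user`, whose NSS group list is `groups`, log in."""
    if any(matches(user, p) for p in policy["denyusers"]):
        return False
    if policy["allowusers"] and not any(matches(user, p) for p in policy["allowusers"]):
        return False
    if any(matches(g, p) for g in groups for p in policy["denygroups"]):
        return False
    if policy["allowgroups"] and not any(matches(g, p) for g in groups for p in policy["allowgroups"]):
        return False
    return True

# Constructed sample: a box that both developers and QA need, contractors never.
SAMPLE_CONFIG = """
AllowGroups developers qa
DenyGroups contractors-*
"""
# Constructed sample of what getgrouplist() via nss_ldap would return per user.
SAMPLE_USERS = {
    "alice": ["developers"],
    "bob": ["qa", "product1"],
    "carol": ["product1"],
    "dave": ["developers", "contractors-ext"],  # denied: DenyGroups wins over AllowGroups
}

def audit(config_text=SAMPLE_CONFIG, users=SAMPLE_USERS):
    """Map each user to whether sshd would accept the login under this config."""
    policy = parse_sshd_config(config_text)
    return {user: login_allowed(policy, user, groups) for user, groups in users.items()}

if __name__ == "__main__":
    for user, ok in audit().items():
        print(f"{user}: {'allowed' if ok else 'denied'}")
```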