Linux – Should I manage Linux Groups in LDAP on a per machine basis

Tags: ldap, linux, openldap, user-management

I am currently running an OpenLDAP server managing my Linux users as posixAccount and posixGroup elements like so:

dn: cn=shellinger,ou=groups,dc=company,dc=com
cn: shellinger
gidNumber: 5001
objectClass: posixGroup
objectClass: top

dn: cn=shellinger,ou=people,dc=company,dc=com
cn: Simon Hellinger
uid: shellinger
uidNumber: 5001
gidNumber: 5001
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
...

Right now, aside from primary groups, Linux group membership is managed locally on each machine. This works, but I think it defeats the purpose of centralized user management.

What I think I want is to assign my users different sets of groups depending on which machine they log on to. Generally my users have useful business on all my machines, so I believe log-in restrictions (based on the host or a certain group) are too coarse-grained for my use case. I want to restrict what they can do on each machine, not whether they can log in at all; and in my mindset that translates to which Linux groups they are in.

Also, these groups (and as such, permissions) can be vastly different for each user on each machine; a person with superuser permissions on one machine can be a regular user on the next.

In layman's terms this sounds like role-based group assignment, but after throwing my whole LDAP vocabulary at Google and Server Fault I still can't seem to get my head around this.

Summing it up, the questions are: Is my use case valid? Am I going about this the right way? Should I manage Linux groups in LDAP at all?

Best Answer

In general, group membership should be managed centrally, just like users.

However, when you talk about users needing superuser permissions, it makes me think that you're managing wheel for su on each machine separately. This is acceptable, but a bit tedious, especially if you have multiple servers that should all behave the same way.

You could change the group used by pam_wheel or have multiple pam_wheel entries (with different options each time) in /etc/pam.d/su, but a better alternative is to use sudo and integrate that with your LDAP. Sudo will give you finer-grained control per server, and LDAP will distribute it appropriately.

Some distributions separate sudo and sudo-ldap.
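To make the sudo-plus-LDAP suggestion concrete, here is an added example (not code from the question or the answer) showing how per-host privileges look as sudoRole entries next to the existing posixGroup entries, and how a client resolves them for a given user on a given host. sudoRole, sudoUser, sudoHost, sudoCommand and sudoRunAsUser are the attributes of the standard sudoers LDAP schema that sudo-ldap expects under the `sudoers_base` configured in its ldap.conf; the `ou=sudoers` container, the `dba` group, the hostnames and both sudoRole entries are constructed sample data, and the matching logic is a simplified model of sudo's own (no netgroups, no negated commands, no sudoOrder).

```python
"""Per-host sudo privileges stored in LDAP (sudoRole entries), resolved
against posixGroup membership from the same directory.

Added illustration; the directory contents below are constructed sample
data modelled on the question's dc=company,dc=com tree.
"""
from fnmatch import fnmatchcase

# Constructed sample directory. The shellinger user/group entries mirror the
# question; the dba group, ou=sudoers and both sudoRole entries are invented.
SAMPLE_LDIF = """\
dn: cn=shellinger,ou=groups,dc=company,dc=com
cn: shellinger
gidNumber: 5001
objectClass: posixGroup

dn: cn=shellinger,ou=people,dc=company,dc=com
cn: Simon Hellinger
uid: shellinger
uidNumber: 5001
gidNumber: 5001
objectClass: posixAccount

dn: cn=dba,ou=groups,dc=company,dc=com
cn: dba
gidNumber: 6001
objectClass: posixGroup
memberUid: shellinger

dn: cn=db-admins,ou=sudoers,dc=company,dc=com
objectClass: sudoRole
cn: db-admins
sudoUser: %dba
sudoHost: db*.company.com
sudoRunAsUser: postgres
sudoCommand: ALL

dn: cn=web-restart,ou=sudoers,dc=company,dc=com
objectClass: sudoRole
cn: web-restart
sudoUser: shellinger
sudoHost: web01.company.com
sudoRunAsUser: root
sudoCommand: /usr/bin/systemctl restart nginx
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, every attribute multi-valued."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries


def groups_of(entries, uid):
    """Primary group (via the account's gidNumber) plus memberUid groups."""
    primary_gids = {
        gid
        for e in entries
        if "posixAccount" in e.get("objectClass", []) and uid in e.get("uid", [])
        for gid in e.get("gidNumber", [])
    }
    return {
        e["cn"][0]
        for e in entries
        if "posixGroup" in e.get("objectClass", [])
        and (uid in e.get("memberUid", [])
             or any(g in primary_gids for g in e.get("gidNumber", [])))
    }


def user_matches(spec, uid, groups):
    """sudoUser: ALL, %group, or a plain user name."""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in groups
    return spec == uid


def host_matches(spec, host):
    """sudoHost: ALL or a (possibly wildcarded) host name."""
    return spec == "ALL" or fnmatchcase(host, spec)


def effective_sudo(entries, uid, host):
    """Return sorted (role cn, run-as user, command) tuples that apply to
    uid on host. A missing sudoRunAsUser is treated as root, sudo's
    runas_default (assumption for this model)."""
    groups = groups_of(entries, uid)
    rules = []
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []):
            continue
        if not any(user_matches(s, uid, groups) for s in e.get("sudoUser", [])):
            continue
        if not any(host_matches(s, host) for s in e.get("sudoHost", [])):
            continue
        for runas in e.get("sudoRunAsUser", ["root"]):
            for cmd in e.get("sudoCommand", []):
                rules.append((e["cn"][0], runas, cmd))
    return sorted(rules)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for host in ("db02.company.com", "web01.company.com", "build01.company.com"):
        print(host, effective_sudo(directory, "shellinger", host))
```

The same user ends up with postgres-level rights on every `db*` host, a single root command on `web01`, and nothing on `build01`, all from one directory and with no per-machine group edits; with `sudo-ldap` installed and `sudoers_base` pointed at `ou=sudoers`, each server evaluates only the roles whose sudoHost matches its own name.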