Linux – Ubuntu 10.04: Restrict LDAP Access by Group (OpenDirectory on Mac OS X Server)

authenticationlinuxmac-osx-serveropendirectoryubuntu-10.04

In a nutshell, I want to authenticate users of a Ubuntu 10.04 Server against a Mac OS X Server's OpenDirectory LDAP but ONLY allow them access if they are a member of a group on the LDAP side.

Using some guides and previous experience, I am able to get it to get the authentication part working – that part's simple:

$ sudo apt-get install libpam-ldap libnss-ldap nss-updatedb

and enter the LDAP URI, search base, etc as prompted.

At that point, I'm able to see the users / groups on the OpenDirectory LDAP server

# getent passwd

# getent group

And I can even ssh to the box as ANY of the users

The problem is — I can't figure out how to restrict access to only a certain group of users (e.g. testssh)

Using this guide, I made the following changes to the /etc/ldap.conf file:

pam_groupdn cn=testssh,cn=groups,dc=myserver,dc=mycompany,dc=net

pam_member_attribute uniquemember

Hopefully someone has solved this issue and I am just missing something obvious!

Best Answer

Take a look at /etc/security/access.conf. Changes to this file will affect anything that uses pam and the pam_access module, and permits you to restrict login by group membership.

You can check group membership with 'getent group <group name>'

Related Solutions

Ldap – FreeBSD LDAP authentication, pam_ldap, can’t bind

Here's how LDAP authentication works, in a nutshell:

You SSH in as joeblow. Your client gives that name to the server, along with your password (that you enter).
The server starts walking the PAM list saying "does anyone vouch for this guy?", looking for either an OK or a NO. (PAM modules can deny as well as allow). In your case:
1. It checks pam_opie.so. You've said this is sufficient, so it will just move on if it isn't found. I imagine it's not in this case.
2. It checks pam_opieaccess.so. In this case, it's required, so pam_opieaccess.so has to say "yeah, he's ok". I imagine this module is just checking a list of accounts that are marked "has to auth via OPIE", which joeblow isn't on. It says OK.
3. /usr/local/lib/pam_ldap.so gets a turn. This is the part you care about.
  1. First it binds to the server with your binddn and bindpw, to ask "hey, I've got this joeblow here, what's his real name?" The server answers uid=joeblow,ou=Users,dc=corp,dc=example,dc=org.
  2. pam_ldap.so disconnects, and tries to bind as uid=joeblow,ou=Users,dc=corp,dc=example,dc=org with the password you gave. If it can bind, you're in. If not, not.

So the error you're getting means that step 2.3.2 there is failing, probably because the password is incorrect. It's possible that there is some other problem with joeblow binding to the server, check the LDAP server logs for more details.

Migrate openldap users and groups

LDAP users will not be present in /etc/passwd. In a Unix system, /etc/passwd is only one of a number of places it can look for directory information, including users and groups. Where it looks is controlled by /etc/nsswitch.conf.

To see if you actually have successfully imported your users in a way Ubuntu understands, use the getent command to retrieve the current list of accounts:

getent passwd

If your LDAP directory has been correctly enabled, you will see a full list of all the users, formatted like a passwd file.

If that doesn't work, I'm afraid I can't help as I'm not familiar with webmin. Ubuntu 10.04 does make it pretty simple to enable LDAP auth from the command line, though, using auth-client-config:

https://wiki.ubuntu.com/AuthClientConfig

Best Answer

Related Solutions

Ldap – FreeBSD LDAP authentication, pam_ldap, can’t bind

Migrate openldap users and groups

Related Topic