I was hoping some PAM/LDAP gurus may be able to help me out here. I've recently set up an LDAP directory on Ubuntu Server to hold accounts for both my clients (for use with web-based systems) and staff (who will need to login via SSH.)
The LDAP authentication is working perfectly. However I cannot get the account restrictions working: staff accounts will have IDs between 2001 and 2999 and will be a member of the ssh-users group to allow them to login to servers.
The restrictions in question are in /etc/ldap.conf, and are pam_min_uid, pam_max_uid and pam_groupdn.
pam_groupdn contains the full DN to my ssh-users group. pam_min_uid = 2000 and pam_max_uid = 2999.
Now, I've managed to get them working by adding:
account [success=1 default=ignore] pam_ldap.so
above the pam_unix.so line in /etc/pam.d/common-account. However, the local Unix accounts can then NOT login: the SSH server kills the connection as soon as they try.
I've set the pam_ldap.so module to sufficient in the above file, but then the invalid users get a message saying they cannot login, but it logs them in anyway.
So, how can I set these account restrictions for LDAP users, while still allowing UNIX users to login?
As you can probably guess I'm a newbie to PAM, although I have managed to get the "automatically make home directories" module working 🙂
Many thanks,
Andy
Best Answer
PAM has the ability to restrict access based on an access control list (at least on Ubuntu) which, like kubanskamac's answer (+1) regards the groups as posix groups, whether they're stored in LDAP,
/etc/groupor NIS./etc/security/access.confis the access list file. In my file, I put at the end:This denies everyone except root, sysadmin and in the group ssh-users (which is in LDAP) wherever they login from (the second
ALL).Then in my PAM account file (this IS an account module), I add at the very end:
which tells PAM to use this file. It works a treat :-)