Linux Restrict Server Login via LDAP Groups

Monday, January 28, 2013

Either method below should work using RHEL 5 or RHEL 6, but only use PAM LDAP or SSSD, not both.

LDAP Server Setup

Regardless of which method below is used, the LDAP server setup is the same: simply create an LDAP group containing the specific users you want to allow to log in to the client server.

Client Server Setup with PAM LDAP

Prerequisites

It is already assumed the client server can talk to the LDAP server.

Be sure to install the following packages:

yum install nss-pam-ldapd pam_ldap

Single LDAP Group

Append the following to /etc/ldap.conf:

pam_groupdn cn=Group Name,ou=Groups,dc=example,dc=com

Multiple LDAP Groups

Unfortunately, PAM LDAP only allows authenticating against a single LDAP group. If you want to authenticate against multiple LDAP groups jump to the next section.

Client Server Setup with SSSD

Prerequisites

It is already assumed the client server can talk to the LDAP server.

Be sure to install the following package (the nss-pam-ldapd and pam_ldap packages can be removed):

yum install sssd

Single LDAP Group

Under the [domain/default] section in /etc/sssd/sssd.conf add:

access_provider = ldap
ldap_access_filter = memberOf=cn=Group Name,ou=Groups,dc=example,dc=com

Multiple LDAP Groups

The following will allow users in the LDAP groups System Administrators OR Database Users to authenticate to the client server.

Under the [domain/default] section in /etc/sssd/sssd.conf add:

access_provider = ldap
ldap_access_filter = (|(memberOf=cn=System Administrators,ou=Groups,dc=example,dc=com)(memberOf=cn=Database Users,ou=Groups,dc=example,dc=com))

The ldap_access_filter accepts standard LDAP filter syntax, so get as crazy as you want. Be sure to restart the sssd service after any changes:

service sssd restart
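To see how SSSD's access filter behaves before pushing it to a server, here is an added example (not from the original post) that evaluates the single-group and multi-group filters above against a constructed set of user entries; the users alice, bob, carol and dave and the Developers group are assumptions made for the demonstration.

```python
# Added example (not the post's own code): a small evaluator for the subset of
# LDAP filter syntax used in ldap_access_filter (equality, '&', '|', '!').
# RFC 4515 escaping and substring/presence matches are deliberately not handled.

# Constructed sample directory: the memberOf values each user would carry.
USERS = {
    "alice": {"memberOf": ["cn=System Administrators,ou=Groups,dc=example,dc=com"]},
    "bob":   {"memberOf": ["cn=Database Users,ou=Groups,dc=example,dc=com"]},
    "carol": {"memberOf": ["cn=Developers,ou=Groups,dc=example,dc=com"]},
    "dave":  {},  # no group memberships at all
}

def parse_filter(text, pos=0):
    """Parse one parenthesised component at text[pos]; return (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|!":               # compound filter: (&...), (|...), (!...)
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return (op, children), pos + 1
    end = text.index(")", pos)           # simple equality: (attr=value)
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr.strip(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry; DN values compare case-insensitively."""
    if node[0] == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    op, children = node
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)   # '!'

def allowed_users(access_filter, users=USERS):
    """Return (sorted) the users the given ldap_access_filter would admit."""
    if not access_filter.startswith("("):    # accept the bare single-group form
        access_filter = "(%s)" % access_filter
    node, end = parse_filter(access_filter)
    if end != len(access_filter):
        raise ValueError("trailing characters after filter")
    return sorted(u for u, attrs in users.items() if matches(node, attrs))
```

One point worth checking with this: a negated filter such as (!(memberOf=...)) also admits users who have no memberOf values at all (dave above), so an allow list of groups is the safer shape for an access filter than a deny list.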
