Linux Restrict Server Login via LDAP hostObject objectClass and host Attribute

Friday, February 1, 2013

It is possible to restrict Linux server login via LDAP by using the hostObject objectClass and host attribute.

Each LDAP user whose login you want to restrict needs the hostObject objectClass, which makes the host attribute available on that user's entry. The user then carries one host attribute per server the user needs access to.

Each Linux server on which access is being restricted also needs the pam_check_host_attr parameter set to yes in the /etc/pam_ldap.conf file.

Be aware, this solution does not scale well. If a new client server comes online, it will have to be added to every LDAP user needing access. This can of course be scripted, but a more scalable solution is to use LDAP groups.

Nevertheless, read on for setup instructions.

In our example, jbond will be the LDAP user we want to restrict access for. jbond will need access to only client servers mi5.example.com and mi6.example.com.

Client Server Setup

It is assumed the client server can already talk to the LDAP server.

The only necessary change on each client server is to add the following to /etc/pam_ldap.conf:

pam_check_host_attr yes

At this point, local users can log in normally, but LDAP users must have objectClass: hostObject and host: mi5.example.com and/or host: mi6.example.com in their LDAP user entry to gain access to either of those servers.

LDAP Server Setup

Add hostObject objectClass and host Attribute(s) to LDAP User

Log into the LDAP server and issue the following command:

ldapmodify -x -D "cn=Directory Manager" -W -S errors.txt -c

After successfully authenticating as the Directory Manager user, you will be on a blank line where the command line is waiting for input. To add the hostObject objectClass and the host attributes to LDAP user jbond, copy and paste the following into the command line:

dn: uid=jbond,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: hostObject
-
add: host
host: mi5.example.com
host: mi6.example.com

If you make a mistake, type Ctrl + C to exit out of the command and no modifications will be done.

To apply the changes, type Ctrl + D to commit the changes and exit or type Enter twice. A successful modification will show modifying entry “uid=jbond,ou=People,dc=example,dc=com”.

Remove host Attribute(s) from LDAP User

If you need to remove a host attribute from an LDAP user, because that LDAP user is no longer allowed to access that client server, then follow the same process as the section above but copy and paste the following into the command line:

dn: uid=jbond,ou=People,dc=example,dc=com
changetype: modify
delete: host
host: mi5.example.com

If you want to remove several host attributes at once, add another host attribute line to the above content such as host: mi6.example.com.

Remove hostObject objectClass from LDAP User

If you no longer want any host attributes or the hostObject objectClass applied to an LDAP user, then follow the same process as the section above but copy and paste the following into the command line:

dn: uid=jbond,ou=People,dc=example,dc=com
changetype: modify
delete: host
-
delete: objectClass
objectClass: hostObject

ldapmodify via a File

All of the above modifications can also be done by placing the respective content in a file and running:

ldapmodify -x -D "cn=Directory Manager" -W -S errors.txt -c -f modifications.ldif
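The post notes above that adding a new client server means touching every LDAP user, and that this can be scripted. The following script is an added example (not part of the original post) that builds the modification LDIF for the file-based ldapmodify shown above. It assumes the same DIT layout as the post (uid=<user>,ou=People,dc=example,dc=com); the BASE_DN variable and both function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Builds ldapmodify LDIF that grants a user the hostObject objectClass plus one
# host attribute per server, or adds one new server to many users at once.
# Assumption: users live under uid=<user>,ou=People,dc=example,dc=com as in the post.

BASE_DN="ou=People,dc=example,dc=com"   # assumed base DN; adjust to your directory

# gen_host_ldif USER HOST [HOST...]  -> prints the modify LDIF on stdout.
# Use this for a user that does not yet carry the hostObject objectClass.
gen_host_ldif() {
  user="$1"; shift
  [ "$#" -ge 1 ] || { echo "gen_host_ldif: at least one host required" >&2; return 1; }
  printf 'dn: uid=%s,%s\n' "$user" "$BASE_DN"
  printf 'changetype: modify\n'
  printf 'add: objectClass\n'
  printf 'objectClass: hostObject\n'
  printf -- '-\n'                       # separates the two modify operations
  printf 'add: host\n'
  for h in "$@"; do
    printf 'host: %s\n' "$h"
  done
}

# gen_new_server_ldif HOST USER [USER...] -> one LDIF with a record per user,
# for the "new client server comes online" case. Assumes every listed user
# already has the hostObject objectClass (otherwise use gen_host_ldif).
gen_new_server_ldif() {
  host="$1"; shift
  for u in "$@"; do
    printf 'dn: uid=%s,%s\n' "$u" "$BASE_DN"
    printf 'changetype: modify\n'
    printf 'add: host\n'
    printf 'host: %s\n' "$host"
    printf '\n'                         # blank line separates records in an LDIF file
  done
}

# Usage (commented out so the script runs without a directory server):
# gen_host_ldif jbond mi5.example.com mi6.example.com > modifications.ldif
# gen_new_server_ldif mi7.example.com jbond mmoneypenny > new-server.ldif
# ldapmodify -x -D "cn=Directory Manager" -W -S errors.txt -c -f modifications.ldif
```

Because the post's ldapmodify invocation uses -c, a record that fails (for example, a user that already has hostObject, which makes the add of objectClass a duplicate) is written to errors.txt while the remaining records are still applied, so check that file after every bulk run.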

View the LDAP User

To verify any changes above were actually applied, perform an ldapsearch on the LDAP user from any client able to talk to the LDAP server:

ldapsearch -x "uid=jbond"
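To turn that ldapsearch output into a yes/no answer, here is an added example (not part of the original post) that applies the rule stated in the Client Server Setup section: the entry must carry objectClass: hostObject and a host value equal to the server's name. The sample entry is constructed for the example and is not real ldapsearch output; the function names are this example's own, and the comparison against the server's fully qualified name is an assumption based on the FQDNs the post uses.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Checks an LDAP entry (as LDIF text) against the pam_check_host_attr rule:
# allowed only if objectClass hostObject is present and a host attribute
# equals the server name. Matching is case-insensitive, as hostnames are.

# Constructed sample entry, modelled on what `ldapsearch -x "uid=jbond"` prints.
SAMPLE_ENTRY='dn: uid=jbond,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: hostObject
uid: jbond
host: mi5.example.com
host: mi6.example.com'

# host_allowed ENTRY_LDIF HOSTNAME -> exit status 0 if allowed, 1 if not
host_allowed() {
  entry="$1"; target="$2"
  # Without the hostObject objectClass the host attribute cannot exist: deny.
  printf '%s\n' "$entry" | grep -Fqix 'objectClass: hostObject' || return 1
  # Whole-line, fixed-string match so "mi5.example.com" does not match
  # "mi5.example.com.evil" or "xmi5.example.com".
  printf '%s\n' "$entry" | grep -Fqix "host: $target"
}

# list_hosts ENTRY_LDIF -> prints the host values, one per line
list_hosts() {
  printf '%s\n' "$1" | sed -n 's/^host: //p'
}

# Live usage on a client server (commented out so this runs offline). The -LLL
# flag makes ldapsearch print plain LDIF without comments or version lines.
# host_allowed "$(ldapsearch -x -LLL "uid=jbond")" "$(hostname -f)" && echo allowed
```

Two caveats for live use: ldapsearch folds lines longer than 76 characters onto a continuation line beginning with a space, so very long host values need unfolding before the whole-line match; and the check only mirrors the directory side, so it cannot tell you whether pam_check_host_attr is actually enabled on the client.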
