Friday, February 1, 2013
It is possible to restrict Linux server login via LDAP by using the hostObject objectClass and host attribute.
Each LDAP user that you want to restrict login access to should have the hostObject objectClass so the host attribute becomes available to that LDAP user. Each LDAP user will have as many host attributes as there are servers that user needs access to.
Each Linux server that is being restricted access to also needs to have the pam_check_host_attr parameter set to yes in the /etc/pam_ldap.conf file.
Be aware, this solution does not scale well. If a new client server comes online, it will have to be added to every LDAP user needing access. This can of course be scripted, but a more scalable solution is to use LDAP groups.
Nevertheless, read on for setup instructions.
In our example, jbond will be the LDAP user we want to restrict access for. jbond will need access to only client servers mi5.example.com and mi6.example.com.
It is assumed the client server can already talk to the LDAP server.
The only necessary change on each client server is to add the following line to /etc/pam_ldap.conf:
pam_check_host_attr yes
At this point, local users can login normally, but LDAP users must have objectClass: hostObject and host: mi5.example.com and/or host: mi6.example.com in their LDAP user entry to gain access to either of those servers.
Log into the LDAP server and issue the following command:
ldapmodify -x -D "cn=Directory Manager" -W -S errors.txt -c
After successfully authenticating as the Directory Manager user, you will be on a blank line where the command line is waiting for input. To add the hostObject objectClass and the host attributes to LDAP user jbond, copy and paste the following into the command line:
dn: uid=jbond,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: hostObject
-
add: host
host: mi5.example.com
host: mi6.example.com
If you make a mistake type Ctrl + C to exit out of the command and no modifications will be done.
To apply the changes, type Ctrl + D to commit the changes and exit or type Enter twice. A successful modification will show modifying entry “uid=jbond,ou=People,dc=example,dc=com”.
If you need to remove a host attribute from an LDAP user, because that LDAP user is no longer allowed to access that client server, then follow the same process as the section above but copy and paste the following into the command line:
dn: uid=jbond,ou=People,dc=example,dc=com
changetype: modify
delete: host
host: mi5.example.com
If you want to remove several host attributes at once, add another host attribute line to the above content such as host: mi6.example.com.
If you no longer want any host attributes or the hostObject objectClass applied to an LDAP user, then follow the same process as the section above but copy and paste the following into the command line:
dn: uid=jbond,ou=People,dc=example,dc=com
changetype: modify
delete: host
-
delete: objectClass
objectClass: hostObject
All of the above modifications can also be done by placing the respective content in a file and running:
ldapmodify -x -D "cn=Directory Manager" -W -S errors.txt -c -f modifications.ldif
To verify any changes above were actually applied, perform an ldapsearch on the LDAP user from any client able to talk to the LDAP server:
ldapsearch -x "uid=jbond"
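The following shell script is an added example, not part of the original post. It generates the add and delete LDIF records shown above for any user and list of servers (so the "write it to a file and run ldapmodify -f" step does not depend on hand-typed LDIF), and it checks ldapsearch output for a specific host value so the verification step can be scripted instead of eyeballed. The base DN ou=People,dc=example,dc=com and the function names are assumptions taken from the post's example; the sample ldapsearch output at the bottom is constructed. One caveat when checking: the host value must match the hostname the client server reports for itself, since that is what pam_ldap compares the attribute against, and the check is only enforced when pam_ldap is in the PAM account stack.

```shell
#!/bin/sh
# Added example (not the original post's code): build ldapmodify LDIF records
# for host attributes and verify ldapsearch output. Base DN is assumed.
BASE_DN="ou=People,dc=example,dc=com"

# LDIF that adds objectClass hostObject and one host value per server given.
# Usage: add_hosts_ldif jbond mi5.example.com mi6.example.com
add_hosts_ldif() {
  uid="$1"; shift
  printf 'dn: uid=%s,%s\n' "$uid" "$BASE_DN"
  printf 'changetype: modify\n'
  printf 'add: objectClass\nobjectClass: hostObject\n-\n'
  printf 'add: host\n'
  for h in "$@"; do printf 'host: %s\n' "$h"; done
}

# LDIF that removes only the listed host values (objectClass stays).
# Usage: delete_hosts_ldif jbond mi5.example.com
delete_hosts_ldif() {
  uid="$1"; shift
  printf 'dn: uid=%s,%s\n' "$uid" "$BASE_DN"
  printf 'changetype: modify\n'
  printf 'delete: host\n'
  for h in "$@"; do printf 'host: %s\n' "$h"; done
}

# LDIF that strips every host value and the hostObject objectClass.
# Usage: delete_all_hosts_ldif jbond
delete_all_hosts_ldif() {
  printf 'dn: uid=%s,%s\n' "$1" "$BASE_DN"
  printf 'changetype: modify\n'
  printf 'delete: host\n-\n'
  printf 'delete: objectClass\nobjectClass: hostObject\n'
}

# Read ldapsearch output on stdin; exit 0 if a "host: <name>" line exactly
# matches the wanted server, 1 otherwise. Run ldapsearch with
# -o ldif-wrap=no so long attribute lines are not folded before this check.
has_host() {
  awk -v want="$1" '
    /^host: / { v = $0; sub(/^host: /, "", v); if (v == want) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed sample of what "ldapsearch -x uid=jbond" returns after the
# add record above has been applied (not real directory output).
SAMPLE_ENTRY='dn: uid=jbond,ou=People,dc=example,dc=com
uid: jbond
objectClass: hostObject
host: mi5.example.com
host: mi6.example.com'

# Typical use on the LDAP server (commented out so the script runs offline):
#   add_hosts_ldif jbond mi5.example.com mi6.example.com > modifications.ldif
#   ldapmodify -x -D "cn=Directory Manager" -W -S errors.txt -c -f modifications.ldif
#   ldapsearch -x -o ldif-wrap=no "uid=jbond" | has_host mi5.example.com && echo granted
```

The generator functions emit exactly the records the post pastes into ldapmodify, so the output can be diffed against a hand-written modifications.ldif before it is applied. The has_host check deliberately requires an exact match rather than a substring, because "host: mi5.example.com" should not be accepted as proof that "mi5.example.com.internal" is allowed.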