Linux Restrict Server Login via LDAP Groups

Updated January 10, 2019


If you are working with Linux systems and need to restrict server login to members of specific LDAP groups, the two methods below do it: one with PAM LDAP, one with SSSD.

Either method works on RHEL 5 or RHEL 6 (and their derivatives), but use only PAM LDAP or only SSSD on a given host, never both: two account providers stacked in PAM make it hard to tell which one actually allowed or denied a login.

LDAP Server Setup

Regardless of which method below is used, the LDAP server setup is the same: create an LDAP group containing only the users who should be allowed to log in to the client server. Both checks compare the user's DN against the group's membership, so the group must list its members by DN (for example a groupOfNames with member values, or an Active Directory group); a posixGroup that only carries memberUid values will not satisfy either check.

Client Server Setup with PAM LDAP

Prerequisites

It is assumed the client server can already reach the LDAP server and that LDAP users can log in with their directory credentials; the steps below only add the group restriction on top of that.

Be sure to install the following packages (these are the RHEL 6 names; RHEL 5 ships the equivalent functionality in the nss_ldap package):

yum install nss-pam-ldapd pam_ldap

Single LDAP Group

Append the following to /etc/ldap.conf (on RHEL 6 the pam_ldap module reads /etc/pam_ldap.conf instead, so edit that file there). The check is only enforced if pam_ldap.so is present in the account phase of /etc/pam.d/system-auth (and password-auth on RHEL 6), which is how authconfig sets it up; local accounts in /etc/passwd are never subject to it. If the group stores members in an attribute other than uniqueMember (pam_ldap's default), also set pam_member_attribute to match, for example member for a groupOfNames.

pam_groupdn cn=Group Name,ou=Groups,dc=example,dc=com

Multiple LDAP Groups

Unfortunately, pam_groupdn takes a single group DN, so PAM LDAP cannot express "member of group A or group B". The only workaround within PAM LDAP is a single umbrella group that lists every permitted user directly (pam_ldap does not expand nested groups). If you need several groups, jump to the SSSD section below.

Client Server Setup with SSSD

Prerequisites

It is assumed the client server can already reach the LDAP server and that LDAP users can log in with their directory credentials; the steps below only add the group restriction on top of that.

Be sure to install the following package (the nss-pam-ldapd and pam_ldap packages can be removed once SSSD is in use, and authconfig --enablesssd --enablesssdauth --update switches NSS and PAM over to it):

yum install sssd

Single LDAP Group

Open /etc/sssd/sssd.conf and add the following under the [domain/default] section (use your own domain section name if it differs). This relies on the directory returning a memberOf attribute on each user entry; Active Directory does so by default, while OpenLDAP needs the memberof overlay. If the server never returns memberOf, the filter matches nobody and every LDAP login is denied, so verify the attribute is present with ldapsearch before enabling this:

access_provider = ldap
ldap_access_filter = memberOf=cn=Group Name,ou=Groups,dc=example,dc=com

Multiple LDAP Groups

The following allows users in either the System Administrators group or the Database Users group to log in to the client server.

Open /etc/sssd/sssd.conf and add the following under the [domain/default] section:

access_provider = ldap
ldap_access_filter = (|(memberOf=cn=System Administrators,ou=Groups,dc=example,dc=com)(memberOf=cn=Database Users,ou=Groups,dc=example,dc=com))

The ldap_access_filter accepts standard LDAP search filter syntax (RFC 4515), so groups can be combined with &, | and ! as needed. The filter is evaluated against the user's own entry during the PAM account phase, so every attribute it references must be one the server returns for that user; a denied user still resolves via getent passwd, because NSS lookups are not affected by the access check, and the denial is logged in /var/log/secure. Be sure to restart the sssd service after any change (sssd.conf must stay mode 0600 and owned by root, or the service refuses to start):

service sssd restart
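To see how the single-group and multi-group filters above actually decide who gets in, the following added example (not code from the original post or from SSSD) builds an ldap_access_filter value from a list of group DNs and evaluates it against a few constructed user entries, the way SSSD does against the user's own LDAP entry. It assumes the directory returns memberOf with full group DNs, and it also shows the escaping a group name containing "(" or ")" needs, which the plain filters in the post would get wrong.

```python
"""Build an SSSD ldap_access_filter and check which users it admits, offline.

Added example, not code from the original post or from SSSD. It assumes
the directory returns a memberOf attribute holding full group DNs on each
user entry; the user entries below are constructed sample data.
"""
import re

# RFC 4515: these characters must be escaped inside a filter value,
# otherwise a group name containing "(" or ")" breaks the whole filter.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value):
    """Escape a raw value (such as a group DN) for use inside a filter."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def build_access_filter(group_dns):
    """Return the ldap_access_filter value for one or more group DNs.

    A single group uses the bare memberOf=<dn> form the post shows;
    several groups are OR-ed together with (|...).
    """
    if not group_dns:
        raise ValueError('at least one group DN is required')
    terms = ['memberOf=%s' % escape_filter_value(dn) for dn in group_dns]
    if len(terms) == 1:
        return terms[0]
    return '(|' + ''.join('(%s)' % t for t in terms) + ')'


def _unescape(value):
    """Reverse RFC 4515 escaping (\\28 becomes "(", and so on)."""
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i):
    """Parse one filter component at s[i]; return (node, next offset).

    Covers the subset access filters normally use: equality, &, |, !.
    """
    if s[i] != '(':
        raise ValueError('expected "(" at offset %d' % i)
    i += 1
    op = s[i]
    if op in '&|!':
        i += 1
        children = []
        while i < len(s) and s[i] == '(':
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ')':
            raise ValueError('unterminated %s at offset %d' % (op, i))
        if op == '!' and len(children) != 1:
            raise ValueError('! takes exactly one component')
        return (op, children), i + 1
    end = s.index(')', i)       # inner ")" are escaped, so this is the closer
    attr, sep, value = s[i:end].partition('=')
    if not sep:
        raise ValueError('unsupported component %r' % s[i:end])
    return ('=', attr.strip().lower(), _unescape(value)), end + 1


def _eval(node, entry):
    """Evaluate a parsed filter against one entry (lowercase attr -> values)."""
    op = node[0]
    if op == '=':
        # DNs use distinguishedNameMatch, which is case-insensitive.
        wanted = node[2].lower()
        return any(v.lower() == wanted for v in entry.get(node[1], []))
    results = [_eval(child, entry) for child in node[1]]
    if op == '&':
        return all(results)
    if op == '|':
        return any(results)
    return not results[0]       # '!' has exactly one child


def user_allowed(access_filter, attrs):
    """True if this entry would pass ldap_access_filter in the account phase."""
    f = access_filter.strip()
    if not f.startswith('('):   # SSSD also accepts the bare attr=value form
        f = '(' + f + ')'
    node, end = _parse(f, 0)
    if end != len(f):
        raise ValueError('trailing text in filter: %r' % f[end:])
    return _eval(node, {k.lower(): v for k, v in attrs.items()})


def allowed_users(access_filter, users):
    """Return the sorted uids from users (uid -> attrs) the filter admits."""
    return sorted(uid for uid, attrs in users.items()
                  if user_allowed(access_filter, attrs))


# Constructed sample entries, as a directory would return them to SSSD.
GROUPS = 'ou=Groups,dc=example,dc=com'
SAMPLE_USERS = {
    'alice': {'uid': ['alice'], 'memberOf': ['cn=System Administrators,' + GROUPS]},
    'bob':   {'uid': ['bob'], 'memberOf': ['cn=Database Users,' + GROUPS]},
    'carol': {'uid': ['carol'], 'memberOf': ['cn=Help Desk,' + GROUPS]},
    'dave':  {'uid': ['dave']},   # no memberOf returned: must be denied
    'erin':  {'uid': ['erin'], 'memberOf': ['cn=Ops (Night),' + GROUPS]},
}

if __name__ == '__main__':
    both = build_access_filter(['cn=System Administrators,' + GROUPS,
                                'cn=Database Users,' + GROUPS])
    print('ldap_access_filter = ' + both)
    print('admitted:', allowed_users(both, SAMPLE_USERS))
```

Running it prints the exact filter line from the multi-group section and admits alice and bob only; dave, who has no memberOf at all, is denied, which is also what happens to every user when the server does not return memberOf. The escaping matters because a DN such as cn=Ops (Night),... pasted raw into ldap_access_filter would be parsed as a malformed filter; build_access_filter produces \28 and \29 in its place, and SSSD unescapes them before comparing.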


Thanks for reading and take care.