ThorneLabs

Linux Restrict Server Login via LDAP Groups

Updated January 10, 2019


If you are working with Linux systems and need to restrict server login via LDAP groups, read through the following post.

Either method below should work using RHEL 5 or RHEL 6, but only use PAM LDAP or SSSD, not both.

LDAP Server Setup

Regardless of which method below is used, the LDAP server setup is the same: create an LDAP group containing the specific users you want to allow to authenticate to the client server.

Client Server Setup with PAM LDAP

Prerequisites

It is already assumed the client server can talk to the LDAP server.

Be sure to install the following packages:

yum install nss-pam-ldapd pam_ldap

Single LDAP Group

Append the following to /etc/ldap.conf:

pam_groupdn cn=Group Name,ou=Groups,dc=example,dc=com

Multiple LDAP Groups

Unfortunately, PAM LDAP only allows authenticating against a single LDAP group. If you want to authenticate against multiple LDAP groups, jump to the next section.

Client Server Setup with SSSD

Prerequisites

It is already assumed the client server can talk to the LDAP server.

Be sure to install the following package (the nss-pam-ldapd and pam_ldap packages can be removed):

yum install sssd

Single LDAP Group

Open /etc/sssd/sssd.conf and add the following in the [domain/default] section:

access_provider = ldap
ldap_access_filter = memberOf=cn=Group Name,ou=Groups,dc=example,dc=com

Multiple LDAP Groups

The following will allow users in LDAP groups System Administrators or Database Users to authenticate to the client server.

Open /etc/sssd/sssd.conf and add the following in the [domain/default] section:

access_provider = ldap
ldap_access_filter = (|(memberOf=cn=System Administrators,ou=Groups,dc=example,dc=com)(memberOf=cn=Database Users,ou=Groups,dc=example,dc=com))

The ldap_access_filter accepts standard LDAP filter syntax, so get as complicated as you need to. Be sure to restart the sssd service after any changes:

service sssd restart
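As an added example (not code from the original post), the following shell script builds the ldap_access_filter value for one or more groups, as in the two SSSD sections above, and audits an sssd.conf for domain sections that leave access_provider unset or without a filter; because SSSD's default access_provider is permit, such a domain lets every LDAP user log in. The base DN and group names are the sample values used above.

```shell
#!/bin/sh
# Added example, not from the original post; base DN and group names are samples.

# build_access_filter BASE_DN GROUP... -> prints an ldap_access_filter value.
# One group gives the plain memberOf match; several are OR'ed with (|...).
build_access_filter() {
    base="$1"; shift
    if [ "$#" -eq 1 ]; then
        printf 'memberOf=cn=%s,ou=Groups,%s\n' "$1" "$base"
        return
    fi
    out='(|'
    for g in "$@"; do
        out="${out}(memberOf=cn=${g},ou=Groups,${base})"
    done
    printf '%s)\n' "$out"
}

# audit_sssd_conf FILE -> exit 0 when every [domain/...] section sets
# access_provider = ldap and a non-empty ldap_access_filter; otherwise report
# each offending section and exit 1 (a missing access_provider means permit).
audit_sssd_conf() {
    awk '
        function check() {
            if (sec ~ /^\[domain\// && (prov != "ldap" || filt == "")) {
                print "permissive: " sec " access_provider=" (prov == "" ? "permit (default)" : prov)
                bad = 1
            }
        }
        BEGIN { bad = 0 }
        /^\[/ { if (sec != "") check(); sec = $0; prov = ""; filt = "" }
        /^[ \t]*access_provider[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); prov = $0 }
        /^[ \t]*ldap_access_filter[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); filt = $0 }
        END { if (sec != "") check(); exit bad }
    ' "$1"
}

# Demo on a constructed sssd.conf fragment (sample values, not a real host).
demo_conf="$(mktemp)"
cat > "$demo_conf" <<'EOF'
[domain/default]
id_provider = ldap
access_provider = ldap
ldap_access_filter = memberOf=cn=Group Name,ou=Groups,dc=example,dc=com
EOF
build_access_filter 'dc=example,dc=com' 'System Administrators' 'Database Users'
audit_sssd_conf "$demo_conf" && echo "every domain in $demo_conf restricts access"
rm -f "$demo_conf"
```

Run the audit against /etc/sssd/sssd.conf after editing it and before restarting sssd, so a domain that silently falls back to permit is caught.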