It is possible to restrict Linux server login via LDAP by using the hostObject objectClass and host attribute.
Each LDAP user whose login access you want to restrict needs the hostObject objectClass, which makes the host attribute available on that user's entry. Each LDAP user will have as many host attributes as there are servers that user needs access to.
Each Linux server whose access is being restricted also needs the pam_check_host_attr parameter set to yes in its /etc/pam_ldap.conf file.
Take note: this solution does not scale well. If a new client server comes online, it will have to be added to every LDAP user needing access. This can of course be scripted, but a more scalable solution is to use LDAP groups.
Nevertheless, continue reading for setup instructions.
In this example, jbond will be the LDAP user we want to restrict access for. jbond will only need access to client servers mi5.example.com and mi6.example.com.
Client Server Setup
It is assumed the client server can already talk to the LDAP server.
The only necessary change on each client server is to add the following to /etc/pam_ldap.conf:
pam_check_host_attr yes
At this point, local users can log in normally, but LDAP users must have objectClass: hostObject and host: mi5.example.com and/or host: mi6.example.com in their LDAP user entry to gain access to either of those servers.
LDAP Server Setup
Add hostObject objectClass and host Attribute(s) to LDAP User
Log in to the LDAP server and issue the following command:
ldapmodify -x -D "cn=Directory Manager" -W -S errors.txt -c
After successfully authenticating as the Directory Manager user, you will be on a blank line where ldapmodify is waiting for input. To add the hostObject objectClass and the host attributes to LDAP user jbond, copy and paste the following into the command line:
dn: uid=jbond,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: hostObject
-
add: host
host: mi5.example.com
host: mi6.example.com
If you make a mistake, press Ctrl + C to exit the command; no modifications will be made.
To apply the changes, press Ctrl + D to commit the changes and exit, or press Enter twice. A successful modification prints modifying entry "uid=jbond,ou=People,dc=example,dc=com".
Remove host Attribute(s) from LDAP User
If you need to remove a host attribute from an LDAP user because that user is no longer allowed to access that client server, follow the same process as in the section above, but copy and paste the following into the command line:
dn: uid=jbond,ou=People,dc=example,dc=com
changetype: modify
delete: host
host: mi5.example.com
If you want to remove several host attributes at once, add another host line to the content above, such as host: mi6.example.com.
Remove hostObject objectClass from LDAP User
If you no longer want any host attributes or the hostObject objectClass applied to an LDAP user, follow the same process as in the section above, but copy and paste the following into the command line:
dn: uid=jbond,ou=People,dc=example,dc=com
changetype: modify
delete: host
-
delete: objectClass
objectClass: hostObject
ldapmodify via a File
All of the above modifications can also be done by placing the respective content in a file and running:
ldapmodify -x -D "cn=Directory Manager" -W -S errors.txt -c -f modifications.ldif
View the LDAP User
To verify that the changes above were actually applied, perform an ldapsearch for the LDAP user from any client that can talk to the LDAP server:
ldapsearch -x "uid=jbond"
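The "this can be scripted" caveat above, the file-based ldapmodify and the ldapsearch check all come together in the following added example (not code from the original article). It parses the user's ldapsearch output, compares the current host values against the list of servers the user should reach, and writes a modifications.ldif record that adds hostObject before the first host value and removes it only after the last one, so the directory never rejects the change with an objectClass violation. The sample entry and the server name mi7.example.com are constructed.

```python
# Constructed sample of what `ldapsearch -x "uid=jbond"` prints for the user.
SAMPLE_ENTRY = """\
dn: uid=jbond,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: hostObject
host: mi5.example.com
host: mi6.example.com
"""
DN = "uid=jbond,ou=People,dc=example,dc=com"

def parse_entry(ldif_text):
    """Return (has_hostobject, [host values]) from one LDIF entry.
    Assumes plain values: no base64 '::' or folded continuation lines."""
    has_oc, hosts = False, []
    for line in ldif_text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "objectclass" and value.lower() == "hostobject":
            has_oc = True
        elif attr == "host":
            hosts.append(value)
    return has_oc, hosts

def reconcile_hosts_ldif(dn, current_hosts, desired_hosts, has_oc):
    """Build one 'changetype: modify' LDIF record (or "" when nothing changes).
    Host names are compared and written in lower case (DNS is case-insensitive);
    hostObject is added before the first host and deleted only after the last."""
    current = {h.lower() for h in current_hosts}
    desired = {h.lower() for h in desired_hosts}
    to_add, to_del = sorted(desired - current), sorted(current - desired)
    changes = []                      # one list of LDIF lines per change
    if desired and not has_oc:
        changes.append(["add: objectClass", "objectClass: hostObject"])
    if to_add:
        changes.append(["add: host"] + [f"host: {h}" for h in to_add])
    if to_del and not desired:
        changes.append(["delete: host"])  # no value given => drop every host
    elif to_del:
        changes.append(["delete: host"] + [f"host: {h}" for h in to_del])
    if not desired and has_oc:
        changes.append(["delete: objectClass", "objectClass: hostObject"])
    if not changes:
        return ""
    lines = [f"dn: {dn}", "changetype: modify"]
    for i, change in enumerate(changes):
        lines += (["-"] if i else []) + change   # "-" separates the changes
    return "\n".join(lines) + "\n"
```

Write the returned text to modifications.ldif and run the ldapmodify -f command from the section above; a user whose desired list is empty ends up with neither host values nor hostObject and, on a client with pam_check_host_attr yes, is denied at the next login.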