ldap authorization

Nigel Wade nmw at ion.le.ac.uk
Thu Oct 11 08:59:19 UTC 2007 

Troy Knabe wrote:
> I am using Kerberos for authentication and ldap for authorization.
> But I want to limit the ldap users who can login to the server to a
> specific group.
> 
> 
> 
> Anyone have any perls of wisdom on what needs to be added to the
> ldap.conf???
> 

First, you must have enabled LDAP authentication. If you don't have 
pam_ldap in the PAM stack then PAM won't use LDAP at all.

There are two mechanisms for controlling host access within LDAP. There 
is host based and group based. In host based access you specify which 
hosts a user is allowed to access in the user entry in the directory. In 
group based access you say which users are allowed to access a host in a 
host entry in the directory.

In both cases you have to enable the feature in /etc/ldap.conf for it to 
work. The default is to allow access to all users who authenticate 
against the directory. So, in every host you want to control access to 
(to allow or deny) you have to modify /etc/ldap.conf.

To enable host based access you have to set the "pam_check_host_attr" to 
  "yes" in /etc/ldap.conf. You also have to add a "host" attribute to 
each user's entry in the directory who is allowed to login to that host, 
the default is access denied. The host entry should be the FQDN of the 
host in question. The users' entries must include an objectClass which 
contains the "host" attribute, such as "account".

To enable group based access you define "pam_groupddn" and 
"pam_member_attribute" in /etc/ldap.conf. pam_groupdn is the DN of the 
entry in the directory which contains the list of users who are allowed 
access to this host. pam_member_attribute is the attribute within that 
entry which holds the users DNs. Note, the DN of the users entry in the 
directory, not the userid or any other attribute.

Note that in neither case is access controlled by POSIX groups. It is 
just an ad hoc group of users. If you want to control access by POSIX 
group I don't think you can do it using LDAP.

-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw at ion.le.ac.uk
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555

More information about the redhat-list mailing list