- delegate to ssh
- delegate to pam
- delegate to ldap
ssh
Using ssh is the easier way, I think. It is enough to add to sshd_config:
AllowUsers @my_group
The downside is that it applies only to ssh. If you need to control more services, it is useless.
pam
Delegating to pam can be done with pam_listfile, pam_access, pam_time and maybe others.
Just add a line to /etc/pam.d/my_service:
account required /lib/security/pam_listfile.so onerr=fail item=group sense=allow file=/etc/pam.d/allowed_groups
and fill allowed_groups with the names (cn) of the allowed groups, one per line.
The downside is that this method looks harder than others.
ldap
Delegating to ldap took me more time to figure out. The trick is not to trigger pam_unix.
Either remove ldap from /etc/nsswitch.conf passwd, group and shadow lines, or remove pam_unix.so from pam file. For example:
# PAM configuration for the Secure Shell service
auth required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so
then modify /etc/pam_ldap.conf:
# Group to enforce membership of
pam_groupdn cn=my_group,ou=Groups,dc=my_domain,dc=com
# Group member attribute
pam_member_attribute memberUid
(if my_group is of objectClass posixAccount) or
# Group to enforce membership of
pam_groupdn cn=my_group,ou=Groups,dc=my_domain,dc=com
# Group member attribute
pam_member_attribute uniqueMember
(if my_group is of objectClass groupOfUniqueNames)
The downside is that you should consider carefully whether non-ldap users (root?) should access the service.
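To make the difference between the two pam_ldap.conf variants concrete, here is an added example (not code from the original answer, and not pam_ldap's own implementation) that emulates how the pam_groupdn / pam_member_attribute check decides membership. The LDIF content, user names and group names are constructed for the example; it shows that memberUid (posixGroup) matches the bare uid while uniqueMember (groupOfUniqueNames) matches the user's full DN, so pairing a groupOfUniqueNames with memberUid silently denies everyone.

```python
"""Emulation of pam_ldap's group-membership check for the two group types
discussed above. Everything here is constructed example data, not a real
directory, and the logic is a model of the check, not pam_ldap's source."""
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed directory: two users, one posixGroup and one groupOfUniqueNames.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=my_domain,dc=com
objectClass: posixAccount
uid: alice

dn: uid=bob,ou=People,dc=my_domain,dc=com
objectClass: posixAccount
uid: bob

dn: cn=my_group,ou=Groups,dc=my_domain,dc=com
objectClass: posixGroup
cn: my_group
memberUid: alice

dn: cn=my_unique_group,ou=Groups,dc=my_domain,dc=com
objectClass: groupOfUniqueNames
cn: my_unique_group
uniqueMember: uid=bob,ou=People,dc=my_domain,dc=com
"""


def normalise_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around its RDNs so that comparisons
    behave like LDAP's case-insensitive DN matching."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value'
    lines, no continuation lines or base64 values (enough for the sample)."""
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        line = raw.strip()
        if not line:
            if current:
                entries[normalise_dn(current.pop("dn")[0])] = current
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def is_member(directory: Dict[str, Entry], group_dn: str,
              member_attribute: str, user_dn: str) -> bool:
    """Model of the account-phase check: the group named by pam_groupdn must
    list the user under pam_member_attribute. A missing group, a missing
    user or an attribute the group does not carry all result in a denial."""
    group = directory.get(normalise_dn(group_dn))
    user = directory.get(normalise_dn(user_dn))
    if group is None or user is None:
        return False
    values = group.get(member_attribute, [])
    if member_attribute.lower() == "memberuid":
        # posixGroup: memberUid holds the bare login name (uid attribute).
        listed = {v.lower() for v in values}
        return any(uid.lower() in listed for uid in user.get("uid", []))
    # groupOfUniqueNames (uniqueMember) or groupOfNames (member): full DNs.
    return normalise_dn(user_dn) in {normalise_dn(v) for v in values}


DIRECTORY = parse_ldif(SAMPLE_LDIF)
POSIX_GROUP = "cn=my_group,ou=Groups,dc=my_domain,dc=com"
UNIQUE_GROUP = "cn=my_unique_group,ou=Groups,dc=my_domain,dc=com"
ALICE = "uid=alice,ou=People,dc=my_domain,dc=com"
BOB = "uid=bob,ou=People,dc=my_domain,dc=com"

if __name__ == "__main__":
    print("alice in posixGroup via memberUid:", is_member(DIRECTORY, POSIX_GROUP, "memberUid", ALICE))
    print("bob in groupOfUniqueNames via uniqueMember:", is_member(DIRECTORY, UNIQUE_GROUP, "uniqueMember", BOB))
    # The misconfiguration: groupOfUniqueNames checked with memberUid denies everyone.
    print("bob in groupOfUniqueNames via memberUid:", is_member(DIRECTORY, UNIQUE_GROUP, "memberUid", BOB))
```

When testing a real pam_ldap setup, try the same three cases (a listed user, an unlisted user, and the wrong pam_member_attribute for the group's objectClass) before relying on the rule, since the wrong attribute fails closed and looks like a generic login failure.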