Monday, 24 November 2008

Restricted access based on ldap groups

It looks quite baroque to me, as there are at least three ways of doing it:

  • delegate to ssh

  • delegate to pam

  • delegate to ldap

ssh


Using ssh is the easiest way, I think. It is enough to add to sshd_config:

# AllowGroups is the sshd_config directive that restricts logins by group
AllowGroups my_group

The downside is that it applies only to ssh. If you need to restrict other services as well, it does not help.

pam


Delegating to pam can be done with pam_listfile, pam_access, pam_time and maybe others.
Just add a line to /etc/pam.d/my_service (one line; it is wrapped here only for readability):

account required /lib/security/pam_listfile.so onerr=fail item=group sense=allow \
    file=/etc/pam.d/allowed_groups

and fill allowed_groups with the names (cn) of the allowed groups, one per line.
The downside is that this method looks more complex than the others.

ldap


Delegating to ldap took me more time to figure out. The trick is not to trigger pam_unix.
Either remove ldap from the passwd, group and shadow lines of /etc/nsswitch.conf, or remove pam_unix.so from the service's pam file. For example:

# PAM configuration for the Secure Shell service
auth required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so

then modify /etc/pam_ldap.conf:

# Group to enforce membership of
pam_groupdn cn=my_group,ou=Groups,dc=my_domain,dc=com
# Group member attribute
pam_member_attribute memberUid

(if my_group is of objectClass posixAccount) or

# Group to enforce membership of
pam_groupdn cn=my_group,ou=Groups,dc=my_domain,dc=com
# Group member attribute (groupOfUniqueNames lists member DNs, not uids)
pam_member_attribute uniqueMember

(if my_group is of objectClass groupOfUniqueNames)

The downside is that you should consider carefully whether non-ldap users (root?) should be able to access the service at all, since the check fails closed for anyone not found in ldap.
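To make the pam_groupdn / pam_member_attribute pair concrete, here is an added example (my own model, not pam_ldap's code) that runs the same membership check against a constructed in-memory directory: the group DN, the user entries and the group names are made up. It shows why the member attribute must match the group's objectClass, and how a local-only account such as root is denied because it has no ldap entry.

```python
# Added example: models the check pam_ldap performs for pam_groupdn /
# pam_member_attribute. Not pam_ldap's own code; the directory is constructed.
from typing import Dict, List, Optional

# Constructed directory: DN -> attributes (multi-valued, as LDAP returns them).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=People,dc=my_domain,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["alice"]},
    "uid=bob,ou=People,dc=my_domain,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["bob"]},
    # posixGroup: members are listed by uid in memberUid
    "cn=my_group,ou=Groups,dc=my_domain,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["my_group"],
        "memberUid": ["alice"]},
    # groupOfUniqueNames: members are listed by full DN in uniqueMember
    "cn=my_unique_group,ou=Groups,dc=my_domain,dc=com": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["my_unique_group"],
        "uniqueMember": ["uid=bob,ou=People,dc=my_domain,dc=com"]},
}


def lookup_user_dn(uid: str) -> Optional[str]:
    """Resolve a login name to its DN (search on uid); None if not in ldap."""
    for dn, attrs in DIRECTORY.items():
        if "posixAccount" in attrs.get("objectClass", []) \
                and uid in attrs.get("uid", []):
            return dn
    return None


def group_allows(uid: str, pam_groupdn: str, pam_member_attribute: str) -> bool:
    """Return True only if the user is listed in the group's member attribute.

    memberUid is compared against the login name; any other attribute
    (uniqueMember, member) is compared against the user's DN. An unknown
    group, an unknown user or a mismatched attribute denies: fail closed.
    """
    group = DIRECTORY.get(pam_groupdn)
    if group is None:
        return False
    members = group.get(pam_member_attribute, [])
    if pam_member_attribute == "memberUid":
        return uid in members
    user_dn = lookup_user_dn(uid)
    if user_dn is None:  # local-only account such as root: no ldap entry
        return False
    # DNs are case-insensitive; a simple lower-case compare suffices here
    return user_dn.lower() in (m.lower() for m in members)
```

Running group_allows with memberUid against the groupOfUniqueNames group denies everyone, which is the symptom of choosing the wrong pam_member_attribute for the group's objectClass.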
