3 Replies Latest reply: Nov 8, 2012 8:24 AM by Catch_22

    Understanding LDAP login permissions

    tbrinkmann
      Hi,
      Could someone help me dig out the question of which side I have to configure LDAP login permissions on?

      First we configured the Oracle Linux to use LDAP as the login method. After that we found out that everybody who has an account in the LDAP system now has access to that server.

      So do we have to configure the access groups on the LDAP server side or on the LDAP client side?

      Thanks a lot
      *T

      Edited by: tbrinkmann on Nov 7, 2012 5:47 AM
        • 1. Re: Understanding LDAP login permissions
          Catch_22
          Normally, all users defined in a central LDAP directory have access to every host which authenticates against that directory. Access groups on the LDAP server are not the best way to pursue. You could allow login based on group membership on the targeted server too. However, Host based Authorization allows you to restrict who can log into a specific machine that uses LDAP for authentication.

          Basically you add an attribute to each LDAP user's record that includes hostnames that they are allowed to log in to. Each client system then checks this field against its own hostname and either allows or denies login based upon the attribute field. Using the pam_check_host_attr directive to enforce host authentication has the effect that users are explicitly informed they are not permitted to access the host with an error message: Access denied for this host.

          You can find many examples searching for "LDAP host based authentication", e.g.:
          http://www.redbooks.ibm.com/abstracts/redp3863.html
          http://ldapwiki.willeke.com/wiki/PAM%20LDAP%20-%20Host%20Based%20Authorization
          https://help.ubuntu.com/community/LDAPClientAuthentication

          Edited by: Dude on Nov 7, 2012 6:58 AM
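An added example, not part of the thread, modelling the client-side check described above: a user record in the directory carries one or more host attribute values, and the PAM module on each client compares them with its own hostname. The matching rules (case-insensitive hostname match, "*" as a wildcard, no attribute means no access) are my assumptions about pam_ldap's behaviour under pam_check_host_attr; the LDIF records are constructed sample data.

```python
# Added example: a model of the client-side check pam_ldap performs when
# "pam_check_host_attr yes" is set (modelled on pam_ldap's documented
# behaviour, not its source).  The LDIF below is constructed sample data.
import socket

SAMPLE_LDIF = """\
dn: uid=dbadmin,ou=People,dc=example,dc=com
uid: dbadmin
host: db01.example.com
host: db02.example.com

dn: uid=backup,ou=People,dc=example,dc=com
uid: backup
host: *

dn: uid=intern,ou=People,dc=example,dc=com
uid: intern
"""

def parse_ldif(text):
    """Map uid -> list of 'host' values; handles only the simple,
    blank-line separated LDIF above (no folding, no base64)."""
    users = {}
    for record in text.strip().split("\n\n"):
        uid, hosts = None, []
        for line in record.splitlines():
            key, _, value = line.partition(": ")
            if key == "uid":
                uid = value
            elif key == "host":
                hosts.append(value)
        if uid:
            users[uid] = hosts
    return users

def host_allowed(hosts, hostname):
    """Grant only if a 'host' value equals this machine's name
    (case-insensitive) or is the wildcard '*'.  An entry with no
    'host' attribute is therefore denied on every host."""
    return any(h == "*" or h.lower() == hostname.lower() for h in hosts)

def check_login(uid, hostname=None, ldif=SAMPLE_LDIF):
    """Return (allowed, message) the way the PAM module reports it."""
    hostname = hostname or socket.getfqdn()
    hosts = parse_ldif(ldif).get(uid)
    if hosts is None:
        return False, "Unknown user"
    if host_allowed(hosts, hostname):
        return True, "OK"
    return False, "Access denied for this host"
```

The point the reply makes shows up in the last case: an account that was never given a host attribute is locked out of every client as soon as the check is enabled, so the attribute has to be maintained for every account that should keep working.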
          • 2. Re: Understanding LDAP login permissions
            tbrinkmann
            Hey Dude,
            thanks for your reply.

            Our userid is not person-related, it is job-related. Anyway, I don't like the idea of hundreds of server names configured on all the admin accounts. I would prefer the idea of a server group where all users that have access to that server are configured. Could you be so kind as to explain why you think that group permissions are not a good idea?

            Thanks *T
            • 3. Re: Understanding LDAP login permissions
              Catch_22
              Our userid is not person-related, it is job-related.
              Sorry I have no idea what that means. A username is a username.
              Could you be so kind as to explain why you think that group permissions are not a good idea?
              LDAP is not a replacement for users and groups of a host system. LDAP is a directory service; it's like a phonebook and does not provide any means of security other than restricting what information a user can edit. You can define access rights and groups in LDAP to specify what information a user can modify, and also assign users to groups for logical structuring and notification.

              As far as I know, to manage host based login restrictions using LDAP access groups you need to create access groups on the LDAP server and assign users accordingly, then modify the AllowGroups setting of /etc/ssh/sshd_config on each host system to check for group membership to allow login, which will not result in a transparent configuration.