This discussion is archived
3 Replies. Latest reply: Nov 8, 2012 6:24 AM by Dude!

Understanding LDAP login permissions

tbrinkmann Explorer
Hi,
could someone help me dig out the question of which side I have to configure LDAP login permissions on?

First we configured the Oracle Linux to use LDAP as the login method. After that we found out that everybody that has an account in the LDAP system now has access to that server.

So do we have to configure the access groups on the LDAP server side or on the LDAP client side?

Thanks a lot
*T

Edited by: tbrinkmann on Nov 7, 2012 5:47 AM
  • 1. Re: Understanding LDAP login permissions
    Dude! Guru
    Normally, all users defined in a central LDAP directory have access to every host which authenticates against that directory. Access groups on the LDAP server are not the best way to pursue. You could allow login based on group membership on the targeted server too. However, host-based authorization allows you to restrict who can log into a specific machine that uses LDAP for authentication.

    Basically you add an attribute to each LDAP user's record that includes hostnames that they are allowed to log in to. Each client system then checks this field against its own hostname and either allows or denies login based upon the attribute field. Using the pam_check_host_attr directive to enforce host authentication has the effect that users are explicitly informed they are not permitted to access the host with an error message: Access denied for this host.

    You can find many examples searching for "LDAP host based authentication", e.g.:
    http://www.redbooks.ibm.com/abstracts/redp3863.html
    http://ldapwiki.willeke.com/wiki/PAM%20LDAP%20-%20Host%20Based%20Authorization
    https://help.ubuntu.com/community/LDAPClientAuthentication

    Edited by: Dude on Nov 7, 2012 6:58 AM
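To make the host-attribute mechanism from the reply above concrete, here is an added example (not code from the forum thread or from pam_ldap itself) that simulates what a client running pam_ldap with pam_check_host_attr does: it reads the `host` values of the user's directory entry and grants login only if one of them names this machine or is the wildcard `*`. The LDIF records, the user names and the host names are all constructed for the demonstration.

```python
"""Simulate the pam_ldap pam_check_host_attr decision on the client side.

Added example with constructed data; it is not the forum's or pam_ldap's code.
"""
import socket

# Constructed LDIF-style records. The `host` attribute is multi-valued, so a
# user may be listed for several machines; "*" means "every host".
SAMPLE_LDIF = """\
dn: uid=dbadmin,ou=People,dc=example,dc=com
uid: dbadmin
host: db01.example.com
host: db02.example.com

dn: uid=ops,ou=People,dc=example,dc=com
uid: ops
host: *

dn: uid=intern,ou=People,dc=example,dc=com
uid: intern
"""


def parse_ldif(text):
    """Return {uid: [host values]} from the minimal LDIF text above.

    This is a constructed parser that understands only `uid:` and `host:`
    lines separated by blank lines; it is not a general LDIF reader.
    """
    entries = {}
    current = {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last record
        if not line.strip():
            if "uid" in current:
                entries[current["uid"]] = current.get("host", [])
            current = {}
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "uid":
            current["uid"] = value
        elif attr == "host":
            current.setdefault("host", []).append(value)
    return entries


def host_allowed(host_values, local_hostname):
    """pam_ldap semantics: permit only if a `host` value equals this host's
    name (case-insensitively) or is the wildcard "*"; no attribute means deny."""
    return any(v == "*" or v.lower() == local_hostname.lower() for v in host_values)


def check_login(uid, local_hostname, entries=None):
    """Return (allowed, message) mirroring the outcome pam_ldap reports."""
    entries = parse_ldif(SAMPLE_LDIF) if entries is None else entries
    if uid not in entries:
        return False, "User not found in directory"
    if host_allowed(entries[uid], local_hostname):
        return True, "Access granted"
    # This is the message the reply above describes the user seeing.
    return False, "Access denied for this host"


if __name__ == "__main__":
    me = socket.getfqdn()   # the real client compares against its own FQDN
    for user in ("dbadmin", "ops", "intern"):
        print(f"{user} on {me}: {check_login(user, me)}")
```

Because the decision is taken on each client against its own hostname, the directory only has to be maintained in one place, but every user entry must carry the right `host` values; an entry with no `host` attribute is denied everywhere once the check is switched on.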
  • 2. Re: Understanding LDAP login permissions
    tbrinkmann Explorer
    Hey Dude,
    thanks for your reply.

    Our userid is not person related, it is job related. Anyway I don't like the idea of hundreds of server names configured on all the admin accounts. I would prefer the idea of a server group where all users that have access to that server are configured. Could you be so kind to explain why you think that group permissions are not a good idea?

    Thanks *T
  • 3. Re: Understanding LDAP login permissions
    Dude! Guru
    Our userid is not person related, it is job related.
    Sorry I have no idea what that means. A username is a username.
    Could you be so kind to explain why you think that group permissions are not a good idea?
    LDAP is not a replacement for users and groups of a host system. LDAP is a directory service, it's like a phonebook and does not provide any means of security other than restricting what information a user can edit. You can define access rights and groups in LDAP to specify what information a user can modify and also assign users to groups for logical structuring and notification.

    As far as I know, to manage host based login restrictions using LDAP access groups you need to create access groups on the LDAP server and assign users accordingly, then modify the AllowGroups setting of /etc/ssh/sshd_config on each host system to check for group membership to allow login, which will not result in a transparent configuration.
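For comparison with the host-attribute approach, the following added example (not from the thread or from OpenSSH) simulates the group check sshd performs when `AllowGroups` and `DenyGroups` are set in sshd_config: DenyGroups is evaluated first, then, if AllowGroups is present, the user must belong to at least one group matching a pattern. The sshd_config excerpt, the group names and the users are constructed; on a real host the group list would come from NSS (local /etc/group or posixGroup entries served from LDAP).

```python
"""Simulate sshd's AllowGroups / DenyGroups evaluation for a login attempt.

Added example with constructed data; it is not the forum's or OpenSSH's code.
"""
import fnmatch
import grp
import pwd

# Constructed sshd_config excerpt. Patterns use sshd's glob syntax (* and ?);
# fnmatch is a close approximation of sshd's own pattern matcher.
SSHD_CONFIG = """\
# only members of these groups may log in on this host
AllowGroups ssh-db01 dba-*
DenyGroups  contractors
"""


def parse_group_directives(text):
    """Return (allow_patterns, deny_patterns) from an sshd_config-style text.

    Handles the "Keyword value..." form with '#' comments; it is a constructed
    reader for this example, not a full sshd_config parser.
    """
    allow, deny = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key.lower() == "allowgroups":
            allow += rest.split()
        elif key.lower() == "denygroups":
            deny += rest.split()
    return allow, deny


def _matches(groups, patterns):
    """True if any of the user's groups matches any of the patterns."""
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)


def login_permitted(user_groups, allow, deny):
    """Apply sshd's order: DenyGroups first, then AllowGroups.

    With no directives set every user passes; with AllowGroups set a user
    who is in none of the listed groups is refused.
    """
    if deny and _matches(user_groups, deny):
        return False
    if allow and not _matches(user_groups, allow):
        return False
    return True


def local_groups(username):
    """Primary plus supplementary groups as NSS reports them on this host."""
    primary = grp.getgrgid(pwd.getpwnam(username).pw_gid).gr_name
    extra = [g.gr_name for g in grp.getgrall() if username in g.gr_mem]
    return sorted({primary, *extra})


if __name__ == "__main__":
    allow, deny = parse_group_directives(SSHD_CONFIG)
    # Constructed users and group lists, so this runs without a directory.
    sample = {
        "dbadmin": ["users", "dba-prod"],
        "intern": ["users"],
        "contractor1": ["ssh-db01", "contractors"],
    }
    for user, groups in sample.items():
        print(f"{user} {groups}: {'allowed' if login_permitted(groups, allow, deny) else 'denied'}")
```

The decision here also happens on each host, but the data it consumes is the group membership the host already resolves through NSS, which is why this variant needs a per-host group (like `ssh-db01` above) or a naming convention and a matching sshd_config line on every machine.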
