Normally, all users defined in a central LDAP directory have access to every host which authenticates against that directory. Access groups on the LDAP server are not the best way to pursue. You could allow login based on group membership on the targeted server too. However, Host based Authorization allows you to restrict who can log into a specific machine that uses LDAP for authentication.
Basically you add an attribute to each LDAP user's record that includes hostnames that they are allowed to log in to. Each client system then checks this field against its own hostname and either allows or denies login based upon the attribute field. Using the pam_check_host_attr directive to enforce host authentication has the effect that users are explicitly informed they are not permitted to access the host with an error message: Access denied for this host.
You can find many examples searching for "LDAP host based authentication", e.g.:
Edited by: Dude on Nov 7, 2012 6:58 AM
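What the pam_check_host_attr check amounts to, as an added example that is not code from this thread: a constructed LDIF with three users and a small Python model of the client-side comparison. The "*" wildcard, case-insensitive matching and "no host attribute means denied" are assumptions about pam_ldap's behaviour, not taken from the post.

```python
# Added example (not from the original thread): models the check that pam_ldap
# performs when "pam_check_host_attr yes" is set. Each user entry carries one or
# more RFC 2307 "host" values; a host matches by exact name or the "*" wildcard
# (assumed semantics). The LDIF below is constructed sample data.
import socket

SAMPLE_LDIF = """\
dn: uid=dbadmin,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: account
uid: dbadmin
host: db01.example.com
host: db02.example.com

dn: uid=backup,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: account
uid: backup
host: *

dn: uid=intern,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: intern
"""

def parse_ldif(text):
    """Minimal LDIF parser: returns {uid: [host, ...]} for each entry."""
    users = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        users[attrs["uid"][0]] = attrs.get("host", [])
    return users

def host_allowed(hosts, hostname):
    """No host value at all means denied; otherwise allow on an exact
    (case-insensitive) match or a '*' entry."""
    if not hosts:
        return False
    return any(h == "*" or h.lower() == hostname.lower() for h in hosts)

def check_login(uid, hostname, ldif=SAMPLE_LDIF):
    users = parse_ldif(ldif)
    if uid not in users:
        return "unknown user"
    return "allowed" if host_allowed(users[uid], hostname) else "Access denied for this host"

if __name__ == "__main__":
    local = socket.getfqdn()  # the client compares against its own hostname
    for uid in ("dbadmin", "backup", "intern"):
        print(uid, "@", local, "->", check_login(uid, local))
```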
Thanks for your reply.
Our userid is not person related, it is job related. Anyway, I don't like the idea of hundreds of server names configured to all the admin accounts. I would prefer the idea of a server group where all users that have access to that server are configured. Could you be so kind to explain why you think that group permissions are not a good idea?
> Our userid is not person related, it is job related.

Sorry, I have no idea what that means. A username is a username.

> Could you be so kind to explain why you think that group permissions are not a good idea?

LDAP is not a replacement for users and groups of a host system. LDAP is a directory service; it's like a phonebook and does not provide any means of security other than restricting what information a user can edit. You can define access rights and groups in LDAP to specify what information a user can modify and also assign users to groups for logical structuring and notification.
As far as I know to manage host based login restrictions using LDAP access groups you need to create access groups on the LDAP server and assign users accordingly, then modify the AllowGroups setting of /etc/ssh/sshd_config on each host system to check for group membership to allow login, which will not result in a transparent configuration.