
In a nutshell, I want to authenticate users of an Ubuntu 10.04 Server against a Mac OS X Server's OpenDirectory LDAP but ONLY allow them access if they are a member of a group on the LDAP side.

Using some guides and previous experience, I am able to get the authentication part working - that part's simple:

$ sudo apt-get install libpam-ldap libnss-ldap nss-updatedb

and enter the LDAP URI, search base, etc as prompted.

At that point, I'm able to see the users / groups on the OpenDirectory LDAP server:

# getent passwd

# getent group

And I can even ssh to the box as ANY of the users.

The problem is -- I can't figure out how to restrict access to only a certain group of users (e.g. testssh)

Using this guide, I made the following changes to the /etc/ldap.conf file:

pam_groupdn cn=testssh,cn=groups,dc=myserver,dc=mycompany,dc=net

pam_member_attribute uniquemember

Hopefully someone has solved this issue and I am just missing something obvious!

mikehapner

2 Answers


Take a look at /etc/security/access.conf. Changes to this file will affect anything that uses PAM and the pam_access module, and permit you to restrict login by group membership.

You can check group membership with 'getent group <group name>'

Slartibartfast
  • Thank you VERY much -- after I uncommented a line in /etc/pam.d/sshd - account required pam_access.so -- this does let me restrict by name and I see how it's supposed to work with @netgroup -- but something must be wrong with the rest of the pam config -- because even though 'getent group' shows the user as a member of the ldap group (or even local group) they can't login, unless explicitly allowed by username. -- I'll test some more! – mikehapner Aug 01 '10 at 01:30
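The following is an added example, not code from the thread: it shows the pam_access wiring the answer above describes (the account line for sshd plus an access.conf that allows one group and denies everyone else), together with a small POSIX sh evaluator that applies access.conf rules the way pam_access does, first matching rule wins and an unmatched login is denied. The group name testssh, the rule set and the origins are constructed for the example; the evaluator treats origins as ALL or an exact token, whereas real pam_access also understands LOCAL, hostnames and networks. Group names are written in parentheses so pam_access cannot mistake them for user names, which is one thing to check when a group rule seems to be ignored.

```shell
#!/bin/sh
# Added example, not from the original thread.  Simulates how pam_access
# walks /etc/security/access.conf: first rule whose user/group field and
# origin field both match decides; nothing matching means deny.

# 1. The line to enable in /etc/pam.d/sshd (shown here only as a string):
PAM_SSHD_LINE='account required pam_access.so'

# 2. Constructed access.conf: root from the console only, members of the
#    testssh group from anywhere, everyone else denied.  "(testssh)" is the
#    parenthesised group form pam_access uses to distinguish groups from users.
ACCESS_CONF=$(mktemp)
cat > "$ACCESS_CONF" <<'EOF'
# permission : users/groups : origins
+ : root : LOCAL
+ : (testssh) : ALL
- : ALL : ALL
EOF

# access_check USER "GROUP GROUP ..." ORIGIN   -> prints "allow" or "deny"
# GROUP list stands in for what `getent group` / initgroups would return.
access_check() {
  user=$1; groups=$2; origin=$3
  while IFS= read -r line; do
    case "$line" in ''|\#*) continue ;; esac          # skip blanks and comments
    perm=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' ')
    who=$(printf '%s' "$line" | cut -d: -f2)
    from=$(printf '%s' "$line" | cut -d: -f3 | tr -d ' ')
    matched=0
    for tok in $who; do
      case "$tok" in
        ALL) matched=1 ;;
        \(*\))                                          # "(group)" token
          g=${tok#\(}; g=${g%\)}
          for ug in $groups; do [ "$ug" = "$g" ] && matched=1; done ;;
        *) [ "$tok" = "$user" ] && matched=1 ;;        # plain user name
      esac
    done
    [ "$matched" -eq 1 ] || continue
    case "$from" in ALL) ;; "$origin") ;; *) continue ;; esac
    if [ "$perm" = "+" ]; then echo allow; else echo deny; fi
    return 0
  done < "$ACCESS_CONF"
  echo deny                                             # no rule matched
}

# Usage: access_check alice "testssh staff" 10.0.0.5   -> allow
#        access_check testssh "staff" 10.0.0.5         -> deny (a USER named
#        testssh does not match the (testssh) GROUP rule)
```

Note the last usage line: without the parentheses a token such as `testssh` would also match a user called testssh, so the parenthesised form is the safer one when user and group namespaces come from the same directory. Whatever the rule set, the `- : ALL : ALL` line at the end is what turns a whitelist into an actual restriction; without it pam_access falls through to allow.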

I've no Mac but this is how I do it and I think you can do the same.

Put this in your sshd_config on the Mac:

AllowGroups testssh

It will allow only the users in the testssh LDAP group.

laurent
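An added example, not code from the answer above or from OpenSSH: a POSIX sh model of how sshd evaluates its Allow/Deny directives, which is worth knowing before relying on AllowGroups alone. sshd checks DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, in that order; a match in a Deny list refuses the login, and when an Allow list is present the user (or one of the user's groups) must match a pattern in it. Patterns are shell-style globs. The directives, user names and group names below are constructed for the example; the glob matching uses the shell's own `case`, which covers `*` and `?` but not sshd's `!` negation. AllowGroups only governs sshd, so other PAM services (su, console login, cron) are unaffected by it, unlike the pam_access rules in the first answer.

```shell
#!/bin/sh
# Added example, not from the original thread.  Models sshd's
# DenyUsers -> AllowUsers -> DenyGroups -> AllowGroups evaluation order.

# Constructed sshd_config fragment: one user denied outright, and logins
# limited to the testssh group plus any group matching ops-*.
SSHD_CONF=$(mktemp)
cat > "$SSHD_CONF" <<'EOF'
DenyUsers guest
AllowGroups testssh ops-*
EOF

# _directive KEY -> the directive's value (empty if the key is absent)
_directive() {
  awk -v k="$1" 'tolower($1)==tolower(k){ $1=""; sub(/^ /,""); print }' "$SSHD_CONF"
}

# _glob_match "PAT PAT ..." NAME -> 0 if any glob pattern matches NAME
_glob_match() {
  for pat in $1; do
    case "$2" in $pat) return 0 ;; esac
  done
  return 1
}

# sshd_allows USER "GROUP GROUP ..." -> prints "allow" or "deny"
sshd_allows() {
  user=$1; groups=$2
  deny_u=$(_directive DenyUsers);  allow_u=$(_directive AllowUsers)
  deny_g=$(_directive DenyGroups); allow_g=$(_directive AllowGroups)

  # 1. DenyUsers: any match refuses the login.
  if _glob_match "$deny_u" "$user"; then echo deny; return 0; fi
  # 2. AllowUsers: if the list exists, the user must be on it.
  if [ -n "$allow_u" ] && ! _glob_match "$allow_u" "$user"; then echo deny; return 0; fi
  # 3. DenyGroups: any of the user's groups matching refuses the login.
  for g in $groups; do
    if _glob_match "$deny_g" "$g"; then echo deny; return 0; fi
  done
  # 4. AllowGroups: if the list exists, at least one group must match.
  if [ -n "$allow_g" ]; then
    for g in $groups; do
      if _glob_match "$allow_g" "$g"; then echo allow; return 0; fi
    done
    echo deny; return 0
  fi
  echo allow                      # no Allow list configured: default permit
}

# Usage: sshd_allows alice "testssh"  -> allow
#        sshd_allows guest "testssh"  -> deny (DenyUsers wins over the group)
#        sshd_allows carol "ops-eu"   -> allow (glob ops-* matches)
```

On a real host the equivalent check is `sshd -T -C user=alice` (OpenSSH 6.x and later), which prints the effective configuration for that user; on the 10.04-era sshd in the question, `sshd -t` only validates syntax, so the model above is the quickest way to reason about precedence before touching the live daemon. The group list sshd consults is the one NSS returns for the user, the same list `getent group` reflects, so an LDAP group that is missing there will not satisfy AllowGroups either.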