
I have a bit of an edge case here. My institution has a RHEL server where students can log in and do their work. Accounts are held in LDAP and the server uses PAM and LDAP to authenticate. At the end of the academic year I need to lock the student accounts on this server - i.e. preserve them intact, but prevent that user from logging in. I've tried passwd -l and usermod -L, but in both cases the user can still log in.

Is there a way of locking an account that will work with PAM LDAP?

Scott Pack
Austin
  • If I recall correctly you can lock the account inside LDAP (e.g. using gosa or phpldapadmin). –  Oct 23 '12 at 12:00
  • Thanks Eric - but I need to lock just this server. Some students will stay on for other courses, so I can't modify their LDAP account. – Austin Oct 23 '12 at 12:35

1 Answer


This can be accomplished by using group ACLs. Adding the following line to your common-auth file:

auth required    pam_access.so

Will get it set up. You can then use a group (it can be LDAP) to set an explicit deny. Invert the meaning to get an explicit allow, which may be a better choice if you're not allowed to ever delete students.

-:ALL EXCEPT root grp-retired-students:ALL EXCEPT LOCAL
sysadmin1138