I would really like to figure out how I can allow users and/or groups access to certain client machines that are all connected to an OpenLDAP server. I would like to do this whether the user is sitting right in front of the client machine itself or whether he/she is SSHed into it. One last thing: I would like to be able to manage this all from the OpenLDAP server rather than the client, if that is possible.

Thanks, Alex

Alex Lowe

2 Answers


I don't think you'll be able to do this without changing client configs. However, after the client computers are all set up, you'll be able to manage this from the LDAP server.

One way to achieve this is:

  1. Write an access_ldap.conf file which contains this, and put it in /etc/security:

    +:root:ALL
    -:ALL EXCEPT (the_group_that_has_access):ALL
    

    There is an access.conf file in /etc/security/ but that is usually included in some system rulesets in /etc/pam.d, so it is more difficult to edit that, since you have to ensure that system daemons can "login", thus, you can't lock out everyone but a single group without writing rules for system users. Having a separate file is less hassle.

    Note that the parentheses around the group name indicate that the name is in fact a group name (pam_access.so looks for a group if it can't find the user, and because of this, the parentheses might be called superfluous, but this is the "proper" way to refer to groups).

    Also, the first line grants access to root in any case. You may want to add other users/groups as well, for anyone not listed in this file will be locked out by the second line.

  2. You want login and ssh to favor this new config, but other services should work as they used to. In order to achieve this, edit the login and sshd files in /etc/pam.d to contain this line:

    account  required     pam_access.so accessfile=/etc/security/access_ldap.conf
    

This way, only members of the given group will be able to access the computer via ssh or login. The group membership, and thus, access to the computers, can be managed in LDAP.

Lacek
  • Can't I also use some attribute that is built into openLDAP? – Alex Lowe May 27 '16 at 11:04
  • Not in the access.conf file. However, the `pam_ldap.so` config (`/etc/pam_ldap.conf`) has a `pam_filter` attribute, which is ANDed with "uid=whatever" when doing LDAP lookups on authentication. If you want this based upon a certain LDAP attribute, then all you need is to change that one file. – Lacek May 27 '16 at 11:12
  • Is that like the netgroup setup for nss? – Alex Lowe May 27 '16 at 11:15
  • Not really. Editing the `pam_ldap.conf` file this way simply adds a filter to user lookups, so users who don't have that specific attribute set to the right value won't even show up for the authentication process, and thus, for authentication purposes, the system will act as if the user didn't exist. For actions not needing authentication, the user will exist, so you'll be able to see the user with the `id` command, but won't be able to change its password. – Lacek May 27 '16 at 11:37
  • I don't really understand this last question. You can control group memberships, and thus, access rights on the OpenLDAP server if you use the approach written in the answer. If you want to use the attribute filtering, then you will be able to control the attribute on the LDAP server. However, in either way, changing _some_ client configs is inevitable. – Lacek May 27 '16 at 11:43
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/40379/discussion-between-lacek-and-alex). – Lacek May 27 '16 at 11:44
  • First question if I wanted to use `pam_filter` from the `pam_ldap.so` where would the configuration file to that be because `/etc/pam_ldap.conf` was empty? Second question what would be an example of how to use the `pam_filter` attribute? – Alex Lowe Jun 15 '16 at 22:22
  • On Red Hat, the config file is called `/etc/ldap.conf`. `pam_filter` can take any LDAP search string as value. This will be ANDed with `(uid=)`. For example, to prevent login for everyone who hasn't got bash as login shell: `!(loginShell=/bin/bash)` – Lacek Jun 17 '16 at 12:49
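Before rolling a file like access_ldap.conf out to every client, it is worth checking on paper who it locks out: the answer warns that the second line denies everyone not listed, including system accounts if the file were wired into the wrong PAM service. The following is an added example, not code from the answer or from pam_access itself. It is a small evaluator that mimics the first-match semantics of pam_access.so (`permission:users:origins`, `+` grants, `-` denies, `ALL`, `EXCEPT`, and the parenthesized group notation) so you can dry-run a rule set against sample users. The group name `ldap-admins` and the sample users are constructed; the `LOCAL` origin handling is an approximation of the real module and netgroups (`@name`) are not modelled.

```python
"""Dry-run evaluator for pam_access-style rule files (constructed example).

Semantics mirrored from pam_access.so: one rule per line in the form
"permission:users:origins"; the first rule whose users AND origins fields
match decides; '+' grants, '-' denies; if nothing matches, access is granted.
Assumptions: no netgroup (@name) support, and LOCAL is approximated as
"origin contains no dot".
"""
from dataclasses import dataclass

# Constructed sample: the same two rules the answer puts in access_ldap.conf,
# with a placeholder group name standing in for "the_group_that_has_access".
SAMPLE_RULES = """\
# who may log in via login/sshd on LDAP-joined clients
+:root:ALL
-:ALL EXCEPT (ldap-admins):ALL
"""


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset  # group names the account belongs to (from LDAP/NSS)
    origin: str = "LOCAL"  # tty, hostname or IP the login comes from


def parse_rules(text):
    """Parse rule text into (allow, users, origins, lineno) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        perm, users, origins = parts
        rules.append((perm == "+", users.split(), origins.split(), lineno))
    return rules


def _user_item_matches(item, p):
    # "(name)" is explicitly a group; a bare name is tried as a user first,
    # then as a group, which is why the parentheses are the unambiguous form.
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return item[1:-1] in p.groups
    return item == p.user or item in p.groups


def _origin_item_matches(item, p):
    if item == "ALL":
        return True
    if item == "LOCAL":
        return "." not in p.origin  # approximation of pam_access' LOCAL
    return item == p.origin


def _list_matches(items, match):
    # "a b" matches if any item matches; "a b EXCEPT c d" matches if the
    # base list matches and none of the exceptions do.
    if "EXCEPT" in items:
        idx = items.index("EXCEPT")
        return _list_matches(items[:idx], match) and not _list_matches(items[idx + 1:], match)
    return any(match(i) for i in items)


def evaluate(rules, p):
    """Return (granted, lineno) for the first matching rule, or (True, None)."""
    for allow, users, origins, lineno in rules:
        if _list_matches(users, lambda i: _user_item_matches(i, p)) and \
           _list_matches(origins, lambda o: _origin_item_matches(o, p)):
            return allow, lineno
    return True, None  # pam_access grants access when no rule matches


def locked_out(rules, principals):
    """Names of principals the rule set would deny; handy before deployment."""
    return sorted(p.user for p in principals if not evaluate(rules, p)[0])


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    sample = [
        Principal("root", frozenset()),
        Principal("alice", frozenset({"ldap-admins", "users"})),
        Principal("bob", frozenset({"users"})),
        Principal("sshd", frozenset()),  # a daemon account, for the caveat
    ]
    for p in sample:
        print(p.user, evaluate(rules, p))
    print("locked out:", locked_out(rules, sample))
```

Run it after editing the rule file and look at the `locked out` list: a daemon account showing up there is the reason the answer keeps these rules in a separate file for login and sshd only, rather than in the system-wide access.conf.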

Æ-DIR

That's pretty much the use-case my own solution was designed for, completely based on free software:

Æ-DIR -- Authorized Entities Directory

Mainly systems/services are members of service groups and you define which user groups have login right to the service group.

It's a bit of indirection implemented with OpenLDAP ACLs granting read access to users and groups and especially user attributes needed for login. To avoid a common misunderstanding: You will just maintain LDAP entries to change access rights; the OpenLDAP ACLs are static.

To be honest there's one thing you have to configure in the LDAP client: A system credential, either bind-DN and password or TLS client cert.

It will take some time to understand the concepts and model the data to match your access control requirements. And I'm pretty sure it will not fulfill all your wishes regarding access control.

P.S.: I'd like to hear of people having large setups with host access control based on netgroups because I'd like to find out whether it would be possible to write an auto-migration tool for converting netgroup maps into Æ-DIR's aeSrvGroup.

FreeIPA

FreeIPA has similar goals and they implement so-called HBAC policies and some more to achieve that. From my understanding you would have to use sssd with IPA backend to make use of the full feature set. sssd is the policy enforcement point.

Sorry, I'm not familiar enough with their online docs and thus don't have good documentation links at hand besides the FreeIPA docs overview.