
In our company we have a lot of servers (at the moment around 20, and the number is increasing). Not all LDAP users are allowed to access the same servers.

My idea is to make one user group per server and somehow use the IP address of the server to check whether the user is allowed to log in.

How can I configure this using pam?

Tobi

1 Answer


I'm not sure how to bind it to the ip address of the server, but here's a way to bind the server to a group.

I'd recommend using pam_access if your distribution makes it easy (e.g. RHEL / Fedora have authconfig --enablepamaccess). You'd then modify /etc/security/access.conf to have a line similar to:

- : ALL EXCEPT root (groupname) : ALL

root is important because this line will also restrict console login. That's just for starters. You can get more complex, like using multiple lines to describe who can log in from where, see man 5 access.conf, though this may be sufficient for your needs.


You can do something similar for just ssh using AllowGroups in your sshd_config.

84104
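As an added illustration (not part of the question or the answer above), here is a small Python model of how pam_access walks access.conf lines such as the one in the answer, so a rule set can be checked before it is deployed. The group memberships, the srv-web01 group name and the origin strings are constructed for the example; netgroups, IP/netmask origins and tty matching are left out of this simplified model.

```python
# Added example: a simplified model of pam_access evaluating access.conf.
# Supports the subset used above: '+'/'-', user names, '(group)', ALL,
# EXCEPT, and origins given as ALL or a literal string. First matching
# line wins; no match means access is allowed (pam_access default).
# Netgroups, IP/netmask origins and tty matching are deliberately omitted.

# Constructed rules: one group per server, root kept for console login.
ACCESS_CONF = """
# permission : users/groups : origins
+ : root : LOCAL
- : ALL EXCEPT root (srv-web01) : ALL
"""

# Same rule without root in the EXCEPT list: this also locks root out locally.
LOCKOUT_CONF = "- : ALL EXCEPT (srv-web01) : ALL"

# Constructed group memberships (stand-in for getent group / id -nG).
GROUPS = {"alice": {"srv-web01"}, "bob": {"srv-db01"}, "root": {"root"}}


def _item_matches(item, user):
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return item[1:-1] in GROUPS.get(user, set())
    return item == user


def _users_match(field, user):
    # "ALL EXCEPT root (srv-web01)": base list, then exception list.
    parts = field.split()
    cut = parts.index("EXCEPT") if "EXCEPT" in parts else len(parts)
    base, exc = parts[:cut], parts[cut + 1:]
    return any(_item_matches(p, user) for p in base) and not any(
        _item_matches(p, user) for p in exc)


def allowed(user, origin, conf=ACCESS_CONF):
    """True if `user` coming from `origin` ("LOCAL" or a host name) passes."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if _users_match(users, user) and any(
                o in ("ALL", origin) for o in origins.split()):
            return perm == "+"
    return True
```

Running the real thing is still the final check: pam_access also matches netgroups, address/netmask origins and tty names, which this model does not.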