
At the moment my PAM is integrated through LDAP with a custom authentication stack in /etc/pam.d/system-auth:

auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.netgroup.allowed
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

As you can see, the authorization is made by a lookup in the /etc/login.netgroup.allowed file, which contains a list of LDAP groups. So a user can log in to this server only if they belong to at least one of those groups.

This check is made statically. I mean, the login.netgroup.allowed file is immutable and it contains only a list of groups. Is there a way, or any suggestion, to make this check dynamic through an LDAP lookup? I mean, suppose I have an LDAP branch which contains an entry with the hostname of my server and a multi-valued attribute containing the list of the groups associated with this server. Is it possible to make the check not against a file but directly against LDAP?

INFO: OS: Red Hat 6.4; LDAP client: nslcd

EDIT: At the moment I've made it work with a custom script:

This is the system-auth of my hostname1 server:

auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_exec.so /usr/sbin/netgroupCheck
auth        required      pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.netgroup.allowed

I'm checking the allowed group directly on LDAP with the /usr/sbin/netgroupCheck script:

#!/usr/bin/env bash
# netgroupCheck: called from pam_exec.so; refreshes the pam_listfile
# allow-list with the Allowednetgroup values of this host's LDAP entry
set -eo pipefail

# Allowed Netgroup File read by pam_listfile.so
file=/etc/login.netgroup.allowed

# LDAP client settings, taken from the active (uncommented) lines of nslcd.conf;
# the keyword is dropped and the rest of the line is kept
conf=/etc/nslcd.conf
nslcd_opt() { awk -v key="$1" '$1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$conf"; }
uri=$(nslcd_opt uri)
oud_user=$(nslcd_opt binddn)
oud_password=$(nslcd_opt bindpw)
hostname=$(hostname)

# Refresh Allowed Netgroup File from LDAP: write to a temporary file and rename
# it, so a failed search never leaves a truncated allow-list behind
tmp=$(mktemp "${file}.XXXXXX")
trap 'rm -f "$tmp"' EXIT
ldapsearch -LLL -D "$oud_user" -H "$uri" -w "$oud_password" \
    -b "dc=base,dc=it" "(cn=$hostname)" Allowednetgroup \
  | awk 'tolower($1) == "allowednetgroup:" { print $2 }' > "$tmp"
chmod 0644 "$tmp"
mv "$tmp" "$file"

And this is the entry on LDAP:

dn: cn=hostname1,ou=servers,dc=base,dc=it
objectClass: host
objectClass: ipHost
objectClass: top
cn: hostname1
ipHostNumber: 10.10.10.10
Allowednetgroup: GROUP1
Allowednetgroup: GROUP2
Allowednetgroup: GROUP3

In this way I can edit the Allowednetgroup values directly in LDAP without editing them on the server.

LucaP
  • Hi LucasP, it would be useful to know: (1) Which distribution and version are you using and (2) versions of openldap/pam/etc. – Leo Gallego Sep 24 '19 at 22:49
  • I found that it was effectively solved for me with SSSD integrated into my LDAP server (AD) when I managed membership of a group from AD, where the sssd.conf file was set as follows: simple_allow_groups = itgroup – rupert160 Sep 25 '19 at 04:50
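As an added example, not code from the question or from either answer: a small bash script that does what the question's approach relies on, namely turning the Allowednetgroup values of a host entry (a constructed LDIF sample shaped like the one shown above) into the pam_listfile allow-list, and then making the same allow/deny decision that pam_listfile.so with item=group sense=allow onerr=fail makes. It also shows why the attribute values are worth validating before they are written: pam_listfile trusts every line of that file, so a value with spaces or shell metacharacters should never reach it. The function names and the sample data are my own.

```shell
#!/usr/bin/env bash
# Constructed sample LDIF, shaped like the host entry in the question.
# The last value is deliberately malformed to show that it is filtered out.
SAMPLE_LDIF='dn: cn=hostname1,ou=servers,dc=base,dc=it
objectClass: host
cn: hostname1
Allowednetgroup: GROUP1
allowednetgroup: GROUP2
Allowednetgroup: bad group;rm
'

# extract_allowed_groups LDIF -> prints one group name per line.
# Only plain names are accepted (attribute names in LDIF are case-insensitive,
# hence tolower); anything with whitespace or punctuation is dropped.
extract_allowed_groups() {
  printf '%s\n' "$1" | awk '
    tolower($1) == "allowednetgroup:" {
      if (NF == 2 && $2 ~ /^[A-Za-z0-9_.-]+$/) print $2
    }'
}

# write_allow_file LDIF FILE -> atomically replaces FILE with the group list.
# An empty result yields an empty file, which with sense=allow denies everyone
# (fail closed) rather than a half-written list.
write_allow_file() {
  local ldif=$1 file=$2 tmp
  tmp=$(mktemp "${file}.XXXXXX") || return 1
  extract_allowed_groups "$ldif" > "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$file"
}

# listfile_allows FILE GROUP... -> 0 if any of the user's groups is listed in
# FILE, 1 otherwise. A missing or unreadable file is treated as a failure,
# mirroring what onerr=fail does in pam_listfile.
listfile_allows() {
  local file=$1; shift
  [ -r "$file" ] || return 1
  local g
  for g in "$@"; do
    grep -qxF -- "$g" "$file" && return 0
  done
  return 1
}
```

Run it with the user's group list from `id -Gn "$user"`; in the question's setup the file is regenerated at every login, so the decision always reflects the host entry as it is in LDAP at that moment.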

2 Answers


Sure, this is done via the filter passwd directive of the nslcd.conf file, something like this:

 filter passwd (memberOf=cn=myLoginGroup,ou=groups,dc=foo,dc=bar)

Since filter passwd references the LDAP filter, it can be as complicated as you wish, including multiple group constraints inside a logical expression.

drookie
  • I'm not sure this could be useful, because my goal is to store the allowed groups on LDAP and not locally. At the moment my /etc/login.netgroup.allowed contains two groups, if I set a filter like (|(memberOf=cn=GROUP1,ou=groups,dc=foo,dc=bar)(memberOf=cn=GROUP2,ou=groups,dc=foo,dc=bar)) it would be the same as the local file. What the server only knows is for example its hostname; I should retrieve the allowed groups querying by the hostname of the server. – LucaP Sep 09 '19 at 12:57
  • Hi @drookie do you have any idea on what I can change here? – LucaP Sep 11 '19 at 09:51

Issue

If I'm understanding you correctly, you are using a file to check the authentication, before you reach the LDAP plugin. And this file is connecting to an LDAP, that checks (at least) 2 groups, and allows the users belonging to (either of) those two groups to authenticate.

If this is the case, you could simply delegate this to pam_ldap, and configure it to filter the authentication at that stage instead.

In any case, if you are running LDAP, you have dynamic groups already. What you need is to feed those groups to the clients. I might be missing something, but here are a couple of options I can think of:

PAM LDAP

Single group

You might pull this off with PAM_LDAP's configuration option pam_groupdn if you have the possibility of creating a new group, a merger between GROUP1 and GROUP2, and adding every user of GROUP1 and GROUP2 to that group; for example, let's call it GROUP3.

You then should add the following line to /etc/ldap.conf:

pam_groupdn cn=GROUP3,ou=groups,dc=foo,dc=bar

Restart services as needed.

As far as I know, pam_groupdn doesn't allow for more than one group. If you can't merge GROUP1 and GROUP2 into a third GROUP3 one, your other option would be to use SSSD.

Multiple groups

You need to have SSSD installed. I don't know which distribution you are using, but usually the package has the same name, sssd.

Add the following line to /etc/sssd/sssd.conf below the [domain] section:

access_provider = ldap
ldap_access_filter = (|(memberOf=cn=GROUP1,ou=groups,dc=foo,dc=bar)(memberOf=cn=GROUP2,ou=groups,dc=foo,dc=bar))

Restart services as needed.

Leo Gallego
  • No, it's the opposite. I would like to have this info of allowed groups stored on LDAP, not locally in a file. I was searching for some method to (for example) query the LDAP by the server name and retrieve the two (or more) allowed groups – LucaP Sep 25 '19 at 08:46
  • Hi LucaP, I'm sorry but it's not quite clear to me what you are trying to accomplish. Could you edit your question with a couple of examples and details on the environment (distro/versions/etc)? – Leo Gallego Sep 25 '19 at 15:08
  • I've edited with a custom solution; I hope it makes sense now. I just want to understand if there are any other solutions which do not require a custom script – LucaP Sep 25 '19 at 15:26