[Date Prev][Date Next] [Chronological] [Thread] [Top]

Restrict Access to Hosts



Hello,

I manage linux users in an LDAP directory and want to restrict the access of
certain users to certain hosts.
I have setup /etc/pam.d/sshd on the host to which the user accesses as follows:

#%PAM-1.0
auth     required       /lib/security/pam_ldap.so
auth     required       /lib/security/pam_unix.so       # set_secrpc
auth     required       /lib/security/pam_nologin.so
auth     required       /lib/security/pam_env.so
auth     required       /lib/security/pam_mail.so
account  sufficient     /lib/security/pam_ldap.so
account  required       /lib/security/pam_unix.so
password required       /lib/security/pam_pwcheck.so
password required       /lib/security/pam_unix.so       use_first_pass
use_authtok
password sufficient     /lib/security/pam_ldap.so
session  required       /lib/security/pam_unix.so       none # trace or debug
session  required       /lib/security/pam_limits.so

The access control part in my ldap server config file looks like this:

defaultaccess none
access to attr=userPassword
        by dn="cn=Admin,o=ScaleOn GmbH, c=D" write
        by self write
        by anonymous auth
access to *
        by dn="cn=Admin,o=ScaleOn GmbH, c=D" write
        by self write
        by * read

With this configuration the access restriction to hosts listed via a "host"
attribute in the ldap entry of the user works fine.
But, now it is not possible for a "normal" passwd-user to log into the machine.
If I change the "auth required" for pam_ldap.so
into an "auth sufficient", then both types of users can log in, but the "host"
attribute is ignored, probably due to the "anonymous auth"
access directive in the ldap config. If I change this to "users auth", then
nobody can login, probably because the user name is somehow not
passed from sshd/pam to the ldap checking mechanism...

Any help would be greatly appreciated.

mit freundlichen Grüßen/with best regards
Thomas Emde
________________________
ScaleOn GmbH & Co. KG
Systems Engineering 1
Geb. B151, Raum 117
D-51368 Leverkusen
Telefon     +49 214/30-67603
Telefax     +49 214/30-24887
E-Mail      thomas.emde@scaleon.de
Internet    http://www.scaleon.de