
Allow particular LDAP group users login



Hi,

I have a case: allow only users in a particular LDAP group to log in to the host.
I found a method via Google which uses pam_listfile.so; I tried it as described (https://www.cyberciti.biz/tips/howto-deny-allow-linux-user-group-login.html), but it failed to restrict to the particular group.
Below is what I did:

1. add pam_listfile.so to system-auth

# grep pam_listfile.so system-auth -A2
auth        required      pam_listfile.so \
            onerr=fail item=group sense=allow file=/etc/login.group.allowed

2. create the file login.group.allowed and add the group name to it
# ll /etc/login.group.allowed
-rwxr-xr-x. 1 root root 12 Jan  7 19:28 /etc/login.group.allowed
# cat /etc/login.group.allowed
hogpu-users

3. try to log in as a user who is not in group hogpu-users.

Last login: Sat Jan  7 19:30:04 2017 from 10.31.32.72
id: cannot find name for group ID 501
[luo.lu@xyz-gpu100 ~]$ id test.lu
uid=10138(test.lu) gid=501 groups=501,503(hogpu-algorithm-intern)

so user test.lu is not in group hogpu-users, but I can still log in to the host.

What did I miss? Any suggestions?

Thanks



--
Regards
Frank Yu
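The following script is an added example, not part of the post above or of pam_listfile itself. It re-implements the decision pam_listfile.so makes with `item=group sense=allow` (succeed only if one of the user's groups is listed in the file) plus the module's sanity check on the list file (it refuses a file that is world-writable or not owned by root), so an allow-list can be verified without logging in. The group membership is passed in as the `groups=` field printed by `id`, taken from the post, so the script runs offline; on a real host it would come from `id -Gn "$user"`. The file path and its contents are constructed here for the example.

```shell
#!/bin/sh
# Added example (not from the original post): emulate the decision that
# pam_listfile.so makes for item=group sense=allow, so the allow-list can be
# checked without an interactive login.

# Constructed copy of the allow-list file, one group name per line.
ALLOWED_FILE="${TMPDIR:-/tmp}/login.group.allowed.example"
printf 'hogpu-users\n' > "$ALLOWED_FILE"
chmod 644 "$ALLOWED_FILE"

# Turn the "groups=" field of `id` (e.g. "501,503(hogpu-algorithm-intern)")
# into one entry per line. A numeric id without a name, as in the post, is
# kept as the bare number: pam_listfile compares names, so such a group can
# never match an allow-list entry.
groups_from_id_field() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^[0-9]*(\(.*\))$/\1/p; /^[0-9][0-9]*$/p'
}

# pam_listfile refuses to consult a list file that is world-writable or not
# owned by root (it then returns the onerr= result). Report which check fails.
listfile_file_status() {
    file="$1"
    perms=$(ls -ld "$file" | cut -c1-10)
    owner=$(ls -ld "$file" | awk '{print $3}')
    case "$perms" in
        ????????w?) echo world-writable; return 0 ;;
    esac
    [ "$owner" = root ] || { echo not-root-owned; return 0; }
    echo ok
}

# With sense=allow the module succeeds only if at least one of the user's
# groups appears as a whole line in the file; otherwise it fails.
listfile_allow() {
    file="$1"; groups="$2"
    for g in $(groups_from_id_field "$groups"); do
        if grep -qx -- "$g" "$file"; then
            echo allow; return 0
        fi
    done
    echo deny
}

# Usage with the membership shown in the post: test.lu is expected to be denied.
listfile_file_status "$ALLOWED_FILE"
listfile_allow "$ALLOWED_FILE" "501,503(hogpu-algorithm-intern)"
```

If this emulation says "deny" but the login still succeeds, the module is not being reached. Two things to confirm on the host: that the `pam_listfile.so` line sits above any `sufficient` entry (such as `pam_unix.so` or `pam_ldap.so`) in the `auth` stack of the service actually used, since a `sufficient` module that succeeds ends the stack; and that the login path consults the `auth` stack at all. An SSH login with public-key authentication does not run PAM `auth` modules, only `account` and `session`, so a restriction that must hold for key-based SSH logins belongs in the `account` stack (or in sshd_config's `AllowGroups`).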