
Re: using pam-ldap to allow ssh logins from only *some* ldap accounts (and not all)
On Fri, Dec 10, 2021 at 11:31:55AM +0000, charlie derr wrote:
> Hi again everyone,
> 
> Having gotten an excellent (and quite simple) response to my query about automatic homedir creation upon ssh login, I'm going to push my luck (expecting at any moment to receive responses with RTFM or something close to that sentiment in them).
> 
> Our goal is to allow not just *any* LDAP user in our openldap (version 2.4.40) directory, but only those specified as members of a particular group (in our LDAP). We have a custom LDAP attribute (groupSR) that is attached directly to the user's entry (ou=People,uid=<user-login-name>) or we could easily also populate a "more standard" (cn=<groupname>) entry (with memberUID attributes corresponding to the "allowed SSH users") in the ou=Group branch of our directory.
> 
> Pretty sure this was set up quite some time ago here, but the colleagues who I collaborated with to do it are no longer working with me, and I can't for the life of me remember how exactly it was done...
> 
I don't use pam-ldap any longer (I switched to sssd a few years ago).
But, looking at my old configurations, I had this in pam_ldap.conf:

pam_filter |(loginGroup=group1)(loginGroup=group2)

The | joins the parenthetical expressions with a logical OR.  I think
you could use & instead to achieve an AND joining (never tried that).

As another option, assuming you are using libnss-ldap as well, you can
add to libnss-ldap.conf something like this:

nss_base_passwd ou=Accounts,dc=example,dc=com?one?|(loginGroup=group1)(loginGroup=group2)

That would prevent the user even appearing in the output of getent, for
instance, unless the specified criteria are met.

In the event that you decide to switch to sssd (I recommend it, as it is
more flexible and less buggy than the PAM and NSS solution), then its
configuration provides explicit options for filtering specific users
and/or groups.

Regards,

-Roberto

-- 
Roberto C. Sánchez
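The two filter forms in the reply above (`pam_filter` with `|`/`&`, and the `base?scope?filter` value of `nss_base_passwd`) both use plain RFC 4515 search-filter syntax, and it is easy to convince yourself what each one admits before touching a login path. The following is an added example, not code from the thread or from pam_ldap/libnss-ldap: a small evaluator for the filter subset those values use (`&`, `|`, `!`, `attr=value`, `attr=*`), run against a handful of constructed user entries. It assumes pam_ldap's documented behaviour of wrapping the `pam_filter` value in parentheses and AND-ing it with the `uid=<login>` match (which is why the config value carries no outer parentheses), and assumes libnss-ldap wraps the per-base filter the same way, consistent with the example in the message. The entry names, the `loginGroup` values and the helper names are all made up for the demo.

```python
"""Evaluate pam_ldap / libnss-ldap style filters against sample LDAP entries.

Added example (not from the original thread). Supports the RFC 4515 subset
used by pam_filter and nss_base_passwd: (&...), (|...), (!...), (attr=value)
and the presence filter (attr=*). Escape sequences such as \\2a are not handled.
"""
import re

# Constructed sample entries (not from the thread): attribute -> list of values.
SAMPLE_ENTRIES = {
    "alice": {"uid": ["alice"], "loginGroup": ["group1"]},
    "bob":   {"uid": ["bob"],   "loginGroup": ["group2", "group3"]},
    "carol": {"uid": ["carol"], "loginGroup": ["group3"]},
    "dave":  {"uid": ["dave"]},                       # no loginGroup at all
}

_SIMPLE = re.compile(r"([A-Za-z][A-Za-z0-9;-]*)=([^()]*)\)")


def _parse(text):
    """Parse one parenthesised filter; return (node, unconsumed text).

    Nodes are ('&' | '|' | '!', [children]) or ('=', attr, value).
    """
    text = text.lstrip()
    if not text.startswith("("):
        raise ValueError(f"expected '(' at {text!r}")
    body = text[1:]
    if body[:1] in ("&", "|", "!"):
        op, rest, children = body[0], body[1:], []
        while rest.lstrip().startswith("("):
            child, rest = _parse(rest)
            children.append(child)
        rest = rest.lstrip()
        if not rest.startswith(")"):
            raise ValueError(f"unterminated '{op}' filter at {rest!r}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        if not children:
            raise ValueError(f"'{op}' needs at least one operand")
        return (op, children), rest[1:]
    m = _SIMPLE.match(body)
    if not m:
        raise ValueError(f"bad simple filter at {body!r}")
    return ("=", m.group(1), m.group(2)), body[m.end():]


def compile_filter(text):
    """Parse a complete filter string, rejecting trailing garbage."""
    node, rest = _parse(text)
    if rest.strip():
        raise ValueError(f"trailing text after filter: {rest!r}")
    return node


def _values(entry, attr):
    # LDAP attribute names are case-insensitive.
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return list(vals)
    return []


def evaluate(node, entry):
    """True if the entry matches the filter tree."""
    if node[0] == "=":
        _, attr, value = node
        vals = _values(entry, attr)
        if value == "*":                              # presence filter
            return bool(vals)
        # Assumes caseIgnoreMatch equality, as for most string attributes.
        return any(v.lower() == value.lower() for v in vals)
    op, children = node
    if op == "&":
        return all(evaluate(c, entry) for c in children)
    if op == "|":
        return any(evaluate(c, entry) for c in children)
    return not evaluate(children[0], entry)           # '!'


def pam_ldap_effective_filter(pam_filter, user, userattr="uid"):
    """pam_ldap wraps pam_filter in parentheses and ANDs it with the login name."""
    return f"(&({pam_filter})({userattr}={user}))"


def split_nss_base(spec):
    """Split a libnss-ldap 'base?scope?filter' value into its three parts."""
    parts = spec.split("?", 2) + ["", ""]
    return parts[0], parts[1], parts[2]


def allowed_users(pam_filter, entries=SAMPLE_ENTRIES):
    """Login names that pam_ldap would accept with the given pam_filter."""
    return sorted(
        uid for uid, entry in entries.items()
        if evaluate(compile_filter(pam_ldap_effective_filter(pam_filter, uid)), entry)
    )


def nss_visible_users(nss_base_passwd, entries=SAMPLE_ENTRIES):
    """Login names that survive the nss_base_passwd filter (i.e. show up in getent).

    Assumption: libnss-ldap wraps the filter part in parentheses like pam_ldap does.
    """
    _base, _scope, flt = split_nss_base(nss_base_passwd)
    node = compile_filter(f"({flt})") if flt else None
    return sorted(uid for uid, e in entries.items() if node is None or evaluate(node, e))


if __name__ == "__main__":
    print(allowed_users("|(loginGroup=group1)(loginGroup=group2)"))
    print(allowed_users("&(loginGroup=group2)(loginGroup=group3)"))
    print(nss_visible_users("ou=Accounts,dc=example,dc=com?one?|(loginGroup=group1)(loginGroup=group2)"))
```

Running it shows the OR form admitting both `alice` and `bob`, the AND form (the variant the reply says it never tried) admitting only a user who carries both values, and the `nss_base_passwd` filter hiding `carol` and `dave` from lookups entirely, which is the stronger of the two controls since an account that NSS cannot resolve never reaches PAM at all.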