Chireru asked:

Group-Based LDAP Authentication

I'm looking for information on how I can do Group-based authentication using LDAP.

I'm researching the possibility of connecting Linux systems to LDAP (and eventually a single-signon).  However, I need only certain user groups to be able to log into certain servers.

I.e. Joe from accounting shouldn't be able to SSH into the webserver. Bob from IT/Databases should only be allowed to log onto servers with databases, etc.

I've done some searching, but I can't find anything that deals with the "Group-Based" portion. There's lots on "how to configure it for LDAP". I would need to be able to specify per-server what usergroups can log in.

Thanks
lbertacco:

I think that you can put users in appropriate groups (e.g. bob will be in group db) when you define the users and then require specific groups for specific machines/services through the pam configuration file.
Chireru (asker):

Can you expand on that?  How would I go about requiring specific groups for specific machines or services in the pam configuration file?
ASKER CERTIFIED SOLUTION by lbertacco:

...and I'm not totally sure that pam_access works with groups defined in ldap (it works for sure with /etc/groups and NIS groups)
I only have done it on Solaris and it was not possible directly with LDAP.
I solved this issue through the use of tcpd restriction for SSH, FTP and console. LDAP is not able to allow it on a per machine basis.
Well, I'm not totally sure that pam_access works with LDAP-defined groups, but it surely works for LDAP-defined users even on a per machine basis.
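Added example, not from the thread: a constructed access.conf rule set for the pam_access approach lbertacco describes, plus a small POSIX shell function that evaluates the rules the way pam_access does (first match wins), so a per-host policy can be checked before it goes live. The group name `db`, the user names and the origin address are assumptions; on Linux-PAM, pam_access resolves group membership through NSS, so a group served by nss_ldap is matched the same way as one from /etc/group.

```shell
#!/bin/sh
# Constructed per-host rule set for pam_access (the module lbertacco refers
# to). On a real host this text lives in /etc/security/access.conf and
# /etc/pam.d/sshd (or common-account) carries the line
#   account required pam_access.so
# pam_access reads the rules top to bottom and the first match decides,
# so the catch-all deny has to be the last line.
ACCESS_CONF='
# perm : users or (groups) : origins
+ : root : LOCAL
+ : (db) : ALL
- : ALL : ALL
'

# access_allowed USER "GROUP ..." ORIGIN  -> prints "allow" or "deny".
# Re-implements first-match-wins evaluation for the subset of access.conf
# syntax used above (bare user names, (group) entries, ALL and LOCAL origins)
# so the policy can be checked without touching a live PAM stack.
access_allowed() {
  user=$1
  groups=" $2 "
  origin=$3
  printf '%s\n' "$ACCESS_CONF" | while IFS=: read -r perm who from; do
    perm=$(printf '%s' "$perm" | tr -d ' ')
    who=$(printf '%s' "$who" | tr -d ' ')
    from=$(printf '%s' "$from" | tr -d ' ')
    case "$perm" in ''|'#'*) continue ;; esac   # blank line or comment
    # third field: where the login comes from
    case "$from" in
      ALL)   ;;
      LOCAL) [ "$origin" = LOCAL ] || continue ;;
      *)     [ "$from" = "$origin" ] || continue ;;
    esac
    # second field: ALL, one user name, or a (group) the user must be in
    case "$who" in
      ALL)     ;;
      "("*")") g=${who#"("}; g=${g%")"}
               case "$groups" in *" $g "*) ;; *) continue ;; esac ;;
      *)       [ "$who" = "$user" ] || continue ;;
    esac
    if [ "$perm" = "+" ]; then echo allow; else echo deny; fi
    break
  done
}

access_allowed bob "users db" 10.0.0.5         # allow: member of db
access_allowed joe "users accounting" 10.0.0.5 # deny: falls through to ALL
```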
SOLUTION
Chireru (asker):

This question is getting a little old. I was hoping to have a few more opinions. I have an LDAP server up, but I haven't had time to play with restrictions yet.

Thanks for all the input.