[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Restrict Access to Hosts
Hello,
I manage linux users in an LDAP directory and want to restrict the access of
certain users to certain hosts.
I have setup /etc/pam.d/sshd on the host to which the user accesses as follows:
#%PAM-1.0
auth required /lib/security/pam_ldap.so
auth required /lib/security/pam_unix.so # set_secrpc
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_env.so
auth required /lib/security/pam_mail.so
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_pwcheck.so
password required /lib/security/pam_unix.so use_first_pass
use_authtok
password sufficient /lib/security/pam_ldap.so
session required /lib/security/pam_unix.so none # trace or debug
session required /lib/security/pam_limits.so
The access control part in my ldap server config file looks like this:
defaultaccess none
access to attr=userPassword
by dn="cn=Admin,o=ScaleOn GmbH, c=D" write
by self write
by anonymous auth
access to *
by dn="cn=Admin,o=ScaleOn GmbH, c=D" write
by self write
by * read
With this configuration the access restriction to hosts listed via a "host"
attribute in the ldap entry of the user works fine.
But, now it is not possible for a "normal" passwd-user to log into the machine.
If I change the "auth required" for pam_ldap.so
into an "auth sufficient", then both types of users can log in, but the "host"
attribute is ignored, probably due to the "anonymous auth"
access directive in the ldap config. If I change this to "users auth", then
nobody can login, probably because the user name is somehow not
passed from sshd/pam to the ldap checking mechanism...
Any help would be greatly appreciated.
mit freundlichen Grüßen/with best regards
Thomas Emde
________________________
ScaleOn GmbH & Co. KG
Systems Engineering 1
Geb. B151, Raum 117
D-51368 Leverkusen
Telefon +49 214/30-67603
Telefax +49 214/30-24887
E-Mail thomas.emde@scaleon.de
Internet http://www.scaleon.de