Restricting account logins using LDAP and PAM

ubuntu ldap pam

I was hoping some PAM/LDAP gurus may be able to help me out here. I've recently set up an LDAP directory on Ubuntu Server to hold accounts for both my clients (for use with web-based systems) and staff (who will need to login via SSH.)

The LDAP authentication is working perfectly. However I cannot get the account restrictions working: staff accounts will have IDs between 2001 and 2999 and will be a member of the ssh-users group to allow them to login to servers.

The restrictions in question are in /etc/ldap.conf, and are pam_min_uid, pam_max_uid and pam_groupdn.

pam_groupdn contains the full DN to my ssh-users group. pam_min_uid = 2000 and pam_max_uid = 2999.

Now, I've managed to get them working by adding:

account [success=1 default=ignore] pam_ldap.so

above the pam_unix.so line in /etc/pam.d/common-account. However, the local Unix accounts can then NOT login: the SSH server kills the connection as soon as they try.

I've set the pam_ldap.so module to sufficient in the above file, but then the invalid users get a message saying they cannot login, but it logs them in anyway.

So, how can I set these account restrictions for LDAP users, while still allowing UNIX users to login?

As you can probably guess I'm a newbie to PAM, although I have managed to get the "automatically make home directories" module working :-)

Many thanks, Andy


Solution 1:

PAM has the ability to restrict access based on an access control list (at least on Ubuntu) which, like kubanskamac's answer (+1) regards the groups as posix groups, whether they're stored in LDAP, /etc/group or NIS.

/etc/security/access.conf is the access list file. In my file, I put at the end:

-:ALL EXCEPT root sysadmin (ssh-users):ALL

This denies everyone except root, sysadmin and in the group ssh-users (which is in LDAP) wherever they login from (the second ALL).

Then in my PAM account file (this IS an account module), I add at the very end:

account required pam_access.so

which tells PAM to use this file. It works a treat :-)

Solution 2:

I would simply use

auth required    pam_listfile.so   sense=accept item=group file=/etc/groups.allow onerr=fail

to allow only specific groups (both for local and LDAP groups). This way you don't have to specify anything in ldap.conf.

If you want to keep authorization your way, you shouldn't filter users on "account" pass. I believe you should rather do it on "auth" pass. Secondly, as you can see yourself, pam_unix processes both local and LDAP accounts (at least on the "account" pass), so it seems there is no need for pam_ldap at all.

EDIT: Thirdly, if you insist on having stuff on "account" pass (which I believe could have strange side effects), your sequence should end with: ..., "sufficient pam_ldap", "required pam_localuser", "required pam_unix". I mean, if you have any other modules, move them before pam_ldap - otherwise they would be ignored for LDAP accounts due to "sufficient" clause.

Related

Amazon EC2 spot instances - is there a catch?
How to set up my own full-featured certificate authority?
Mysqld.sock doesn't exist
What causes the MySQL error 1062 - duplicate entry when starting slave?
How to fix postfix: Sender address rejected: need fully-qualified address (in reply to RCPT TO command))?
Postfix - do not list domain example.com in BOTH mydestination and virtual_alias
What time zone is displayed in windows event logs? When viewing saved log from another machine?
How often should I scrub my RAID?
Not able to spoof MAC address in Kali Linux
How to download all files from a site? [duplicate]
How to download images with wget
Is a VPN effective at protecting my privacy while using Chrome?