How to limit logon time access for groups

I have to limit logon time access for some users. I have googled and found that it is possible with PAM modules and time.conf.

My question is: is it possible to do the same with groups, so that instead of dealing with individual users, I can just gather these users into a group and set a limited logon time for that group?

I am using an LDAP server with CentOS 7.


Solution 1:

Yes, this can be accomplished with some work, using a combination of pam_listfile and pam_time. You will have to fill in the details, but here is the skeleton in your pam.conf:

# Both lines belong to the account stack: success=1 only skips modules of the same type.
account [success=1 default=ignore] pam_listfile.so item=group sense=deny file=/path/to/restricted/groups onerr=fail
account required pam_time.so ...

The success=1 means that if this module returns success, the next 1 module is skipped. That is, if the user is not in any of the denied groups, pam_time.so is not run; otherwise it is.
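
The skeleton above filled in as a three-file configuration. This is an added example, not part of the original answer. The service (sshd), the list file path, the group names and the time window are assumptions chosen for illustration, and the `# ---` header lines only mark file boundaries and are not part of the files.

```conf
# --- /etc/pam.d/sshd (account section, above the existing account lines) ---
# With sense=deny, pam_listfile returns success when the user is in NONE of
# the listed groups; success=1 then jumps over the next account module.
# Every other result is ignored, so members of a listed group fall through
# to pam_time. The jump counts modules of the same type only, and pam_time
# is an account module, so both lines are "account".
# onerr=fail: if the list file cannot be read, nobody skips pam_time
# (the restriction then applies to everyone rather than to no one).
account  [success=1 default=ignore]  pam_listfile.so item=group sense=deny file=/etc/security/time-restricted-groups onerr=fail
account  required                    pam_time.so

# --- /etc/security/time-restricted-groups (hypothetical path) ---
# One group name per line, no comments inside the real file.
# Membership is resolved through NSS, so LDAP groups work as long as
# "getent group contractors" lists the user on this host.
contractors
interns

# --- /etc/security/time.conf (syntax: services;ttys;users;times) ---
# Only members of the groups above ever reach pam_time, so the users field
# can be "*". Logins through sshd are accepted on weekdays from 08:00 to
# 18:00 and refused at any other time.
sshd;*;*;Wk0800-1800
```

pam_time is evaluated when a login is being established, so it does not end sessions that are already open when the window closes. Keep a root session open while testing the change, since a mistake in the account stack can lock out every user of that service.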