Table of Contents
Authenticating against LDAP
ldapsearch is a command used to gather information from LDAP, but it can be used to test login auth too, if a user can bind successfully, they can be considered to authenticated, depending on what groups a user is a member of can be used to determine if they are authorized to access a specific resource.
ldapsearch -h <LDAPserverHostname> -D “bind DN” -W -b “searchbase DN”
-h LDAP server hostname
-D bind DN
-W prompt for password on screen
Cannot find group info
[root@cube etc]# ssh -l andrew 127.0.0.1 firstname.lastname@example.org's password: Last login: Mon Dec 3 01:01:27 2012 id: cannot find name for group ID 1001 [andrew@cube ~]$ [andrew@cube ~]$ getent group andrew [andrew@cube ~]$ getent passwd andrew andrew:*:1001:1001:Andrew:/home/andrew:/bin/bash [andrew@cube ~]$
In /etc/ldap.conf, set:-
Controlling logins with group access
So far, you can log in to the server solely based on being able to authenticate against LDAP. If you need to allow some LDAP users but not others to access your server, you can use LDAP groups and specify groups allowed to login in
/etc/security/access.conf (on RedHat/Centos etc, maybe others too). You can test the existence of the appropirate groups with
getent group as above.
[root@myserver]# cat /etc/security/access.conf # Login access control table. # Format of the login access control table is three fields separated by a # ":" character: # permission : users : origins # # The first field should be a "+" (access granted) or "-" (access denied) # character. # The second field should be a list of one or more login names, group # names, or ALL (always matches). # The third field should be a list of one or more tty names , host names, # domain names (begin with "."), host addresses, internet network numbers or ALL #Always allow root from console + : root : LOCAL # LDAP groups to allow from local subnet + : LDAPallowedUsersGroup : 192.168.0. #LDAP groups to forbid from everywhere - : LDAPforbiddenUsersGroup : ALL
ACL on LDAP server
Allow only auth users to see the encrypted password.
access to attrs=userpassword by dn="cn=admin,o=company,c=GB" write by anonymous auth by self write by * none