LDAP access groups

Objective

How to restrict login access on a per-user or per-group basis.

Overview

LDAP groups are used but the restriction method itself (which uses PAM) can use local accounts and groups as well as LDAP accounts and groups (or any other supported PAM authentication method).

All configuration below relates to ops01. This will need to be modified for other servers (to be documented). Note there is a slight difference under /etc/pam.d/* configuration files depending on the release version of Red Hat.

Each line follows the format:

PERMISSION (+/-) :  USER/GROUP  :  ORIGIN

For example:

/etc/security/access.conf
Config Description
+ : root : LOCAL Allow root to login via the console only
- : user1 : ALL EXCEPT LOCAL Only allow user1 to login via the console

Full Instructions

1. Add the following line into the applicable file as per Red Hat version. This will enable pam_access and the use of access.conf in step 2.

account     required      pam_access.so

RHEL5:

/etc/pam.d/system-auth

RHEL4:

/etc/pam.d/sshd
/etc/pam.d/login
[/etc/pam.d/gdm]


2. The config below is given as an example. Add the following lines into /etc/security/access.conf:

# root access via console only
+ : root : LOCAL

# local user accounts access via console only
+ : user1 user2 user3 : LOCAL

# LDAP Groups - FULL access to this server
+ : TechnicalOpsGIB TechnicalOpsUK : ALL

# LDAP Groups - SSH access only, no console access
+ : ReleaseTeam TechnicalOpsSF TechnicalOpsLV : ALL EXCEPT LOCAL

# works from Gib APP and WEB servers
+ : works : 192.168.166.210 192.168.166.220 192.168.166.230 192.168.167.210 192.168.167.220 192.168.168.230 192.168.168.240 

# works from ops01 (deployments/control), nocdev01 (wiki duplication) and crond
+ : works : 192.168.123.140 10.28.60.150 crond

# Redmine cronjobs, Nagios and HP SIM Monitoring
+ : redmine : crond
+ : ghpsim : 192.168.10.25
+ : nagios : 192.168.19.15

# Deny everything else
- : ALL : ALL


Line by line, this has the following effect:

Permission User/Group Origin
Permit root Console access (note that PermitRootLogin is set to NO in sshd_config)
Permit Gib local users* Console access only
Permit LDAP Groups allowed FULL access All
Permit LDAP Groups allowed with restricted access All except console access
Permit works Gib APP and WEB servers
Permit works ops01, nocdev01 crond
Permit redmine crond
Permit hpsim sma01 (HP SIM monitoring)
Permit nagios mon01
Deny Everyone else All

* To be removed at a later date.

Configuration Files

The following section documents the configuration required in /etc/security/access.conf for different servers.

Example Servers

# root - console access only
+ : root : LOCAL

# Local user accounts - console access only
+ : user1 user2 user3 : LOCAL

# FULL access to this server
+ : TechnicalOpsGIB TechnicalOpsUK : ALL

# RESTRICTED access to this server
+ : DataAnalysts : ALL EXCEPT LOCAL

# works from other Gib servers
+ : works : 192.168.18. 192.168.18. 192.168.19. cron 

# Nagios and HP SIM Monitoring
+ : gi-hpsim : 192.168.10.25
+ : nagios : 192.168.19.15

# Deny everything/everyone else
- : ALL : ALL

rb/ldap-logon-groups.txt · Last modified: 20/08/2019 16:28 by andrew