====== LDAP access groups ======

===== Objective =====

How to restrict login access on a per-user or per-group basis.

===== Overview =====

LDAP groups are used here, but the restriction method itself (PAM, via **pam_access**) works equally with local accounts and groups, LDAP accounts and groups, or any other supported PAM authentication method.

All configuration below relates to ops01. This will need to be modified for other servers (to be documented).

Note that the ''/etc/pam.d/*'' configuration files to edit differ slightly depending on the Red Hat release (see step 1 below).

Each line of ''/etc/security/access.conf'' follows the format:

<code>
PERMISSION (+/-) : USER/GROUP : ORIGIN
</code>

For example:

^ /etc/security/access.conf ^^
^ Config ^ Description ^
| + : root : LOCAL | Allow root to login via the console only |
| - : user1 : ALL EXCEPT LOCAL | Only allow user1 to login via the console |

===== Full Instructions =====

1. Add the following line into the applicable file as per Red Hat version. This will enable **pam_access** and the use of access.conf in step 2.

<code>
account required pam_access.so
</code>

**RHEL5:** /etc/pam.d/system-auth

**RHEL4:** /etc/pam.d/sshd /etc/pam.d/login [/etc/pam.d/gdm]

2. The config below is given as an example. Add the following lines into **/etc/security/access.conf**:

<code>
# root access via console only
+ : root : LOCAL

# local user accounts access via console only
+ : user1 user2 user3 : LOCAL

# LDAP Groups - FULL access to this server
+ : TechnicalOpsGIB TechnicalOpsUK : ALL

# LDAP Groups - SSH access only, no console access
+ : ReleaseTeam TechnicalOpsSF TechnicalOpsLV : ALL EXCEPT LOCAL

# works from Gib APP and WEB servers
+ : works : 192.168.166.210 192.168.166.220 192.168.166.230 192.168.167.210 192.168.167.220 192.168.168.230 192.168.168.240

# works from ops01 (deployments/control), nocdev01 (wiki duplication) and crond
+ : works : 192.168.123.140 10.28.60.150 crond

# Redmine cronjobs, Nagios and HP SIM Monitoring
+ : redmine : crond
+ : ghpsim : 192.168.10.25
+ : nagios : 192.168.19.15

# Deny everything else
- : ALL : ALL
</code>

Line by line, this has the following effect:

^ Permission ^ User/Group ^ Origin ^
| Permit | root | Console access (note that PermitRootLogin is set to NO in sshd_config) |
| Permit | Gib local users* | Console access only |
| Permit | LDAP Groups allowed FULL access | All |
| Permit | LDAP Groups allowed with restricted access | All except console access |
| Permit | works | Gib APP and WEB servers |
| Permit | works | ops01, nocdev01, crond |
| Permit | redmine | crond |
| Permit | hpsim | sma01 (HP SIM monitoring) |
| Permit | nagios | mon01 |
| Deny | Everyone else | All |

* To be removed at a later date.

===== Configuration Files =====

The following section documents the configuration required in **/etc/security/access.conf** for different servers.

==== Example Servers ====

<code>
# root - console access only
+ : root : LOCAL

# Local user accounts - console access only
+ : user1 user2 user3 : LOCAL

# FULL access to this server
+ : TechnicalOpsGIB TechnicalOpsUK : ALL

# RESTRICTED access to this server
+ : DataAnalysts : ALL EXCEPT LOCAL

# works from other Gib servers
+ : works : 192.168.18. 192.168.18. 192.168.19. cron

# Nagios and HP SIM Monitoring
+ : gi-hpsim : 192.168.10.25
+ : nagios : 192.168.19.15

# Deny everything/everyone else
- : ALL : ALL
</code>
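The ops01 rule set from the Full Instructions section can be checked before it is deployed by replaying login attempts against a small model of pam_access evaluation. This is an added example, not part of the original page; it assumes pam_access semantics as documented in access.conf(5) (first matching line wins, no matching line means permit, LOCAL matches an origin without a '.', a token ending in '.' is a network prefix) and does not model @netgroups or netmask syntax. The users alice, bob and mallory and the client addresses are constructed sample values.

```python
# Added example, not from the original page: simulate how pam_access evaluates
# the ops01 rules above (constructed copy below) so a rule set can be audited
# before deployment. Modelled: first match wins, no match means permit,
# LOCAL = origin without '.', trailing '.' = network prefix. Not modelled: @netgroups, netmasks.
ACCESS_CONF = """
+ : root : LOCAL
+ : user1 user2 user3 : LOCAL
+ : TechnicalOpsGIB TechnicalOpsUK : ALL
+ : ReleaseTeam TechnicalOpsSF TechnicalOpsLV : ALL EXCEPT LOCAL
+ : works : 192.168.166.210 192.168.166.220 192.168.166.230
+ : works : 192.168.123.140 10.28.60.150 crond
+ : redmine : crond
+ : nagios : 192.168.19.15
- : ALL : ALL
"""

def parse(conf):
    """Return [(permit, user_tokens, origin_tokens)] in file order."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm == "+", users.split(), origins.split()))
    return rules

def match_token(tok, value, is_origin):
    """Literal, ALL, LOCAL (origin without '.') or network prefix (trailing '.')."""
    if tok == "ALL" or tok == value:
        return True
    if is_origin and tok == "LOCAL":
        return "." not in value          # tty or PAM service name such as crond
    return is_origin and tok.endswith(".") and value.startswith(tok)

def list_match(tokens, values, is_origin):
    """'a b [EXCEPT x y]': a positive hit that no EXCEPT token vetoes."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_match(tokens[:i], values, is_origin) and \
            not list_match(tokens[i + 1:], values, is_origin)
    return any(match_token(t, v, is_origin) for t in tokens for v in values)

def decide(rules, user, groups, origin):
    """True if login is permitted; with no matching line pam_access permits."""
    for permit, user_tokens, origin_tokens in rules:
        if list_match(user_tokens, [user] + groups, False) and \
                list_match(origin_tokens, [origin], True):
            return permit
    return True
```

Dropping the final `- : ALL : ALL` line from the rules passed to `decide` shows why it matters: an unlisted user from an unlisted host is then permitted.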