Authenticating against LDAP

Cannot find group info

[root@cube etc]# ssh -l andrew 127.0.0.1
andrew@127.0.0.1's password:
Last login: Mon Dec  3 01:01:27 2012
id: cannot find name for group ID 1001
[andrew@cube ~]$

[andrew@cube ~]$ getent group andrew
[andrew@cube ~]$ getent passwd andrew
andrew:*:1001:1001:Andrew:/home/andrew:/bin/bash
[andrew@cube ~]$

In /etc/ldap.conf, set:-

nss_base_group          ou=group,dc=mydomain,dc=pri?one

Controlling logins with group access

So far, anyone who can authenticate against LDAP can log in to the server. If you need to allow some LDAP users but not others to access your server, you can use LDAP groups and list the groups allowed to log in in /etc/security/access.conf (on RedHat/CentOS and the like; possibly other distributions too). You can check that the appropriate groups exist with getent group, as above.

[root@myserver]# cat /etc/security/access.conf
# Login access control table.
# Format of the login access control table is three fields separated by a
# ":" character:
#       permission : users : origins
#
# The first field should be a "+" (access granted) or "-" (access denied)
# character.
# The second field should be a list of one or more login names, group
# names, or ALL (always matches).
# The third field should be a list of one or more tty names, host names,
# domain names (begin with "."), host addresses, internet network numbers or ALL

#Always allow root from console
+ : root : LOCAL

# LDAP groups to allow from local subnet
+ : LDAPallowedUsersGroup : 192.168.0.

#LDAP groups to forbid from everywhere
- : LDAPforbiddenUsersGroup : ALL
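To check what these rules actually permit before relying on them, here is an added Python re-implementation of the access.conf matching logic (example code, not from this wiki page). It follows access.conf(5) as enforced by pam_access: the first matching line decides; users may be login names, group names, "(group)" or ALL with an optional EXCEPT list; origins may be ALL, LOCAL, a host or address, a network prefix ending in "." or a domain beginning with "."; and access is granted when no line matches. LOCAL is simplified here to "origin contains no dot", and the rule text and test users are constructed.

```python
from typing import Callable, Iterable, List, Tuple

# Constructed copy of the three rules from the access.conf shown above.
ACCESS_CONF = """
+ : root : LOCAL
+ : LDAPallowedUsersGroup : 192.168.0.
- : LDAPforbiddenUsersGroup : ALL
"""

def parse(text: str) -> List[Tuple[str, List[str], List[str]]]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.replace(",", " ").split(), origins.replace(",", " ").split()))
    return rules

def _match_list(tokens: List[str], hit: Callable[[str], bool]) -> bool:
    """pam_access list_match: 'a b EXCEPT c d' matches if a/b hit and c/d do not."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return _match_list(tokens[:i], hit) and not _match_list(tokens[i + 1:], hit)
    return any(hit(t) for t in tokens)

def _user_hit(user: str, groups: Iterable[str]) -> Callable[[str], bool]:
    gs = set(groups)   # in real life these come from NSS, i.e. the LDAP groups fixed above
    return lambda t: (t == "ALL" or t == user or t in gs
                      or (t.startswith("(") and t.endswith(")") and t[1:-1] in gs))

def _origin_hit(origin: str) -> Callable[[str], bool]:
    def hit(t: str) -> bool:
        if t == "ALL":
            return True
        if t == "LOCAL":                 # assumption: classic rule, origin has no '.'
            return "." not in origin
        if t.endswith("."):              # network prefix such as 192.168.0.
            return origin.startswith(t)
        if t.startswith("."):            # domain suffix such as .corp.example
            return len(origin) > len(t) and origin.lower().endswith(t.lower())
        return origin.lower() == t.lower()
    return hit

def allowed(user: str, groups: Iterable[str], origin: str, conf: str = ACCESS_CONF) -> bool:
    """First matching line decides; pam_access grants access if no line matches."""
    for perm, users, origins in parse(conf):
        if _match_list(users, _user_hit(user, groups)) and _match_list(origins, _origin_hit(origin)):
            return perm == "+"
    return True
```

Run against the three lines above, a user who is in neither LDAP group and connects from outside 192.168.0. is still allowed, because no line matched; appending a final `- : ALL : ALL` closes that gap.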

ACL on LDAP server

Restrict the encrypted (hashed) password attribute so that it can be used to authenticate but cannot be read by other users.

In slapd.conf:-

access to attrs=userpassword
	by dn="cn=admin,o=company,c=GB" write
	by anonymous auth
	by self write
	by * none

Storing ssh keys in LDAP

linux/authagainstldap.txt · Last modified: 14/03/2022 11:31 by andrew