Authenticating against LDAP
Cannot find group info
[root@cube etc]# ssh -l andrew 127.0.0.1
andrew@127.0.0.1's password:
Last login: Mon Dec 3 01:01:27 2012
id: cannot find name for group ID 1001
[andrew@cube ~]$
[andrew@cube ~]$ getent group andrew
[andrew@cube ~]$ getent passwd andrew
andrew:*:1001:1001:Andrew:/home/andrew:/bin/bash
[andrew@cube ~]$
The passwd lookup works but the group lookup returns nothing: nss_ldap has a search base for passwd entries but none for groups, so GID 1001 cannot be mapped to a name. In /etc/ldap.conf, give the group lookup its own base (the ?one suffix limits the search to one level below ou=group):-
nss_base_group ou=group,dc=mydomain,dc=pri?one
Controlling logins with group access
So far, anyone who can authenticate against LDAP can log in to the server. If you need to allow some LDAP users but not others, put them in LDAP groups and list the groups that may (or may not) log in in /etc/security/access.conf
(on RedHat/CentOS etc, maybe others too). The file is read by pam_access.so, so that module must be in the PAM stack used by sshd/login for the rules to have any effect, and the groups must resolve through NSS for pam_access to see them; you can test the existence of the appropriate groups with getent group
as above. Two things to keep in mind: pam_access stops at the first line that matches, and if no line matches at all, access is granted. So if the intention is "only these groups may log in", finish the table with "- : ALL : ALL".
[root@myserver]# cat /etc/security/access.conf
# Login access control table.
# Format of the login access control table is three fields separated by a
# ":" character:
# permission : users : origins
#
# The first field should be a "+" (access granted) or "-" (access denied)
# character.
# The second field should be a list of one or more login names, group
# names, or ALL (always matches).
# The third field should be a list of one or more tty names , host names,
# domain names (begin with "."), host addresses, internet network numbers or ALL
#Always allow root from console
+ : root : LOCAL
# LDAP groups to allow from local subnet
+ : LDAPallowedUsersGroup : 192.168.0.
#LDAP groups to forbid from everywhere
- : LDAPforbiddenUsersGroup : ALL
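As an added example (not code from the original page), the POSIX shell script below simulates how pam_access walks an access.conf table: first matching line wins, and a table with no matching line grants access. It evaluates the page's three rules as written, and the same rules with a "- : ALL : ALL" catch-all added, for a few users. The user names (andrew, bob), the group memberships and the origin addresses are constructed; group membership is passed in by hand rather than read from NSS so it runs offline, and the origin matching covers the keyword and prefix forms pam_access documents (ALL, LOCAL, ".domain", "192.168.0.", exact match).

```shell
#!/bin/sh
# Added example, not from the original page: a small simulator of the way
# pam_access evaluates /etc/security/access.conf, so a rule set can be
# checked before it locks anyone out (or lets everyone in).  Rule tables,
# user names, groups and origins are constructed; on a real host you would
# pass "$(id -Gn "$user")" as the group list.

# The rules as they appear in the access.conf above.
PAGE_RULES='# permission : users : origins
+ : root : LOCAL
+ : LDAPallowedUsersGroup : 192.168.0.
- : LDAPforbiddenUsersGroup : ALL'

# The same rules with the catch-all deny that turns "allow these groups"
# into "allow ONLY these groups".
STRICT_RULES="$PAGE_RULES
- : ALL : ALL"

# origin_matches "PATTERN..." ORIGIN -> 0 if any pattern covers ORIGIN.
# Mirrors pam_access: ALL; LOCAL (an origin with no '.'); ".domain" suffix;
# "192.168.0." network prefix; otherwise an exact tty/host/address match.
origin_matches() {
    _origin=$2
    for _pat in $1; do
        case "$_pat" in
            ALL)   return 0 ;;
            LOCAL) case "$_origin" in *.*) ;; *) return 0 ;; esac ;;
            .*)    case "$_origin" in *"$_pat") return 0 ;; esac ;;
            *.)    case "$_origin" in "$_pat"*) return 0 ;; esac ;;
            *)     [ "$_pat" = "$_origin" ] && return 0 ;;
        esac
    done
    return 1
}

# user_matches "ITEM..." USER "GROUP..." -> 0 if an item is ALL, the user
# name, or one of the user's groups (bare or in the "(group)" form).
user_matches() {
    _user=$2; _groups=$3
    for _item in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$_item" = ALL ] && return 0
        [ "$_item" = "$_user" ] && return 0
        _item=${_item#\(}; _item=${_item%\)}
        for _g in $_groups; do
            [ "$_item" = "$_g" ] && return 0
        done
    done
    return 1
}

# access_check RULES USER "GROUP..." ORIGIN -> prints granted|denied and
# returns 0|1.  First matching line wins; no match at all means granted,
# which is the pam_access default that the catch-all in STRICT_RULES closes.
access_check() {
    _verdict=$(printf '%s\n' "$1" | while IFS= read -r _line; do
        case "$_line" in ''|'#'*) continue ;; esac
        _perm=$(printf '%s' "$_line" | cut -d: -f1 | tr -d ' ')
        _users=$(printf '%s' "$_line" | cut -d: -f2)
        _origins=$(printf '%s' "$_line" | cut -d: -f3)
        if user_matches "$_users" "$2" "$3" && origin_matches "$_origins" "$4"; then
            if [ "$_perm" = '+' ]; then echo granted; else echo denied; fi
            break
        fi
    done)
    [ -n "$_verdict" ] || _verdict=granted
    echo "$_verdict"
    [ "$_verdict" = granted ]
}

# Walk a few constructed users through both tables.  The exit status is the
# verdict; "|| :" only keeps the demo running if the script is run with set -e.
access_check "$PAGE_RULES"   andrew LDAPallowedUsersGroup   192.168.0.15       # granted
access_check "$PAGE_RULES"   andrew LDAPallowedUsersGroup   10.0.0.5           # granted: no line matched
access_check "$STRICT_RULES" andrew LDAPallowedUsersGroup   10.0.0.5     || :  # denied by "- : ALL : ALL"
access_check "$STRICT_RULES" bob    LDAPforbiddenUsersGroup 192.168.0.15 || :  # denied
```

The second call is the one to notice: andrew is in the allowed group but connects from outside 192.168.0., nothing matches, and pam_access lets him in. Only the table with the trailing "- : ALL : ALL" denies him. A user in both groups coming from the local subnet is granted, because the "+" line for the allowed group is reached first.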
ACL on LDAP server
Stop the (hashed) password from being readable. The admin may write userPassword, each user may change their own, anonymous clients may only use it to authenticate (auth lets a simple bind be checked against the attribute without ever returning it), and everybody else gets nothing. slapd uses the first "access to" directive that matches the attribute, so this must come before any general "access to * by * read" rule, otherwise that rule wins and the hashes are readable by anyone. To check, run an anonymous ldapsearch -x for userPassword against a user entry: the entry should come back without the attribute.
In slapd.conf:-
access to attrs=userPassword
    by dn="cn=admin,o=company,c=GB" write
    by anonymous auth
    by self write
    by * none