PAM LDAP - Host Based Authorization

Host-based Authorization allows you to restrict who can log into a specific machine that uses LDAP for authentication.

There are a couple of methods we have seen used; unfortunately, we cannot be certain on which Linux or Unix distributions they will work.

There are two methods to enforce host-based authentication: the first is to use the host attribute, the second is to use an LDAP pam_filter.

Host Attribute#

Basically, you add an attribute to each LDAP user's record listing the hostnames they are allowed to log in to. Each client system then checks this attribute against its own hostname and allows or denies the login based on the attribute's values.

Using the pam_check_host_attr directive to enforce host authentication has the effect that users are explicitly informed they are not permitted to access the host, with the error message: Access denied for this host.

Libpam-ldap requires that you use the host attribute. The attribute value(s) are added to each user that should be able to access the host:

dn: uid=user_to_change,ou=Users,dc=example,dc=com
changetype: modify
add: host
host: thehostname

The PAM_CONF file would require the directive:

pam_check_host_attr yes

Warning: /etc/nsswitch.conf should *not* contain "ldap" in the "shadow" entry, or host-based authentication will always succeed. See your documentation for additional information.

pam_filter authentication#

Using the pam_filter directive in PAM_CONF, it is possible to force PAM to consider only accounts with attributes of our choosing. Users who are not permitted access to the host receive no specific error; instead PAM responds as if they had entered an incorrect password.

As an example using the libpam-ldap host attribute, we can create a filter in /etc/ldap.conf which matches thehostname or *:

pam_filter |(host=thehostname)(host=\*)
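Both mechanisms above come down to the same question: does the account's host attribute contain this machine's hostname or the wildcard *? The following script is an added audit example (not part of this page or of libpam-ldap) that answers that question offline for every account in a constructed LDIF export, so an administrator can see who can reach a host and which accounts get in only through the wildcard. The sample users, hostnames and the exact-match comparison are assumptions.

```python
"""Audit which LDAP accounts may log into a host via the `host` attribute.

Models the pam_check_host_attr rule: a user is allowed when any `host`
value equals the client's hostname or is the wildcard '*'; a user with
no `host` attribute at all is denied. Input is a constructed LDIF export.
"""
import re

# Constructed sample export: alice is host-scoped, bob uses the wildcard,
# carol has no host attribute, dave is allowed on a different host.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=com
uid: alice
host: web01
host: web02

dn: uid=bob,ou=Users,dc=example,dc=com
uid: bob
host: *

dn: uid=carol,ou=Users,dc=example,dc=com
uid: carol

dn: uid=dave,ou=Users,dc=example,dc=com
uid: dave
host: db01
"""

def parse_ldif(text):
    """Return {uid: [host values]} per entry (minimal parser: no base64, no folding)."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        uid, hosts = None, []
        for line in block.splitlines():
            key, _, value = line.partition(":")
            if key == "uid":
                uid = value.strip()
            elif key == "host":
                hosts.append(value.strip())
        if uid:
            entries[uid] = hosts
    return entries

def host_allowed(hosts, hostname):
    """Exact hostname match or wildcard '*' (case-sensitive match assumed)."""
    return any(h == hostname or h == "*" for h in hosts)

def audit(ldif_text, hostname):
    """(users allowed on hostname, users allowed only because of the wildcard)."""
    entries = parse_ldif(ldif_text)
    allowed = sorted(u for u, h in entries.items() if host_allowed(h, hostname))
    wildcard_only = sorted(u for u, h in entries.items() if "*" in h and hostname not in h)
    return allowed, wildcard_only

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF, "web01"))  # (['alice', 'bob'], ['bob'])
```

Run it against a real `ldapsearch -LLL` export to review wildcard entries, which grant access to every host using either mechanism.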

More Information#

There might be more information for this subject on one of the following: