This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

Host-based Authorization
Host-based Authorization allows you to restrict who can log into a specific machine that uses LDAP for authentication.
We have seen a couple of methods used for this; unfortunately, we cannot say on which Linux/Unix distributions each of them will work.
There are two methods to enforce host-based authentication: the first uses the Host Attribute, the second uses an LDAP pam_filter.
! Host Attribute
You add an attribute to each LDAP user's record that lists the hostnames that user is allowed to log in to. Each client system then checks this attribute against its own hostname and either allows or denies the login based on its values.
Using the pam_check_host_attr directive to enforce host authentication has the effect that users are explicitly informed they are not permitted to access the host with an error message: Access denied for this host.
Libpam-ldap requires that you use the host attribute. The attribute value(s) are added to each user that should be able to access the host:
{{{
dn: uid=user_to_change,ou=Users,dc=example,dc=com
changetype: modify
add: host
host: thehostname
}}}
The [PAM_CONF] file would require the directive:
{{{
pam_check_host_attr yes
}}}
Warning: /etc/nsswitch.conf should *not* contain "ldap" in the "shadow" entry, or host-based authentication will always succeed. See your documentation for additional information.
! pam_filter authentication
Using the pam_filter directive in [PAM_CONF] it is possible to restrict PAM to only those accounts whose attributes match a filter of our choosing. Users who are not permitted access to the host receive no distinct error; instead PAM responds as if they had entered an incorrect password.
As an example using the libpam-ldap host attribute, we can define a filter in /etc/ldap.conf which matches entries whose host attribute is thehostname or *:
{{{
pam_filter |(host=thehostname)(host=\*)
}}}
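To make the difference between the two methods concrete, here is an added example (not code from the original page, nor from libpam-ldap) that simulates both decisions offline against a few constructed LDAP entries. The directory contents, the hostnames, the small LDAP-filter evaluator and the assumption that pam_ldap ANDs pam_filter with the uid lookup are all assumptions made for this example; a real pam_ldap reads the host attribute from the directory and has the LDAP server evaluate the filter.

```python
"""Host-based authorization decisions, simulated offline.

Added example, not code from the page or from pam_ldap. It models the two
mechanisms described above, pam_check_host_attr and pam_filter, against a
constructed directory so the different outcomes can be compared.
"""
import re

# Constructed sample directory. Every attribute is multi-valued, as in LDAP.
DIRECTORY = [
    {"uid": ["alice"], "userPassword": ["alice-pw"], "host": ["web01", "db01"]},
    {"uid": ["bob"],   "userPassword": ["bob-pw"],   "host": ["*"]},   # wildcard host
    {"uid": ["carol"], "userPassword": ["carol-pw"]},                  # no host attribute
]


def _find(uid):
    for entry in DIRECTORY:
        if uid in entry["uid"]:
            return entry
    return None


# --- Method 1: host attribute checked on the client (pam_check_host_attr yes) ---

def host_attr_allows(entry, hostname):
    """True if the entry's host values name this host or contain the '*' wildcard."""
    hosts = entry.get("host", [])
    return hostname in hosts or "*" in hosts


def authenticate_with_host_attr(uid, password, hostname):
    """Outcome of a login when pam_check_host_attr is enabled."""
    entry = _find(uid)
    if entry is None or password not in entry["userPassword"]:
        return "bad password"
    if not host_attr_allows(entry, hostname):
        return "Access denied for this host"   # explicit denial, as the page describes
    return "ok"


# --- Method 2: pam_filter restricts which entries PAM will even look at ---

def _value_regex(value):
    """LDAP assertion value -> regex: bare '*' is a wildcard, '\\*' a literal asterisk."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            parts.append(re.escape(value[i + 1]))
            i += 2
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def _parse(text, pos):
    """Recursive-descent parse of a subset of RFC 4515 filters; returns (predicate, pos)."""
    if text[pos] == "(":
        pred, pos = _parse(text, pos + 1)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unbalanced filter: %r" % text)
        return pred, pos + 1
    op = text[pos]
    if op in "&|":
        preds, pos = [], pos + 1
        while pos < len(text) and text[pos] == "(":
            pred, pos = _parse(text, pos)
            preds.append(pred)
        combine = all if op == "&" else any
        return (lambda e: combine(p(e) for p in preds)), pos
    if op == "!":
        pred, pos = _parse(text, pos + 1)
        return (lambda e: not pred(e)), pos
    end = text.find(")", pos)
    end = len(text) if end == -1 else end
    attr, _, value = text[pos:end].partition("=")
    rx = _value_regex(value)
    return (lambda e: any(rx.fullmatch(v) for v in e.get(attr, []))), end


def compile_filter(text):
    """Compile an LDAP filter string (with or without outer parentheses) into a predicate."""
    pred, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters in filter: %r" % text[pos:])
    return pred


def authenticate_with_pam_filter(uid, password, hostname,
                                 pam_filter="|(host={host})(host=\\*)"):
    """Outcome of a login when the page's pam_filter is configured.

    Assumption: pam_ldap ANDs pam_filter with the uid lookup, so an entry that does
    not match the filter is simply not found. `uid` comes from constructed data here;
    real code must escape it per RFC 4515 before splicing it into a filter.
    """
    search = "&(uid=%s)(%s)" % (uid, pam_filter.format(host=hostname))
    matches = [e for e in DIRECTORY if compile_filter(search)(e)]
    if not matches or password not in matches[0]["userPassword"]:
        return "bad password"   # no distinct "denied" message, as the page notes
    return "ok"


if __name__ == "__main__":
    for uid, pw, host in [("alice", "alice-pw", "web01"), ("alice", "alice-pw", "mail01"),
                          ("bob", "bob-pw", "mail01"), ("carol", "carol-pw", "web01")]:
        print(uid, "on", host, "| host attr:", authenticate_with_host_attr(uid, pw, host),
              "| pam_filter:", authenticate_with_pam_filter(uid, pw, host))
```

Running it shows the practical trade-off: with the host attribute method a user with a valid password on the wrong host gets the explicit "Access denied for this host", while with pam_filter the same user is indistinguishable from one who mistyped their password, which is quieter but harder to troubleshoot. An entry with no host attribute at all (carol) is denied by both methods.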