On RedHat Linux I did this by adding an entry to /etc/security/access.conf to allow certain groups to login.

 

Here’s what mine looks like:

 

# grep -v ^# /etc/security/access.conf

 

+ : safull sagroup2 : ALL

- : saldap : ALL

 

Safull is the group that is allowed access to that server, I also put every LDAP users into saldap so by default no ldap account has access to this server (unless in safull or sagroup2).

 

You’ll need to add a line something like this to system-auth (or module specific file if you’re using it):

 

account     required      pam_access.so

 

From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Gilbert Martin
Sent: Wednesday, February 15, 2012 5:31 PM
To: 389-users@lists.fedoraproject.org
Subject: [389-users] help - Host Access Based on Group Membership

 

Hi,

 

I would like to control host access via groups/role? Has anyone done this? If so, can you give me some pointers in the correct direction? 

 

I've done my own research, but found that I need to allow more than one group to log into a system. So, pam_groupdn is out of the question. The other way of doing it would be to use SSH, but this involves a lot of client configuration. The 3rd option would be to use a netgroup style in 389. 

 

Please advice???

 

Thanks! 


This communication, including any attached documentation, is intended only for the person or entity to which it is addressed, and may contain confidential, personal and/or privileged information. Any unauthorized disclosure, copying, or taking action on the contents is strictly prohibited. If you have received this message in error, please contact us immediately so we may correct our records. Please then delete or destroy the original transmission and any subsequent reply.