On Red Hat Linux I did this by adding an entry to /etc/security/access.conf to allow certain groups to log in.
Here’s what mine looks like:
# grep -v ^# /etc/security/access.conf
+ : safull sagroup2 : ALL
- : saldap : ALL
Safull is the group that is allowed access to that server. I also put every LDAP user into saldap, so by default no LDAP account has access to this server (unless in safull or sagroup2).
You’ll need to add a line something like this to system-auth (or module specific file if you’re using it):
account required pam_access.so
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org]
On Behalf Of Gilbert Martin
Sent: Wednesday, February 15, 2012 5:31 PM
To: 389-users@lists.fedoraproject.org
Subject: [389-users] help - Host Access Based on Group Membership
Hi,
I would like to control host access via groups/role? Has anyone done this? If so, can you give me some pointers in the correct direction?
I've done my own research, but found that I need to allow more than one group to log into a system. So, pam_groupdn is out of the question. The other way of doing it would be to use SSH, but this involves a lot of client configuration.
The 3rd option would be to use a netgroup style in 389.
Please advise???
Thanks!
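
The two access.conf rules quoted in the reply depend on pam_access stopping at the first matching line and granting access when no line matches. The following is an added example, not part of the original messages: a simplified Python model of that evaluation, with constructed accounts (alice, bob, carol) as assumptions, showing who gets in and which rule decided it.

```python
# Simplified model of pam_access first-match evaluation (not pam_access itself).
# Handles only "perm : users : origins" lines with plain names, (group) and ALL;
# EXCEPT, netgroups and host/tty origin matching are deliberately left out.
RULES = """\
+ : safull sagroup2 : ALL
- : saldap : ALL
"""
# Constructed sample accounts: user name -> set of group names.
ACCOUNTS = {
    "alice": {"saldap", "safull"},     # LDAP user granted via safull
    "bob":   {"saldap"},               # LDAP user with no granting group
    "carol": {"saldap", "sagroup2"},   # LDAP user granted via sagroup2
    "root":  {"root"},                 # local account, not in saldap
}

def parse(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {line!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules

def token_matches(token, user, groups):
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return token[1:-1] in groups          # explicit (group) syntax
    return token == user or token in groups   # bare name: user, then group

def decide(user, groups, rules):
    """Return (allowed, index of the deciding rule or None)."""
    for i, (perm, users, origins) in enumerate(rules):
        if "ALL" in origins and any(token_matches(t, user, groups) for t in users):
            return perm == "+", i
    return True, None   # no rule matched: pam_access grants access

def report(rules_text=RULES, accounts=ACCOUNTS):
    rules = parse(rules_text)
    return {u: decide(u, g, rules) for u, g in accounts.items()}

if __name__ == "__main__":
    for user, (allowed, idx) in report().items():
        print(f"{user:6} {'allow' if allowed else 'deny':5} rule={idx}")
```

Accounts outside saldap, such as local ones, match neither line and are allowed by default. Swapping the two lines would deny alice and carol, because the saldap rule would match first.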