[Fedora-directory-users] Restricting Users Login Question

Timothy Hunt timothy.hunt at intraisp.com
Tue Nov 13 02:42:28 UTC 2007


On Redhat 4.1, using PAM, we use /etc/security/access.conf

the relevant line is
-:ALL EXCEPT wheel permitted-ldap-group-for-this-box permitted-ldap-group-for-this-box-root:ALL

so that's deny everyone from everywhere, except people in these three  
groups.

So, any local accounts (if your connection to your LDAP box fails,  
you need a backup account) that can log in are in the wheel group.

Then, normal users who are in the "permitted-ldap-group-for-this-box"  
group are also allowed on.

Further, those in "permitted-ldap-group-for-this-box-root" are also  
allowed on, and that group also appears in /etc/sudoers to control  
which users can also use sudo.

You just define groups of boxes that should have similar access  
authorization, make a group for that set of boxes, add that group to  
the access.conf, and then add the users you want to allow to those  
boxes to that group.

Rinse and repeat for the other classes of boxes.

Timothy

On Nov 12, 2007, at 8:11 PM, Jared B. Griffith wrote:

> I am setting up a Fedora Directory Server for use in our company.   
> Our problem now is that any user that has a posix account (which it  
> is necessary for every user to have a posix account due to web  
> applications and our heavy use of Linux machines) can log into  
> machines we do not want them having access to (i.e. production web  
> servers, gateways, firewalls, etc etc etc).
> Yes, we could lock it down via sshd_config on the servers with the  
> AllowUsers statement, but that would not prevent them from being  
> able to log in on the local machine.
> I have changed my ldap.conf on my linux / bsd machines to allow  
> only the following:
>
> pam_groupdn cn=syadmins,ou=IT,ou=Groups,dc=company,dc=tld
> # Group member attribute
> pam_member_attribute uniqueMember
>
> This does and does not work.  When logging into the server with a  
> user that is not a member of that group, I get the following warning:
> You must be a uniqueMember of cn=syadmins,ou=IT,ou=Groups,dc=company,dc=tld to login
> But it logs me right in.
> I have posted the full ldap.conf here:
> http://pastebin.com/m11b0b227
> Here is the shorter version (minus all commented out stuff)
> http://pastebin.com/m26f9048d
>
> Any help or pointers would be appreciated.
>
>
>
> -- 
> - Thank you,
> - Jared B. Griffith
> - Farheap Solutions, Inc.
> - Lead Systems Administrator
> - California IT Department
> - Email - jared.griffith at farheap.com
> - Phone - 949.417.1500 ext. 266
> - Cell Phone - 949.910.6542
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
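The deny-everyone-except line in Timothy's reply is easy to get wrong by one mistyped group name, and a mistake there either locks every admin out of the box or lets everyone in. The following is an added example, not code from the thread or from the Fedora Directory Server project: it parses a candidate access.conf and reports which users it would admit, taking a user-to-group map as input in place of the real NSS lookup. The config text, the user names (root, alice, bob, carol) and their group memberships are constructed for illustration, and the matching logic is a simplified model of pam_access that covers user and group names, ALL, ALL EXCEPT and plain origin names; netgroups (@name), address ranges and pam_access options are not modelled.

```python
"""Dry-run a pam_access policy before rolling it out to a box.

Added example, not part of the mailing-list thread. Given the text of an
/etc/security/access.conf and a constructed user -> groups map, report
who would be let in. First matching rule wins; pam_access allows access
when no rule matches, which is why the deny line must list every group
that should get in.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed policy: the deny-all-except line from the reply, with a
# comment and a blank line to show both are skipped by the parser.
ACCESS_CONF = """
# deny everyone from everywhere except these three groups
-:ALL EXCEPT wheel permitted-ldap-group-for-this-box permitted-ldap-group-for-this-box-root:ALL
"""

# Constructed memberships, standing in for what `id -Gn <user>` returns.
GROUPS: Dict[str, List[str]] = {
    "root":  ["root", "wheel"],
    "alice": ["alice", "permitted-ldap-group-for-this-box"],
    "bob":   ["bob", "permitted-ldap-group-for-this-box-root"],
    "carol": ["carol", "users"],
}


@dataclass
class Rule:
    permit: bool           # True for "+", False for "-"
    users: List[str]       # tokens of the users/groups field
    origins: List[str]     # tokens of the origins field


def parse_access_conf(text: str) -> List[Rule]:
    """Parse permission:users:origins lines, skipping comments and blanks."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            raise ValueError(f"malformed access.conf line: {raw!r}")
        perm = parts[0].strip()
        if perm not in ("+", "-"):
            raise ValueError(f"permission must be + or -: {raw!r}")
        rules.append(Rule(perm == "+", parts[1].split(), parts[2].split()))
    return rules


def _field_matches(items: List[str], candidates: Set[str]) -> bool:
    """Match a users or origins field against the names describing the subject.

    'ALL' matches anything; 'ALL EXCEPT a b c' matches when none of a, b, c do.
    """
    if len(items) >= 2 and items[0] == "ALL" and items[1] == "EXCEPT":
        return not _field_matches(items[2:], candidates)
    return any(item == "ALL" or item in candidates for item in items)


def access_decision(rules: List[Rule], user: str, groups: List[str],
                    origin: str = "LOCAL") -> bool:
    """Return True if the first matching rule permits the login (default allow)."""
    subject = {user, *groups}
    for rule in rules:
        if _field_matches(rule.users, subject) and _field_matches(rule.origins, {origin}):
            return rule.permit
    return True


def report(rules: List[Rule], memberships: Dict[str, List[str]]) -> Dict[str, bool]:
    """Decision for every user in the map, so a policy can be eyeballed before deployment."""
    return {user: access_decision(rules, user, grps) for user, grps in memberships.items()}


if __name__ == "__main__":
    for user, allowed in report(parse_access_conf(ACCESS_CONF), GROUPS).items():
        print(f"{user:6} {'ALLOW' if allowed else 'DENY'}")
```

Run it once with the groups of a local emergency account (the wheel member) in the map: if that account is denied, the fallback for an unreachable LDAP server is gone, and the policy should not be deployed.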



