<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Control user access to servers using LDAP in Operating System - HP-UX</title>
    <link>https://community.hpe.com/t5/operating-system-hp-ux/control-user-access-to-servers-using-ldap/m-p/5214812#M465636</link>
    <description>We have a hundred servers which are grouped by some kind of function.  Some users are allowed to log onto servers in group A but not group B while other users are allowed to log onto servers in group B but not group A. (This is a simplified scenario for discussion.  In reality, we have many such groups).&lt;BR /&gt;&lt;BR /&gt;Currently we are using DCE for authentication and want to move to LDAP, but I cannot find any documentation that explains how to set up LDAP to allow this functionality.  How do other companies do this?&lt;BR /&gt;&lt;BR /&gt;We are running a mix of HP-UX v1, v2 and v3 servers in our environment.&lt;BR /&gt;&lt;BR /&gt;Thanks in advance,&lt;BR /&gt;jls</description>
    <pubDate>Wed, 16 Dec 2009 15:08:39 GMT</pubDate>
    <dc:creator>Joel Shank</dc:creator>
    <dc:date>2009-12-16T15:08:39Z</dc:date>
    <item>
      <title>Control user access to servers using LDAP</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/control-user-access-to-servers-using-ldap/m-p/5214812#M465636</link>
      <description>We have a hundred servers which are grouped by some kind of function.  Some users are allowed to log onto servers in group A but not group B while other users are allowed to log onto servers in group B but not group A. (This is a simplified scenario for discussion.  In reality, we have many such groups).&lt;BR /&gt;&lt;BR /&gt;Currently we are using DCE for authentication and want to move to LDAP, but I cannot find any documentation that explains how to set up LDAP to allow this functionality.  How do other companies do this?&lt;BR /&gt;&lt;BR /&gt;We are running a mix of HP-UX v1, v2 and v3 servers in our environment.&lt;BR /&gt;&lt;BR /&gt;Thanks in advance,&lt;BR /&gt;jls</description>
      <pubDate>Wed, 16 Dec 2009 15:08:39 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/control-user-access-to-servers-using-ldap/m-p/5214812#M465636</guid>
      <dc:creator>Joel Shank</dc:creator>
      <dc:date>2009-12-16T15:08:39Z</dc:date>
    </item>
    <item>
      <title>Re: Control user access to servers using LDAP</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/control-user-access-to-servers-using-ldap/m-p/5214813#M465637</link>
      <description>The "compat" mode can do what you're looking for, in conjunction with netgroups.&lt;BR /&gt;&lt;BR /&gt;/etc/nsswitch.conf&lt;BR /&gt;---&lt;BR /&gt;passwd: compat&lt;BR /&gt;passwd_compat: ldap&lt;BR /&gt;---&lt;BR /&gt;&lt;BR /&gt;This means that any "+" entries in the local passwd file will be referenced out to LDAP.&lt;BR /&gt;&lt;BR /&gt;So here's what you do:&lt;BR /&gt;&lt;BR /&gt;First, set the users who are to be restricted to have a default shell of /dev/null.&lt;BR /&gt;&lt;BR /&gt;This means that they will not be able to log in to any machine in the LDAP domain, by default.&lt;BR /&gt;&lt;BR /&gt;Then, set up netgroups in LDAP:&lt;BR /&gt;&lt;BR /&gt;netgroups:&lt;BR /&gt;----&lt;BR /&gt;groupA (,u1,) (,u2,) (server1A,,) (server2A,,)&lt;BR /&gt;&lt;BR /&gt;groupB (,u3,) (,u4,) (server1B,,) (server2B,,)&lt;BR /&gt;----&lt;BR /&gt;&lt;BR /&gt;passwd on groupA hosts:&lt;BR /&gt;----&lt;BR /&gt;+@groupA::::::/bin/csh&lt;BR /&gt;---&lt;BR /&gt;&lt;BR /&gt;passwd on groupB hosts:&lt;BR /&gt;----&lt;BR /&gt;+@groupB::::::/bin/csh&lt;BR /&gt;---&lt;BR /&gt;&lt;BR /&gt;These +@ entries, coupled with the "compat" mode in nsswitch.conf, will override the default /dev/null shell for the users in the specified groups, allowing them to log into the machine in question.&lt;BR /&gt;&lt;BR /&gt;If you name your netgroups so that they can be recognized by a regular expression, you can use a cron job to maintain these +@ entries in the local passwd file.&lt;BR /&gt;&lt;BR /&gt;The script would compare the access-restriction netgroups with the list of +@ entries in the passwd. That is, if the host sees its own hostname as a member of an access-restriction netgroup, it would add the +@ entry if it's not already there.  
If it sees a +@ netgroup entry for which its hostname is not a member, it would remove it from the passwd file.&lt;BR /&gt;&lt;BR /&gt;If you don't want to block access to ALL machines for the users in question, you'd need to add a shell override line for everyone except authorized users and netgroups:&lt;BR /&gt;&lt;BR /&gt;/etc/passwd&lt;BR /&gt;---&lt;BR /&gt;+@groupA::::::&lt;BR /&gt;+@sysadmins::::::&lt;BR /&gt;+::::::/dev/null&lt;BR /&gt;---&lt;BR /&gt;&lt;BR /&gt;This would mean that only members of groupA and the sysadmins netgroups would be allowed to log in to this particular machine, and everyone else would be blocked, while any machine configured normally would also be accessible to the groupA users.&lt;BR /&gt;&lt;BR /&gt;I developed this technique while my prior employer was selling off business lines ahead of its impending bankruptcy (little did we know), to allow users attached to the purchaser to access only the machines they'd purchased until we could peel them off the network and hand them off to the purchaser's sysadmins.</description>
      <pubDate>Thu, 17 Dec 2009 13:43:26 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/control-user-access-to-servers-using-ldap/m-p/5214813#M465637</guid>
      <dc:creator>mvpel</dc:creator>
      <dc:date>2009-12-17T13:43:26Z</dc:date>
    </item>
    <item>
      <title>Re: Control user access to servers using LDAP</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/control-user-access-to-servers-using-ldap/m-p/5214814#M465638</link>
      <description>Thank you mvpel.  This looks like a way of doing what I need.</description>
      <pubDate>Fri, 18 Dec 2009 14:44:42 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/control-user-access-to-servers-using-ldap/m-p/5214814#M465638</guid>
      <dc:creator>Joel Shank</dc:creator>
      <dc:date>2009-12-18T14:44:42Z</dc:date>
    </item>
  </channel>
</rss>