Control user access to servers using LDAP

SOLVED
Joel Shank
Valued Contributor


We have a hundred servers which are grouped by some kind of function. Some users are allowed to log onto servers in group A but not group B while other users are allowed to log onto servers in group B but not group A. (This is a simplified scenario for discussion. In reality, we have many such groups).

Currently we are using DCE for authentication and want to move to LDAP, but I cannot find any documentation that explains how to set up LDAP to allow this functionality. How do other companies do this?

We are running a mix of HP-UX v1, v2 and v3 servers in our environment.

Thanks in advance,
jls
2 REPLIES
mvpel
Trusted Contributor
Solution

Re: Control user access to servers using LDAP

The "compat" mode can do what you're looking for, in conjunction with netgroups.

/etc/nsswitch.conf
---
passwd: compat
passwd_compat: ldap
---

This means that any "+" entries in the local passwd file will be referenced out to LDAP.

So here's what you do:

First, set the users who are to be restricted to have a default shell of /dev/null.

This means that they will not be able to log in to any machine in the LDAP domain, by default.

Then, set up netgroups in LDAP:

netgroups:
---
groupA (,u1,) (,u2,) (server1A,,) (server2A,,)

groupB (,u3,) (,u4,) (server1B,,) (server2B,,)
---

passwd on groupA hosts:
---
+@groupA::::::/bin/csh
---

passwd on groupB hosts:
---
+@groupB::::::/bin/csh
---

These +@ entries, coupled with the "compat" mode in nsswitch.conf, will override the default /dev/null shell for the users in the specified groups, allowing them to log into the machine in question.

If you name your netgroups so that they can be recognized by a regular expression, you can use a cron job to maintain these +@ entries in the local passwd file.

The script would compare the access-restriction netgroups with the list of +@ entries in the passwd. That is, if the host sees its own hostname as a member of an access-restriction netgroup, it would add the +@ entry if it's not already there. If it sees a +@ netgroup entry for which its hostname is not a member, it would remove it from the passwd file.

If you don't want to block access to ALL machines for the users in question, you'd need to add a shell override line for everyone except authorized users and netgroups:

/etc/passwd
---
+@groupA::::::
+@sysadmins::::::
+::::::/dev/null
---

This would mean that only members of groupA and the sysadmins netgroups would be allowed to log in to this particular machine, and everyone else would be blocked, while any machine configured normally would also be accessible to the groupA users.

I developed this technique while my prior employer was selling off business lines ahead of its impending bankruptcy (little did we know), to allow users attached to the purchaser to access only the machines they'd purchased until we could peel them off the network and hand them off to the purchaser's sysadmins.
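The cron-driven reconciliation mvpel sketches (add a +@ line when the host appears in an access-restriction netgroup, drop +@ lines for netgroups the host is not in) is shown below as a worked example. This is added code, not something from the post or from HP's LDAP-UX product. It assumes the access-restriction netgroups share a name prefix (acc_ here), that the netgroup dump arrives in the NIS-style "name (host,user,domain) ..." form used in the post (in production that would come from ypcat -k netgroup or an ldapsearch over the netgroup entries, neither of which is run here), and it works on constructed sample data for an imaginary host server2A that still carries a stale +@acc_groupB line.

```shell
#!/bin/sh
# Added example, not from the original post: reconcile the "+@netgroup"
# entries of a passwd file against the access-restriction netgroups that
# list this host.  Netgroup names, hostnames and the "acc_" prefix are
# assumptions for illustration.

# Constructed sample netgroup dump (NIS "ypcat -k netgroup" style, as in the
# post).  In production this would be produced by ypcat or ldapsearch.
NETGROUPS='acc_groupA (,u1,) (,u2,) (server1A,,) (server2A,,)
acc_groupB (,u3,) (,u4,) (server1B,,) (server2B,,)
sysadmins (,root,) (,ops1,)'

# Constructed sample passwd for server2A: it has a stale +@acc_groupB line
# (the host was moved out of group B) and is missing +@acc_groupA.
PASSWD='root:x:0:3::/:/sbin/sh
daemon:x:1:5::/:/sbin/sh
+@acc_groupB::::::/bin/csh
+@sysadmins::::::
+::::::/dev/null'

# reconcile_passwd NETGROUP_TEXT PASSWD_TEXT HOST PATTERN SHELL
#   Prints the reconciled passwd on stdout.  PATTERN is an awk regex that
#   picks out the access-restriction netgroups (the post suggests naming them
#   so a regex can recognise them).  For every matching netgroup whose host
#   triples include HOST a "+@name::::::SHELL" line is guaranteed to exist;
#   +@ lines for matching netgroups that do not list HOST are removed.
#   Lines for non-matching netgroups (e.g. +@sysadmins) and ordinary users
#   are left untouched.  New +@ lines are inserted just before the first
#   bare "+" catch-all line, because compat mode takes the first match and
#   the catch-all is what forces /dev/null on everyone else.
reconcile_passwd() {
    printf '%s\n@@END_NETGROUPS@@\n%s\n' "$1" "$2" |
    awk -v host="$3" -v pat="$4" -v shell="$5" '
        function add_missing(   n) {
            for (n in wanted) if (!(n in present))
                print "+@" n "::::::" shell
        }
        $0 == "@@END_NETGROUPS@@" { in_pw = 1; next }
        !in_pw {                                # netgroup dump section
            if ($1 ~ pat)
                for (i = 2; i <= NF; i++) {     # walk the (host,user,domain) triples
                    t = $i; gsub(/[()]/, "", t); split(t, f, ",")
                    if (f[1] == host) { wanted[$1] = 1; break }
                }
            next
        }
        /^\+@/ {                                # passwd section: a +@netgroup line
            split($0, p, ":"); name = substr(p[1], 3)
            if (name ~ pat) {
                if (!(name in wanted)) next     # stale entry: drop it
                present[name] = 1
            }
        }
        /^\+(:|$)/ && !flushed { add_missing(); flushed = 1 }
        { print }
        END { if (!flushed) add_missing() }     # no catch-all: append at the end
    '
}

# Stand-alone demonstration: what server2A's passwd should look like.
reconcile_passwd "$NETGROUPS" "$PASSWD" server2A '^acc_' /bin/csh
```

In a cron job the function would be fed the live netgroup dump and /etc/passwd, with the output written to a temporary file on the same filesystem, checked (at minimum that root's line survived and the file is non-empty), and only then moved over /etc/passwd under the same lock vipw uses; never rewrite the password file in place from a pipeline. Running the script twice must produce identical output, which is the property to verify before trusting it on a hundred hosts.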
Joel Shank
Valued Contributor

Re: Control user access to servers using LDAP

Thank you mvpel. This looks like a way of doing what I need.