Re: Login Authenication

Go to solution
Regular Advisor

Login Authenication

I have three server which are , , ,
and have already setup the openldap authentication while is
the master ldap server , now the user can authenticate via the ldap
then access the servers, however , some users should not be allowed to
login , but now they can login this server via the ldap as
the ldap server accept the authentication , for example , the user run
'ssh' , the ldap accept the authentication then allow the
user to login this server , can advise how to forbid the unauthorized
user can access' ? thx
Alexander Samad
Frequent Advisor

Re: Login Authenication

If you are using pamldap and libnss-ldap you can setup it up on each box to filter out which userid are available on each box.

For eg on

change the ldap search filters to only allow certain userids, based on some attribute.
Regular Advisor

Re: Login Authenication

thx Alexander Samad ,

If so , I need to set the deny / accept list in all servers once I have created a user ? and could you point me to the doc for the setting ? thx
Ivan Ferreira
Honored Contributor

Re: Login Authenication

This is a good document.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Regular Advisor

Re: Login Authenication

thx reply ,

I have already follow the admin guide to setup it , add the below to the config file , but it is strange that when I use telnet to access the system , it pop "Access denied for this host" , but to still accept me to access the system , can advise why the system not deny me to access ? thx

#vi /etc/ldap.conf
pam_check_host_attr yes

#vi /etc/pam.d/system-auth
auth required /lib/security/
auth required
auth required /lib/security/ nullok shadow use_first_pass
auth sufficient /lib/security/
auth required

account required /lib/security/
account sufficient
account sufficient /lib/security/
#account sufficient [default=bad success=ok user_unknown=ignore service_err=igno
re system_err=ignore] /lib/security/$ISA/

#account [success=done new_authtok_reqd=done perm_denied=bad default=ignore] pam

password required /lib/security/ retry=3
password required /lib/security/ nullok use_authtok shadow md5
password sufficient use_authtok use_first_pass
password required

session required
session required
session required skel=/etc/skel/ umask=0066