Re: Login Authentication

SOLVED
hangyu
Regular Advisor

Login Authentication

I have three servers, which are 192.168.0.1, 192.168.0.2 and 192.168.0.3,
and I have already set up OpenLDAP authentication, with 192.168.0.1 as
the master LDAP server. Now the users can authenticate via LDAP and
then access the servers. However, some users should not be allowed to
log in to 192.168.0.2, but currently they can log in to this server via LDAP,
because the LDAP server accepts the authentication. For example, the user runs
'ssh 192.168.0.2', LDAP accepts the authentication and then allows the
user to log in to this server. Can you advise how to forbid unauthorized
users from accessing 192.168.0.2? thx
Alexander Samad
Frequent Advisor

Re: Login Authentication

If you are using pam_ldap and libnss-ldap, you can set it up on each box to filter out which userids are available on each box.

For example, on 192.168.0.2:

change the ldap search filters to only allow certain userids, based on some attribute.
hangyu
Regular Advisor

Re: Login Authentication

thx Alexander Samad,

If so, do I need to set the deny/accept list on all servers once I have created a user? And could you point me to the doc for the setting? thx
Ivan Ferreira
Honored Contributor
Solution

Re: Login Authentication

This is a good document.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
hangyu
Regular Advisor

Re: Login Authentication

thx for the reply,

I have already followed the admin guide to set it up and added the below to the config files, but it is strange that when I use telnet to access the system, it pops up "Access denied for this host" but still accepts me into the system. Can you advise why the system does not deny me access? thx

#vi /etc/ldap.conf
pam_check_host_attr yes

#vi /etc/pam.d/system-auth
auth required /lib/security/pam_nologin.so
auth required pam_env.so
auth required /lib/security/pam_unix.so nullok shadow use_first_pass
auth sufficient /lib/security/pam_ldap.so
auth required pam_deny.so

account required /lib/security/pam_unix.so
account sufficient pam_localuser.so
account sufficient /lib/security/pam_ldap.so
#account sufficient [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

#account [success=done new_authtok_reqd=done perm_denied=bad default=ignore] pam_ldap.so

password required /lib/security/pam_cracklib.so retry=3
password required /lib/security/pam_unix.so nullok use_authtok shadow md5
password sufficient pam_ldap.so use_authtok use_first_pass
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0066
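The behaviour described in the last post (pam_ldap prints "Access denied for this host", yet login succeeds) follows from PAM control flags: in the posted account stack pam_ldap is marked `sufficient`, and a `sufficient` module's failure maps to the `ignore` action, so the stack's result is decided by `pam_unix.so`, which already passed. The following Python model of the Linux-PAM control-flag state machine is an added example, not code from the thread or from Linux-PAM itself; it evaluates the posted account stack and the same stack with the bracketed pam_ldap line from the post (the commented-out `[default=bad success=ok user_unknown=ignore ...]` form) made active. The module return values are constructed for the scenario and are assumptions: pam_unix accepts an NSS-resolvable LDAP user, pam_localuser denies anyone not in /etc/passwd, and pam_ldap denies the host.

```python
"""Model of Linux-PAM stack evaluation (added example; not from the thread or libpam).

Implements the control-flag actions from pam.conf(5) (ok, done, bad, die, ignore)
closely enough to show why a failing "sufficient" module cannot deny access.
"""

PAM_SUCCESS = "success"
PAM_PERM_DENIED = "perm_denied"
PAM_USER_UNKNOWN = "user_unknown"

# Keyword controls as Linux-PAM expands them (pam.conf(5)).
CONTROL_FLAGS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_control(control):
    """Return the retval->action table for a keyword or a '[retval=action ...]' control."""
    if control.startswith("["):
        table = {}
        for pair in control.strip("[]").split():
            retval, action = pair.split("=")
            table[retval] = action
        return table
    return CONTROL_FLAGS[control]


def run_stack(stack, results):
    """Evaluate stack = [(control, module), ...] with results = {module: retval}.

    Returns the status handed back to the application (login allowed only on PAM_SUCCESS).
    """
    impression = None          # None = undefined, True = positive, False = negative
    status = PAM_PERM_DENIED   # an empty/undecided stack must fail
    for control, module in stack:
        retval = results[module]
        table = parse_control(control)
        action = table.get(retval, table["default"])
        if action in ("ok", "done"):
            # Contributes to the result only if no failure has been recorded yet.
            if impression is None or (impression and status == PAM_SUCCESS):
                impression, status = True, retval
            if action == "done" and impression and status == PAM_SUCCESS:
                break          # "sufficient" success with no earlier failure ends the stack
        elif action == "bad":
            if impression is not False:
                impression, status = False, retval   # first failure wins
        elif action == "die":
            if impression is not False:
                impression, status = False, retval
            break
        # "ignore": the return value does not contribute at all
    return status if impression is not None else PAM_PERM_DENIED


# The account stack as posted: pam_ldap's denial is "sufficient", hence ignored.
POSTED_STACK = [
    ("required", "pam_unix.so"),
    ("sufficient", "pam_localuser.so"),
    ("sufficient", "pam_ldap.so"),
]

# Same stack with the post's commented-out bracketed control made active for pam_ldap:
# perm_denied falls under default=bad, while local users (unknown to LDAP) are ignored.
FIXED_STACK = [
    ("required", "pam_unix.so"),
    ("sufficient", "pam_localuser.so"),
    ("[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]",
     "pam_ldap.so"),
]

# Constructed outcomes (assumptions, see lead-in) for an LDAP user whose host
# attribute does not list this server: this is the "Access denied for this host" case.
LDAP_USER_ON_DENIED_HOST = {
    "pam_unix.so": PAM_SUCCESS,
    "pam_localuser.so": PAM_PERM_DENIED,
    "pam_ldap.so": PAM_PERM_DENIED,
}

# Constructed outcomes for a local /etc/passwd user, who must keep working after the fix.
LOCAL_USER = {
    "pam_unix.so": PAM_SUCCESS,
    "pam_localuser.so": PAM_SUCCESS,
    "pam_ldap.so": PAM_USER_UNKNOWN,
}


if __name__ == "__main__":
    print("posted stack, denied-host LDAP user:", run_stack(POSTED_STACK, LDAP_USER_ON_DENIED_HOST))
    print("fixed stack,  denied-host LDAP user:", run_stack(FIXED_STACK, LDAP_USER_ON_DENIED_HOST))
    print("fixed stack,  local user:           ", run_stack(FIXED_STACK, LOCAL_USER))
```

Running it shows the posted stack returning `success` for the denied-host user (pam_unix's `required` success stands because the two `sufficient` failures are ignored), while the bracketed control makes pam_ldap's `perm_denied` binding without breaking local accounts, which pam_localuser still admits via `done` before pam_ldap is consulted. A quick way to confirm the real stack on the box is to watch the auth log while logging in: with the fixed line, the pam_ldap host-check message is followed by a denial rather than a session open.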