HPE Community
Operating System - Linux
1752812 Members
5819 Online
108789 Solutions
New Discussion юеВ

Re: Login Authenication

 
SOLVED
Go to solution
hangyu
Regular Advisor

тАО08-23-2006 01:19 PM

тАО08-23-2006 01:19 PM

Login Authenication

I have three server which are 192.168.0.1 , 192.168.0.2 , 192.168.0.3 ,
and have already setup the openldap authentication while 192.168.0.1 is
the master ldap server , now the user can authenticate via the ldap
then access the servers, however , some users should not be allowed to
login 192.168.0.2 , but now they can login this server via the ldap as
the ldap server accept the authentication , for example , the user run
'ssh 192.168.0.2' , the ldap accept the authentication then allow the
user to login this server , can advise how to forbid the unauthorized
user can access 192.168.0.2' ? thx
0 Kudos
Reply
4 REPLIES 4
Alexander Samad
Frequent Advisor

тАО08-23-2006 06:19 PM

тАО08-23-2006 06:19 PM

Re: Login Authenication

If you are using pamldap and libnss-ldap you can setup it up on each box to filter out which userid are available on each box.

For eg on 192.168.0.2

change the ldap search filters to only allow certain userids, based on some attribute.
Reply
hangyu
Regular Advisor

тАО08-23-2006 11:01 PM

тАО08-23-2006 11:01 PM

Re: Login Authenication

thx Alexander Samad ,

If so , I need to set the deny / accept list in all servers once I have created a user ? and could you point me to the doc for the setting ? thx
0 Kudos
Reply
Ivan Ferreira
Honored Contributor

тАО08-24-2006 02:10 AM

тАО08-24-2006 02:10 AM

Solution

Re: Login Authenication

This is a good document.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Reply
hangyu
Regular Advisor

тАО09-03-2006 05:01 AM

тАО09-03-2006 05:01 AM

Re: Login Authenication

thx reply ,

I have already follow the admin guide to setup it , add the below to the config file , but it is strange that when I use telnet to access the system , it pop "Access denied for this host" , but to still accept me to access the system , can advise why the system not deny me to access ? thx


#vi /etc/ldap.conf
pam_check_host_attr yes

#vi /etc/pam.d/system-auth
auth required /lib/security/pam_nologin.so
auth required pam_env.so
auth required /lib/security/pam_unix.so nullok shadow use_first_pass
auth sufficient /lib/security/pam_ldap.so
auth required pam_deny.so

account required /lib/security/pam_unix.so
account sufficient pam_localuser.so
account sufficient /lib/security/pam_ldap.so
#account sufficient [default=bad success=ok user_unknown=ignore service_err=igno
re system_err=ignore] /lib/security/$ISA/pam_ldap.so

#account [success=done new_authtok_reqd=done perm_denied=bad default=ignore] pam
_ldap.so

password required /lib/security/pam_cracklib.so retry=3
password required /lib/security/pam_unix.so nullok use_authtok shadow md5
password sufficient pam_ldap.so use_authtok use_first_pass
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0066
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.