- Restricting Access to Linux Servers after connecti...
05-11-2012 07:38 AM
Greetings,
I have successfully connected my RH 5.8 servers to AD using Winbind. The problem is now anyone in AD can connect to the RH server. I need to allow only web developers to connect from different offices around the world. An AD solution is unlikely.
Fred
05-14-2012 12:52 AM
Solution
In AD, your web developers are probably distinguishable by being members of a particular group. Or you could request the AD admins to create a group for the purpose. Having a separate group might be useful if you someday need to allow someone who is not a web developer to access the Linux servers, or you'll have a web developer who must not be allowed to access the Linux servers for some reason.
That group should be automatically mapped to a Linux group by winbind: use that group in your access control configuration for all relevant services, so that the login attempt will be rejected if the user does not belong to that particular group.
You could apply this either at the server level (for example, SSH has DenyGroups/AllowGroups directives available in the /etc/ssh/sshd_config file), or at the PAM level using the pam_succeed_if module (see "man pam_succeed_if").
Something like this at the appropriate location in /etc/pam.d/system-auth might be what you're looking for:
auth required pam_succeed_if.so user ingroup <web_developers_group>
Remember that the order of lines in PAM configuration files is meaningful.
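Added example, not part of the post above: a shell check of the line-order point. It reads a PAM file on stdin and reports whether a pam_succeed_if group gate in the auth stack sits above every "sufficient" line, since a successful "sufficient" module ends the stack before later lines are evaluated. The function name, the group name "webdev" and both sample stacks are constructed for illustration.

```shell
#!/bin/sh
# Prints: ok | bypassable | missing
# Assumptions of this sketch: only simple control keywords are understood;
# "include" lines and [value=action] controls are not followed.
pam_gate_status() {
    group=$1
    awk -v grp="$group" '
        /^[ \t]*#/ || NF < 3 { next }      # skip comments and short lines
        $1 != "auth"         { next }      # only the auth stack
        {
            ctl = $2; mod = $3
            sub(/^.*\//, "", mod)          # strip any directory prefix
            is_gate = 0
            if (mod == "pam_succeed_if.so" && (ctl == "required" || ctl == "requisite"))
                for (i = 4; i + 2 <= NF; i++)
                    if ($i == "user" && $(i+1) == "ingroup" && $(i+2) == grp)
                        is_gate = 1
            if (is_gate && !found) {
                found = 1; early = seen_sufficient
            } else if (ctl == "sufficient" && !found) {
                seen_sufficient = 1        # success here would skip the gate
            }
        }
        END {
            if (!found)     print "missing"
            else if (early) print "bypassable"
            else            print "ok"
        }'
}

# Constructed sample stacks ("webdev" is a placeholder group name).
GATE_LAST='auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_succeed_if.so user ingroup webdev
auth required pam_deny.so'

GATE_FIRST='auth required pam_env.so
auth required pam_succeed_if.so user ingroup webdev
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so'

printf '%s\n' "$GATE_LAST"  | pam_gate_status webdev
printf '%s\n' "$GATE_FIRST" | pam_gate_status webdev
```

A gate placed in a shared file such as system-auth applies to every service that includes it, local accounts included, so keep a root session open while testing.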
05-14-2012 08:39 AM
Re: Restricting Access to Linux Servers after connecting to Active Directory
MK,
Thank you for responding. Unfortunately, there is no particular AD group to use. Users are scattered all over the world and isolating them via AD is impossible.
Fred
05-14-2012 03:24 PM
Re: Restricting Access to Linux Servers after connecting to Active Directory
Having discussed this further, I think the AD way is the only way to restrict access.