SSH access to hosts groups based on user groups using LDAP
This is my entire test LDAP database for now:
# extended LDIF
#
# LDAPv3
# base <dc=ldap,dc=example,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# ldap.example.com
dn: dc=ldap,dc=example,dc=com
dc: ldap
description: Root for Test LDAP server
objectClass: top
objectClass: dcObject
objectClass: organization
o: Test
# People, ldap.example.com
dn: ou=People,dc=ldap,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
description: All people in Test
# Group, ldap.example.com
dn: ou=Group,dc=ldap,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
description: All groups in Test
# Hosts, ldap.example.com
dn: ou=Hosts,dc=ldap,dc=example,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit
description: All hosts in Test
# HostGroups, ldap.example.com
dn: ou=HostGroups,dc=ldap,dc=example,dc=com
ou: HostGroups
objectClass: top
objectClass: organizationalUnit
description: All host groups in Test
# client1, Hosts, ldap.example.com
dn: cn=client1,ou=Hosts,dc=ldap,dc=example,dc=com
objectClass: hostGroup
objectClass: ipHost
objectClass: top
cn: client1
ipHostNumber: 192.168.56.21
# client2, Hosts, ldap.example.com
dn: cn=client2,ou=Hosts,dc=ldap,dc=example,dc=com
objectClass: hostGroup
objectClass: ipHost
objectClass: top
cn: client2
ipHostNumber: 192.168.56.22
# client3, Hosts, ldap.example.com
dn: cn=client3,ou=Hosts,dc=ldap,dc=example,dc=com
objectClass: hostGroup
objectClass: ipHost
objectClass: top
cn: client3
ipHostNumber: 192.168.56.23
# group1, HostGroups, ldap.example.com
dn: cn=group1,ou=HostGroups,dc=ldap,dc=example,dc=com
objectClass: hostGroup
objectClass: authorizedServiceObject
objectClass: top
authorizedService: sshd
hostmemberIP: 192.168.56.21
hostmemberIP: 192.168.56.23
cn: group1
# group2, HostGroups, ldap.example.com
dn: cn=group2,ou=HostGroups,dc=ldap,dc=example,dc=com
objectClass: hostGroup
objectClass: authorizedServiceObject
objectClass: top
authorizedService: sshd
hostmemberIP: 192.168.56.22
cn: group2
# users, Group, ldap.example.com
dn: cn=users,ou=Group,dc=ldap,dc=example,dc=com
cn: users
objectClass: posixGroup
objectClass: top
gidNumber: 701
memberUid: abhinav
memberUid: akumar
# admins, Group, ldap.example.com
dn: cn=admins,ou=Group,dc=ldap,dc=example,dc=com
objectClass: posixGroup
objectClass: top
gidNumber: 702
cn: admins
memberUid: abhinavk
# abhinav, People, ldap.example.com
dn: uid=abhinav,ou=People,dc=ldap,dc=example,dc=com
uid: abhinav
cn: abhinav
objectClass: account
objectClass: posixAccount
objectClass: top
uidNumber: 1000
gidNumber: 701
homeDirectory: /home/abhinav
loginShell: /bin/bash
gecos: abhinav
userPassword:: e1NTSEF9NitwODhYZHZnSjliZnJKcElHamdteXhsdUJDSlorNmI=
# akumar, People, ldap.example.com
dn: uid=akumar,ou=People,dc=ldap,dc=example,dc=com
uid: akumar
cn: akumar
objectClass: account
objectClass: posixAccount
objectClass: top
uidNumber: 1001
gidNumber: 701
homeDirectory: /home/akumar
loginShell: /bin/bash
gecos: akumar
userPassword:: e1NTSEF9NVdJdS9yTkIrUlRWelJJMWxHY2UvVzJXNGxmUjYwZ04=
# abhinavk, People, ldap.example.com
dn: uid=abhinavk,ou=People,dc=ldap,dc=example,dc=com
uid: abhinavk
cn: abhinavk
objectClass: account
objectClass: posixAccount
objectClass: top
uidNumber: 1002
gidNumber: 702
homeDirectory: /home/abhinavk
loginShell: /bin/bash
gecos: abhinavk
userPassword:: e1NTSEF9NVdJdS9yTkIrUlRWelJJMWxHY2UvVzJXNGxmUjYwZ04=
# search result
search: 2
result: 0 Success
# numResponses: 16
# numEntries: 15
There can be n host groups and m user groups. So is it possible to allow specific user groups to access only specific host groups?
For example: the group cn=admins,ou=Group,dc=ldap,dc=example,dc=com should be able to access all hosts under the host groups cn=group1,ou=HostGroups,dc=ldap,dc=example,dc=com and cn=group2,ou=HostGroups,dc=ldap,dc=example,dc=com, and the group cn=users,ou=Group,dc=ldap,dc=example,dc=com should only be able to access hosts under the host group cn=group1,ou=HostGroups,dc=ldap,dc=example,dc=com.
I tried searching online for help but couldn't find anything helpful.
The above LDAP structure is based on my understanding of this post here.
The LDAP server and client OS is CentOS 6.x, and the LDAP server version is openldap-servers-2.4.39-8.el6.x86_64.
I have been stuck at this since Friday. I am guessing something needs to be done with ACLs on the LDAP server and the base search URL on the LDAP clients, but I am really not sure what exactly needs to be done.
Update
Reading this post here gave me an idea to drop host groups entirely and instead use normal groups for each host type. I started from scratch (but with a structure very similar to the one above), created an object class groupOfMembers (basically posixGroup with a member field in it), and started making groups and users members of it.
For example:
# gt1, Group, ldap.example.com
dn: cn=gt1,ou=Group,dc=ldap,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfMembers
objectClass: top
gidNumber: 703
cn: gt1
member: cn=admins,ou=Group,dc=ldap,dc=example,dc=com
member: cn=user1,ou=People,dc=ldap,dc=example,dc=com
member: cn=users,ou=Group,dc=ldap,dc=example,dc=com
admins and users are other groups with members, and user1 is a user account. I also added this to the /etc/pam_ldap.conf file on the client side:
pam_groupdn cn=gt1,ou=Group,dc=ldap,dc=example,dc=com
pam_member_attribute member
Now when I log in as user1, I am able to. But when I try this with the other users admin (part of the admins group) and appuser (part of the users group), I get this error message:
You must be a member of cn=gt1,ou=Group,dc=ldap,dc=example,dc=com to login.
Is there any way I can use another group's DN in the member field of a group and make pam_ldap work?
ssh openldap
asked Nov 11 '14 at 23:30 by AbhinavK
edited Nov 16 '14 at 19:00 by AbhinavK
1 Answer
The hostgroup mechanism is part of the tcpwrapper structure. That said, tcpwrapper does not know about user logins and only handles pairs of IP hosts and their access rights.
While sshd can use tcpwrapper for host-based access control, these limitations of tcpwrapper are of course inherited.
In my experience, simply generating config file snippets from LDAP with a script is sometimes a good solution. There are also other ways to solve this, e.g. you could make nslcd (for libpam-ldapd) on the servers use LDAP filters that only allow them to load users of a related group.
answered Nov 12 '14 at 14:09 by Dominik George
I didn't actually understand the first two paragraphs. Can you please give some input on them, or any online document which would give more explanation? I guess what you suggested in the last paragraph is what I am trying to do now, but somehow things are not working yet. Please let me know if you find something that I am doing wrong or not doing at all.
– AbhinavK
Nov 16 '14 at 19:04
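The two threads of this page, the pam_groupdn failure in the question's update and the "generate config file snippets from LDAP with a script" suggestion in the answer, worked through as an added example. This is not code from the question, the answer, pam_ldap or nslcd. It uses the entries posted in the question, trimmed to the attributes it needs, and assumes a hypothetical POLICY mapping (host group to allowed user groups) that the question states only in prose; cn=user1 from the update has no entry in the posted directory, so it is treated as a leaf user DN.

```python
"""Added example (not code from the question or the answer): resolve, from the
LDIF posted above, which users may SSH to which hosts, and show why pam_ldap's
pam_groupdn check rejects users who are only members of a nested group."""
from collections import defaultdict

BASE = "dc=ldap,dc=example,dc=com"
# Constructed sample: the question's entries trimmed to the attributes used here.
# cn=user1 (from the update) has no entry in the posted directory -> leaf user DN.
LDIF = f"""\
dn: cn=client1,ou=Hosts,{BASE}
ipHostNumber: 192.168.56.21

dn: cn=client2,ou=Hosts,{BASE}
ipHostNumber: 192.168.56.22

dn: cn=client3,ou=Hosts,{BASE}
ipHostNumber: 192.168.56.23

dn: cn=group1,ou=HostGroups,{BASE}
hostmemberIP: 192.168.56.21
hostmemberIP: 192.168.56.23

dn: cn=group2,ou=HostGroups,{BASE}
hostmemberIP: 192.168.56.22

dn: cn=users,ou=Group,{BASE}
memberUid: abhinav
memberUid: akumar

dn: cn=admins,ou=Group,{BASE}
memberUid: abhinavk

dn: cn=gt1,ou=Group,{BASE}
member: cn=admins,ou=Group,{BASE}
member: cn=user1,ou=People,{BASE}
member: cn=users,ou=Group,{BASE}
"""
# Hypothetical policy (stated in the question's prose, not stored in LDAP):
# host group -> user groups whose members may log in.
POLICY = {"group1": ["admins", "users"], "group2": ["admins"]}


def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr_lowercase: [values]}}; no '::' base64."""
    entries, current = {}, None
    for line in text.splitlines() + [""]:
        if not line.strip() or line.startswith("#"):      # entry separator
            if current:
                entries[current["dn"][0]] = current
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": [value]}
        else:
            current.setdefault(attr, []).append(value)
    return entries

def rdn_value(dn):
    return dn.split(",", 1)[0].split("=", 1)[1]           # 'cn=admins,...' -> 'admins'

def direct_member(entries, group_dn, member_dn):
    """What pam_ldap does for pam_groupdn: one LDAP compare of the user's DN
    against the group's pam_member_attribute values. Nested groups are not expanded."""
    return member_dn in entries[group_dn].get("member", [])

def expand_members(entries, group_dn, seen=None):
    """Recursive membership: uids via memberUid plus member DNs, descending into
    any member DN whose own entry carries members (a nested group)."""
    seen = set() if seen is None else seen
    if group_dn in seen:                                  # cycle guard
        return set()
    seen.add(group_dn)
    group = entries[group_dn]
    uids = set(group.get("memberuid", []))
    for dn in group.get("member", []):
        target = entries.get(dn, {})
        if "member" in target or "memberuid" in target:
            uids |= expand_members(entries, dn, seen)
        else:
            uids.add(rdn_value(dn))                       # leaf user DN
    return uids

def host_access(entries, policy):
    """host cn -> uids allowed: join hostmemberIP to ipHostNumber, expand groups."""
    ip_to_host = {e["iphostnumber"][0]: rdn_value(e["dn"][0])
                  for e in entries.values() if "iphostnumber" in e}
    access = defaultdict(set)
    for hostgroup, usergroups in policy.items():
        uids = set()
        for ug in usergroups:
            uids |= expand_members(entries, f"cn={ug},ou=Group,{BASE}")
        for ip in entries[f"cn={hostgroup},ou=HostGroups,{BASE}"]["hostmemberip"]:
            access[ip_to_host[ip]] |= uids
    return dict(access)

def sshd_allowgroups(policy, hostgroup):
    """sshd_config line for every host in `hostgroup`; the names are posixGroups,
    so sshd resolves membership through NSS (nslcd / nss_ldap) at login time."""
    return "AllowGroups " + " ".join(sorted(policy[hostgroup]))
```

`direct_member` reproduces what the posted pam_ldap.conf asks for: pam_ldap does a single compare of the authenticating user's DN against the `member` values of cn=gt1, so cn=user1 passes while anyone who is only in cn=admins or cn=users gets the "You must be a member of ... to login" error. `expand_members` is the recursion pam_ldap does not perform. `host_access` and `sshd_allowgroups` are the scripted route the answer suggests: run the resolution once against `ldapsearch` output and drop `AllowGroups admins users` into sshd_config on group1 hosts and `AllowGroups admins` on group2 hosts, which works as long as `getent group admins` resolves on each host through NSS. pam_ldap's `pam_check_host_attr yes` with a per-user `host` attribute (allowed by the `account` objectClass already on the posted user entries) is the other classic per-host control that needs no nested groups.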