This is my entire test ldap database for now:
```
# extended LDIF
#
# LDAPv3
# base <dc=ldap,dc=example,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ldap.example.com
dn: dc=ldap,dc=example,dc=com
dc: ldap
description: Root for Test LDAP server
objectClass: top
objectClass: dcObject
objectClass: organization
o: Test

# People, ldap.example.com
dn: ou=People,dc=ldap,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
description: All people in Test

# Group, ldap.example.com
dn: ou=Group,dc=ldap,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
description: All groups in Test

# Hosts, ldap.example.com
dn: ou=Hosts,dc=ldap,dc=example,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit
description: All hosts in Test

# HostGroups, ldap.example.com
dn: ou=HostGroups,dc=ldap,dc=example,dc=com
ou: HostGroups
objectClass: top
objectClass: organizationalUnit
description: All host groups in Test

# client1, Hosts, ldap.example.com
dn: cn=client1,ou=Hosts,dc=ldap,dc=example,dc=com
objectClass: hostGroup
objectClass: ipHost
objectClass: top
cn: client1
ipHostNumber: 192.168.56.21

# client2, Hosts, ldap.example.com
dn: cn=client2,ou=Hosts,dc=ldap,dc=example,dc=com
objectClass: hostGroup
objectClass: ipHost
objectClass: top
cn: client2
ipHostNumber: 192.168.56.22

# client3, Hosts, ldap.example.com
dn: cn=client3,ou=Hosts,dc=ldap,dc=example,dc=com
objectClass: hostGroup
objectClass: ipHost
objectClass: top
cn: client3
ipHostNumber: 192.168.56.23

# group1, HostGroups, ldap.example.com
dn: cn=group1,ou=HostGroups,dc=ldap,dc=example,dc=com
objectClass: hostGroup
objectClass: authorizedServiceObject
objectClass: top
authorizedService: sshd
hostmemberIP: 192.168.56.21
hostmemberIP: 192.168.56.23
cn: group1

# group2, HostGroups, ldap.example.com
dn: cn=group2,ou=HostGroups,dc=ldap,dc=example,dc=com
objectClass: hostGroup
objectClass: authorizedServiceObject
objectClass: top
authorizedService: sshd
hostmemberIP: 192.168.56.22
cn: group2

# users, Group, ldap.example.com
dn: cn=users,ou=Group,dc=ldap,dc=example,dc=com
cn: users
objectClass: posixGroup
objectClass: top
gidNumber: 701
memberUid: abhinav
memberUid: akumar

# admins, Group, ldap.example.com
dn: cn=admins,ou=Group,dc=ldap,dc=example,dc=com
objectClass: posixGroup
objectClass: top
gidNumber: 702
cn: admins
memberUid: abhinavk

# abhinav, People, ldap.example.com
dn: uid=abhinav,ou=People,dc=ldap,dc=example,dc=com
uid: abhinav
cn: abhinav
objectClass: account
objectClass: posixAccount
objectClass: top
uidNumber: 1000
gidNumber: 701
homeDirectory: /home/abhinav
loginShell: /bin/bash
gecos: abhinav
userPassword:: e1NTSEF9NitwODhYZHZnSjliZnJKcElHamdteXhsdUJDSlorNmI=

# akumar, People, ldap.example.com
dn: uid=akumar,ou=People,dc=ldap,dc=example,dc=com
uid: akumar
cn: akumar
objectClass: account
objectClass: posixAccount
objectClass: top
uidNumber: 1001
gidNumber: 701
homeDirectory: /home/akumar
loginShell: /bin/bash
gecos: akumar
userPassword:: e1NTSEF9NVdJdS9yTkIrUlRWelJJMWxHY2UvVzJXNGxmUjYwZ04=

# abhinavk, People, ldap.example.com
dn: uid=abhinavk,ou=People,dc=ldap,dc=example,dc=com
uid: abhinavk
cn: abhinavk
objectClass: account
objectClass: posixAccount
objectClass: top
uidNumber: 1002
gidNumber: 702
homeDirectory: /home/abhinavk
loginShell: /bin/bash
gecos: abhinavk
userPassword:: e1NTSEF9NVdJdS9yTkIrUlRWelJJMWxHY2UvVzJXNGxmUjYwZ04=

# search result
search: 2
result: 0 Success

# numResponses: 16
# numEntries: 15
```

There can be n number of host groups and m number of user groups.
So is it possible to allow specific user groups to access only specific host groups?
For example:
The group cn=admins,ou=Group,dc=ldap,dc=example,dc=com should be able to access all hosts under the host groups cn=group1,ou=HostGroups,dc=ldap,dc=example,dc=com and cn=group2,ou=HostGroups,dc=ldap,dc=example,dc=com.
The group cn=users,ou=Group,dc=ldap,dc=example,dc=com should only be able to access hosts under the host group cn=group1,ou=HostGroups,dc=ldap,dc=example,dc=com.
I tried searching online for help but couldn't find anything helpful.
The above LDAP structure is based on my understanding of this post here.
The LDAP server and client OS is CentOS 6.x, and the LDAP server version is openldap-servers-2.4.39-8.el6.x86_64.
I have been stuck on this since Friday. I am guessing something needs to be done with ACLs on the LDAP server and the base search URL on the LDAP clients. I am really not sure what exactly needs to be done.
Update to this
Reading this post here gave me an idea to drop host groups entirely and instead use normal groups for each host type. I started from scratch (but with a structure very similar to the one above): I created an object groupOfMembers (basically a posixGroup with a member field in it) and started making groups and users part of it.
For example:
```
# gt1, Group, ldap.example.com
dn: cn=gt1,ou=Group,dc=ldap,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfMembers
objectClass: top
gidNumber: 703
cn: gt1
member: cn=admins,ou=Group,dc=ldap,dc=example,dc=com
member: cn=user1,ou=People,dc=ldap,dc=example,dc=com
member: cn=users,ou=Group,dc=ldap,dc=example,dc=com
```

admins and users are other groups with members, and user1 is a user account. I also added this to the /etc/pam_ldap.conf file on the client side:

```
pam_groupdn cn=gt1,ou=Group,dc=ldap,dc=example,dc=com
pam_member_attribute member
```

Now when I log in as user1, I am able to. But when I try this with the other users admin (part of the admins group) and appuser (part of the users group), I get this error message:
You must be a member of cn=gt1,ou=Group,dc=ldap,dc=example,dc=com to login.
Is there any way I can use another group's DN in the member field of a group and make pam_ldap work?
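The outcome described above (user1 logs in, admin and appuser are refused) is what a direct membership test gives when a group's member values are themselves group DNs. The Python below is an added example, not code from the post or from pam_ldap: it parses a constructed LDIF condensed from the entries above (the accounts admin and appuser are assumed to exist as uid=...,ou=People) and contrasts a direct check on cn=gt1 with a nested one that follows group DNs, with a visited set so a group that lists itself, directly or through another group, cannot loop.

```python
from collections import defaultdict
PEOPLE_BASE = "ou=People,dc=ldap,dc=example,dc=com"

# Constructed sample condensed from the post's entries (objectClass/cn lines omitted);
# the accounts 'admin' and 'appuser' are assumed to live under ou=People.
SAMPLE_LDIF = """\
dn: cn=gt1,ou=Group,dc=ldap,dc=example,dc=com
member: cn=admins,ou=Group,dc=ldap,dc=example,dc=com
member: cn=user1,ou=People,dc=ldap,dc=example,dc=com
member: cn=users,ou=Group,dc=ldap,dc=example,dc=com

dn: cn=admins,ou=Group,dc=ldap,dc=example,dc=com
memberUid: admin

dn: cn=users,ou=Group,dc=ldap,dc=example,dc=com
memberUid: appuser
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}; no base64 or folded lines."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                attrs[key.lower()].append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def members_of(entries, group_dn):
    """Direct members as DNs; memberUid maps to uid=<x>,ou=People (assumed layout)."""
    attrs = entries.get(group_dn, {})
    dns = set(attrs.get("member", []))
    dns.update(f"uid={u},{PEOPLE_BASE}" for u in attrs.get("memberuid", []))
    return dns

def is_direct_member(entries, group_dn, user_dn):
    """A pam_groupdn-style test: the user's own DN must appear in the group entry."""
    return user_dn in members_of(entries, group_dn)

def is_nested_member(entries, group_dn, user_dn, seen=None):
    """Also follow member DNs that are groups themselves; 'seen' guards against cycles."""
    seen = seen if seen is not None else set()
    seen.add(group_dn)
    for m in members_of(entries, group_dn):
        if m == user_dn or (m in entries and m not in seen
                            and is_nested_member(entries, m, user_dn, seen)):
            return True
    return False
```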