In a nutshell, I want to authenticate users of an Ubuntu 10.04 Server against a Mac OS X Server's OpenDirectory LDAP, but ONLY allow them access if they are a member of a group on the LDAP side.
Using some guides and previous experience, I am able to get the authentication part working; that part's simple:
$ sudo apt-get install libpam-ldap libnss-ldap nss-updatedb
and enter the LDAP URI, search base, etc as prompted.
At that point, I'm able to see the users and groups on the OpenDirectory LDAP server:
# getent passwd
# getent group
And I can even ssh to the box as ANY of the users.
The problem is -- I can't figure out how to restrict access to only a certain group of users (e.g. testssh).
Using this guide, I made the following changes to the /etc/ldap.conf file:
pam_groupdn cn=testssh,cn=groups,dc=myserver,dc=mycompany,dc=net
pam_member_attribute uniquemember
Hopefully someone has solved this issue and I am just missing something obvious!
Take a look at /etc/security/access.conf. Changes to this file will affect anything that uses PAM and the pam_access module, and it permits you to restrict login by group membership. You can check group membership with:
getent group <group name>
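To see how such a policy behaves before installing it, here is an added example (not the answerer's own code) that simulates the way pam_access walks an access.conf file: first matching line wins, "+" permits, "-" denies, and a login that matches no line is permitted. The policy it reads is constructed and written to a temp file, never to the real /etc/security/access.conf, and the function implements only the subset of the syntax used here (user names, "(group)" entries, ALL, and an exact-match or ALL origin; no EXCEPT, netgroups, or LOCAL special-casing). The group name testssh is the one from the question; alice and bob are made up.

```shell
#!/bin/sh
# Added example: simulate pam_access evaluation of an access.conf-style
# policy. Reads a constructed policy from a temp file, not the real
# /etc/security/access.conf.

POLICY=$(mktemp)
trap 'rm -f "$POLICY"' EXIT

# Constructed policy: members of the LDAP group testssh may log in from
# anywhere, root only locally, everyone else is denied. pam_access stops at
# the first matching line, so the catch-all deny must come last.
cat > "$POLICY" <<'EOF'
# permission : users or (groups) : origins
+ : root : LOCAL
+ : (testssh) : ALL
- : ALL : ALL
EOF

# check_access USER "GROUP ..." ORIGIN
#   "GROUP ..." is the space-separated group list for USER (what
#   `id -Gn USER` or `getent group` reports for an LDAP account).
#   Prints "permit" or "deny" and returns 0 or 1 accordingly.
check_access() {
    user=$1 ugroups=$2 origin=$3
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        perm=$(printf '%s\n' "$line" | cut -d: -f1 | tr -d ' ')
        subjects=$(printf '%s\n' "$line" | cut -d: -f2)
        origins=$(printf '%s\n' "$line" | cut -d: -f3 | tr -d ' ')

        # Does this line's user/group column cover USER?
        matched=0
        for tok in $subjects; do
            case $tok in
                ALL) matched=1 ;;
                "("*")")                      # group entry, e.g. (testssh)
                    g=${tok#\(}; g=${g%\)}
                    for ug in $ugroups; do
                        [ "$ug" = "$g" ] && matched=1
                    done ;;
                *) [ "$tok" = "$user" ] && matched=1 ;;
            esac
        done
        [ "$matched" -eq 1 ] || continue

        # Does the origin column cover where the login comes from?
        [ "$origins" = ALL ] || [ "$origins" = "$origin" ] || continue

        case $perm in
            +) echo permit; return 0 ;;
            -) echo deny;   return 1 ;;
        esac
    done < "$POLICY"
    # No line matched: pam_access grants access by default, which is why
    # the explicit "- : ALL : ALL" line above matters.
    echo permit; return 0
}

echo "alice (testssh member) via sshd: $(check_access alice 'testssh staff' sshd)"
echo "bob (no testssh) via sshd:       $(check_access bob staff sshd)"
echo "root on the console:             $(check_access root root LOCAL)"
```

On the real system the same three lines go into /etc/security/access.conf, and the module is switched on with `account required pam_access.so` in /etc/pam.d/sshd (or in /etc/pam.d/common-account if every PAM-aware service should enforce it). The group check goes through NSS, so the restriction only works if `getent group testssh` actually lists the LDAP users as members.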
I've no Mac, but this is how I do it and I think you can do the same.
Put this in your sshd_config on the Mac:
It will allow only the users in the testssh LDAP group.
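The directive this answer is pointing at, as an added example rather than the answerer's own text, belongs in the sshd_config of the machine whose logins are being restricted (/etc/ssh/sshd_config on the Ubuntu server in the question); testssh is the group name from the question:

```sshd_config
# Only members of the group testssh may log in over SSH. sshd resolves
# membership through NSS, so `getent group testssh` must list the LDAP
# users (a user's primary group counts as well).
AllowGroups testssh
```

After editing, `sshd -t` checks the file for syntax errors and `sshd -T | grep -i allowgroups` (run as root) prints the value sshd will actually use; the daemon has to be restarted for the change to take effect. Note that sshd processes DenyUsers, AllowUsers, DenyGroups and then AllowGroups in that order, so a DenyGroups entry still wins over a matching AllowGroups one.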