Allow LDAP user login only if they are part of a local OS group


Is there a way to restrict LDAP users to log in only if they are part of a LOCAL OS group? What are the steps?

Currently I have an OpenLDAP client machine set up to talk to an external OpenLDAP server. sssd is configured with a domain to look up in the external LDAP server.

I have a local OS group on my OpenLDAP client machine, say mygroup (gid=5000).

I have added the following rule in /etc/security/access.conf
-:ALL EXCEPT root (mygroup):ALL

I don't want users from the external LDAP server to log in via ssh to my machine if they are not explicitly added to 'mygroup' using gpasswd.

The problem I see is that if the external LDAP server also has a group defined with gid=5000, then users belonging to that LDAP group are allowed to get in via ssh even though those users are not yet added to the LOCAL OS group 'mygroup'.

Thanks in advance


You could use an LDAP filter in your sssd.conf to exclude users of your LDAP MYGROUP group.

As long as the group exists locally, the nsswitch order will be used to determine group membership and should use local over LDAP.

If the group doesn't exist locally, it will fall back to the LDAP one (if it is the second in the lookup in nsswitch, i.e. "files sss").

You can use sssd's simple_allow_groups feature to restrict the access based on group.
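An added example, not code from either post. The symptom in the question follows from how pam_access evaluates `(mygroup)`: membership is decided from the user's gid list as NSS assembles it from every configured source, so an LDAP group that also carries gid 5000 satisfies the rule. Two things are worth knowing before relying on the suggestions above: sssd-simple(5) states that simple_allow_groups applies only to groups within the SSSD domain and that local groups are not evaluated, and every NSS-based check (pam_access, pam_succeed_if, sshd AllowGroups) shares the gid-merging behaviour. The script below sidesteps NSS entirely by reading the member list of the local group straight from /etc/group, which is exactly what gpasswd edits. The script path, the `account required pam_exec.so ...` line and the LOCAL_GROUP variable are assumptions for illustration; pam_exec exporting the user as PAM_USER is documented module behaviour.

```shell
#!/bin/sh
# Added example (not from the thread): a pam_exec account-phase helper that
# grants access only to root and to users listed as members of a LOCAL group
# in /etc/group. It never consults NSS/sssd, so an LDAP group that shares the
# gid (the gid=5000 collision from the question) cannot satisfy the check.
#
# Assumed installation (hypothetical path and PAM line):
#   install -m 0755 require-local-group.sh /usr/local/sbin/
#   # in /etc/pam.d/sshd, before the other account lines:
#   account required pam_exec.so quiet /usr/local/sbin/require-local-group.sh
#
# A non-zero exit makes pam_exec fail, and with "required" that denies login.

LOCAL_GROUP=${LOCAL_GROUP:-mygroup}   # group name taken from the question

# in_local_group USER GROUP [GROUPFILE]
# Returns 0 only if USER appears in GROUP's member list in GROUPFILE
# (default /etc/group). Only the explicit member field is consulted: this is
# the field gpasswd -a writes, and no gid comparison is involved.
in_local_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "${3:-/etc/group}"
}

# decide USER GROUP [GROUPFILE]
# Prints "allow" or "deny" and returns 0 or 1 respectively. root is always
# allowed, mirroring the "ALL EXCEPT root" exemption in the access.conf rule.
decide() {
    local user=$1 group=$2 file=${3:-/etc/group}
    if [ "$user" = root ] || in_local_group "$user" "$group" "$file"; then
        echo allow
        return 0
    fi
    echo deny
    return 1
}

# Entry point when invoked by pam_exec, which exports the user as PAM_USER.
# When PAM_USER is unset (running by hand), only the functions are defined.
if [ -n "${PAM_USER:-}" ]; then
    decide "$PAM_USER" "$LOCAL_GROUP"
    exit $?
fi
```

Because only the member list is read, a local user whose primary gid in /etc/passwd is 5000 is not counted as a member; that matches the question's requirement that access be granted by gpasswd only. Keep the access.conf rule if you like, but this check is the one that actually distinguishes the local group from a same-gid LDAP group.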