Allow LDAP user login only if they are part of a local OS group


Is there a way to restrict LDAP users to log in only if they are part of a LOCAL OS group? What are the steps?

Currently I have an OpenLDAP client machine set up to talk to an external OpenLDAP server. sssd is configured with a domain to look up in the external LDAP server.

If I have a local OS group on my OpenLDAP client machine, say mygroup (gid=5000).

I have added the following rule in /etc/security/access.conf:
-:ALL EXCEPT root (mygroup):ALL

I don't want users from the external LDAP servers to log in via ssh to my machine if they are not explicitly added to 'mygroup' using gpasswd.

The problem I see is that if the external LDAP server also has a group defined with gid=5000, then users belonging to that LDAP group are allowed to get in via ssh even though those users have not yet been added to the LOCAL OS group 'mygroup'.

Thanks in advance
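The collision described in the question comes down to where group membership is resolved: a lookup that goes through NSS (getent, id, and PAM modules that resolve a group name to a GID and then compare GIDs) sees local and LDAP groups merged, so an LDAP posixGroup with gidNumber 5000 counts as "mygroup". The following script is an added example, not part of the original post or of any pam_access or sssd code. It contrasts the two behaviours on constructed sample data: in_local_group reads an /etc/group-style file directly and only honours explicit local members, while in_group_by_gid is a simplified model (an assumption about the mechanism, not a reproduction of pam_access internals) of a check that matches on numeric GID across both sources. The group file contents and the LDAP entry are constructed; GROUP_FILE is a hypothetical variable that lets the script read a real file instead.

```shell
#!/bin/sh
# Added example (not from the original post). Shows why matching a group by
# numeric GID across local and LDAP sources admits users who are not in the
# LOCAL group, and how a check that reads the local group file directly differs.

# Hypothetical: point GROUP_FILE at a real /etc/group to test against it;
# when unset, a constructed sample is used so the script runs offline.
GROUP_FILE="${GROUP_FILE:-}"

# Constructed sample of the LOCAL /etc/group: mygroup (gid 5000) has alice and carol.
sample_group_file() {
  cat <<'EOF'
root:x:0:
wheel:x:10:alice
mygroup:x:5000:alice,carol
EOF
}

# Constructed sample of what the external LDAP server publishes: a different
# group name, but the same gidNumber 5000, with bob as its only member.
sample_ldap_groups() {
  cat <<'EOF'
ldapgroup:x:5000:bob
EOF
}

# local_groups: emit the local group file (real file if GROUP_FILE is set).
local_groups() {
  if [ -n "$GROUP_FILE" ]; then cat "$GROUP_FILE"; else sample_group_file; fi
}

# in_local_group USER GROUP -> exit 0 only if USER appears in the member field
# of GROUP in the LOCAL group file. LDAP membership is deliberately ignored.
in_local_group() {
  local_groups | awk -F: -v u="$1" -v g="$2" '
    $1 == g {
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] == u) found = 1
    }
    END { exit(found ? 0 : 1) }'
}

# in_group_by_gid USER GID -> exit 0 if USER is a member of ANY group, local or
# LDAP, whose numeric gid equals GID. Models (as an assumption) how a GID-based
# check behaves once both sources are merged: bob "belongs" to gid 5000 here.
in_group_by_gid() {
  { local_groups; sample_ldap_groups; } | awk -F: -v u="$1" -v g="$2" '
    $3 == g {
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] == u) found = 1
    }
    END { exit(found ? 0 : 1) }'
}

# Usage: compare the two checks for a user the LDAP side places in gid 5000.
for u in alice bob; do
  if in_local_group "$u" mygroup; then l=yes; else l=no; fi
  if in_group_by_gid "$u" 5000; then g=yes; else g=no; fi
  printf '%s: local member of mygroup=%s, member of some gid-5000 group=%s\n' "$u" "$l" "$g"
done
```

Running it prints that alice passes both checks while bob passes only the GID-based one, which is exactly the gap reported above: the access.conf rule names "mygroup", but once the name is resolved to gid 5000 any source that hands out that GID satisfies it. The practical takeaway for a defender is to audit whether any LDAP group shares a gidNumber with a local group used for access control (a one-off comparison of `getent group` output against /etc/group by GID will surface such overlaps), and to treat a GID collision between sources as an authorization bug rather than a cosmetic one.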
