A few of my machines authenticate to my central LDAP server and allow LDAP users to log in. However, I don’t want every user in LDAP to be able to log into every single one of those machines; rather, I would like to make a posix group in LDAP and when I put a user in that group, they will get access to the given host. This guide will describe how to accomplish this task using PAM.

Limit on the Machine itself
This method will allow you to tell PAM (using the access module) exactly what users (or groups) you want to allow to log into that specific machine.

1) Edit the /etc/security/access.conf file
Add a line similar to below:

# disallow all except people in the server2 group, root, and bob
-:ALL EXCEPT root bob server2:ALL EXCEPT LOCAL

Or look through the examples and tailor one to your liking. This file is the final authority on who is allowed onto your system.
NOTE: ONLY the people matched by this file will be able to log in to the system remotely!

2) Add the following line to your “/etc/pam.d/common-auth” file:

auth required pam_access.so

The above tells PAM to read the access.conf file we just edited and act accordingly.

3) Test it! In our example, we would try a user who is not in the server2 group but exists elsewhere in LDAP. I would also ensure that users who are in the server2 group can sign in as well. Keep in mind that these groups are posixGroup entries, not OUs, in LDAP!
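Before relying on a rule like the one above, it helps to dry-run it against the users and origins you care about so you do not lock yourself out. The following is an added example, not code from the original post: a simplified simulation of how pam_access matches access.conf rules (first matching rule wins, no match means permit), with constructed group membership standing in for the LDAP posixGroup lookup.

```python
"""Simulate pam_access(8) matching for /etc/security/access.conf rules
(simplified: first matching rule wins; no matching rule means permit)."""

# Constructed group membership standing in for LDAP posixGroup lookups.
GROUPS = {
    "server2": ["alice", "svc-backup"],
    "users": ["alice", "carol", "dave"],
}

# The rule from the guide: deny everyone except root, bob and the server2
# group, unless the login originates locally.
ACCESS_CONF = """
# disallow all except people in the server2 group, root, and bob
-:ALL EXCEPT root bob server2:ALL EXCEPT LOCAL
"""


def _item_matches(item, value, user_list):
    if item == "ALL":
        return True
    if user_list:  # a name matches the user itself or a group they belong to
        return item == value or value in GROUPS.get(item, [])
    if item == "LOCAL":  # pam_access: LOCAL matches an origin without a dot
        return "." not in value
    return item == value or (item.startswith(".") and value.endswith(item))


def _list_matches(spec, value, user_list):
    tokens = spec.split()
    if "EXCEPT" in tokens:
        idx = tokens.index("EXCEPT")
        allowed, excepted = tokens[:idx], tokens[idx + 1:]
    else:
        allowed, excepted = tokens, []
    return any(_item_matches(i, value, user_list) for i in allowed) and \
        not any(_item_matches(i, value, user_list) for i in excepted)


def access_allowed(conf, user, origin):
    """Return True if pam_access would permit `user` logging in from `origin`."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if _list_matches(users, user, True) and _list_matches(origins, origin, False):
            return perm == "+"
    return True  # pam_access default when no rule matches


if __name__ == "__main__":
    for u, o in [("alice", "10.0.0.5"), ("carol", "10.0.0.5"), ("carol", "tty1")]:
        print(f"{u}@{o}: {'permit' if access_allowed(ACCESS_CONF, u, o) else 'deny'}")
```

Note that carol is permitted from tty1 only because the rule exempts LOCAL origins; a stricter rule such as `-:ALL EXCEPT root server2:ALL` would deny her at the console too.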

Define the hosts a user can log into via LDAP

As I have not actually done this step, I am not going to cover exactly how to do it, but there is an excellent tutorial on this at the Debian wiki.

It basically involves using the “host” attribute available in LDAP to define what hosts a user can log into.

Another great resource about host-based authorization is at the Ubuntu documentation site!

Mario Loria is a builder of diverse infrastructure with modern workloads on both bare-metal and cloud platforms. He's traversed roles in system administration, network engineering, and DevOps. You can learn more about him here.