I'm in the process of setting up our environment to use OpenLDAP for SSH login authentication.

I've got it working in our test environment but it currently allows anyone with an OpenLDAP account to login. I would like to restrict access to servers based on groups.

For example, I'd like to use the existing default structure. If a user is in the dev group, let them in.

cn=dev,ou=Groups,dc=domain,dc=com

I'm pretty new to LDAP so my understanding of how it organizes things is limited. I've seen some guides that recommend a large number of changes to the LDAP structure which I'd like to avoid.

Is there an easy way to implement this?

Well a big thing you (apparently) would benefit from appreciating is the abstraction involved. When you log in, the source of the user account is totally irrelevant. You would not filter against an LDAP group at all, just a group, as listed by the response to the command "getent group" - divide and conquer!

MY preferred way to do this is to add that group requirement to /etc/security/access.conf, but other users would suggest you use the "AllowGroups" directive in /etc/ssh/sshd_config

As far as the LDAP stuff really goes, as long as you do have full posix accounts within LDAP, which you should, then there's really not much else to require, what have you been reading that suggests otherwise?

I've tried using access.conf and users can still login.

Set up as follows:

And I ssh in as my test user, who isn't in "dev", and I get in fine.

I'm running on CentOS 5.3 and I used authconfig to turn on LDAP logins, so perhaps there's some PAM-related stuff not checking the access.conf file.

well naturally you need to get the full login stuff sorted before you can filter. what does "getent group dev" say? Is dev not a system group? Also you would use @dev to signify a group, as without it it just suggests a user. Having said *that* though, that still suggests that access.conf isn't being read right possibly.

Did you enable pam_access?

authconfig has a parameter "--enablepamaccess".

What does your /etc/pam.d/system-auth file look like?

You need to have "account required pam_access.so" in your system-auth

I just get the one line output, showing the contents of the LDAP server. dev isn't a local group. Adding @dev makes no difference in the access.conf file.

The sshd AllowGroups option does in fact work, but it doesn't report to the user that they can't login, it just appears that their password doesn't work. If that's the only option then I'll use it but I'd prefer they be told "login not allowed"!

Didn't do that.

here's my system-auth:

I think you need to add:
right before

Reran authconfig with that option and it puts the account line in place. But now none of the test accounts can login!

I did:

In access.conf.

You don't need "@" for the group

Perfect, exactly what I need! Thanks!

Not come across pam access not being there by default. Checking some examples in the access.conf manpage did still ist @ notation.

As far as informing the user, I think that *IF* it matters there are ways to send data back to the user with some of the less common branching and logic modules that some people have written for PAM. Fundamentally though, security is about not disclosing unnecessary information, so not common to want to deliberately give more information back.

In this case, I didn't want people getting confused thinking their password was wrong. "Connection Refused" is plenty good enough.

I think it's for NIS only. I never used NIS therefore I can't confirm that.

Oh yeah @ is for netgroups, not groups. Sort of NIS, sort of not.