Thread: Limiting users to login to specific hosts only
Alexander Skwar wrote:
Hello.
I'm trying to set up an OpenLDAP 2.3.31 server, which will be used
to store authentication details for Unix users. As of right now, the
only client machine is a Gentoo Linux system, which uses nss_ldap-254
and pam_ldap-183. OpenLDAP server is a Solaris 10 machine.
To get things to work, I tried to follow the guide on <http://linsec.ca/bin/view/Main/OpenLDAPAuth#Host-based_Authentication>.
As I don't want any user to be able to logon everywhere, I'm trying
to set up what's called "Host-based Authentication" on that webpage.
It says to add the following to /etc/ldap.conf:
pam_check_host_attr yes
pam_filter |(host=this.host.com)(host=*)
I replaced "this.host.com" with some non-existent name to
see what happens. To my surprise, I was able to login using "su".
So I changed the pam_filter line to:
pam_filter (host=this.does.not.exist)
I was still able to login using su. I guess I'm not understanding
something correctly here.
man pam_ldap has:
pam_filter <filter>
Specifies a filter to use when retrieving user information. The
user entry must match the attribute value assertion of
(pam_login_attribute=login_name) as well as any filter specified
here. There is no default for this option.
So, if I understand this correctly, a login should only be
possible if the user object in the LDAP server has an
attribute "host" with the value set to "this.does.not.exist".
Or does this mean something else? If it doesn't, then why
does this not work for me?
I also don't understand why login works in the first place... In
my ldap.conf, I've enabled "pam_check_host_attr". The man page has this to say:
pam_check_host_attr <yes|no>
Specifies whether the "host" attribute should be checked for
logon authorization ("account" in the PAM stack). The default is
not to. If set to "yes" and a user has no value for the "host"
attribute, then the user will be unable to login.
This user does NOT have a host attribute. Why is he able to login?
askwar@winnb000488 ~ $ grep -v ^\# < /etc/ldap.conf | grep -v ^\$
host 10.0.1.26
base ou=Prj,o=Cmp
rootbinddn cn=Admin,ou=Prj,o=Cmp
scope one
pam_filter host=this.host.com
pam_login_attribute uid
pam_check_host_attr yes
pam_member_attribute gid
nss_base_passwd ou=People,ou=Prj,o=Cmp?one
nss_base_shadow ou=People,ou=Prj,o=Cmp?one
nss_base_group ou=Group,ou=Prj,o=Cmp?one
nss_base_hosts ou=Hosts,ou=Prj,o=Cmp?one
nss_base_services ou=Services,ou=Prj,o=Cmp?one
nss_base_networks ou=Networks,ou=Prj,o=Cmp?one
nss_base_protocols ou=Protocols,ou=Prj,o=Cmp?one
nss_base_rpc ou=Rpc,ou=Prj,o=Cmp?one
nss_base_ethers ou=Ethers,ou=Prj,o=Cmp?one
nss_base_netmasks ou=Networks,ou=Prj,o=Cmp?one
nss_base_bootparams ou=Ethers,ou=Prj,o=Cmp?one
nss_base_aliases ou=Aliases,ou=Prj,o=Cmp?one
nss_base_netgroup ou=Netgroup,ou=Prj,o=Cmp?one
nss_reconnect_tries 4 # number of times to double the sleep time
nss_reconnect_sleeptime 1 # initial sleep value
nss_reconnect_maxsleeptime 16 # max sleep value to cap at
nss_reconnect_maxconntries 2 # how many tries before sleeping
pam_password md5
askwar@winnb000488 ~ $ grep -v ^\# < /etc/pam.d/su | grep -v ^\$
auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
session required pam_env.so
session optional pam_xauth.so
askwar@winnb000488 ~ $ grep -v ^\# < /etc/pam.d/system-auth | grep -v ^\$
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_ldap.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
User object, as LDIF:
version: 1
# LDIF export from: uid=askwar3,ou=People,ou=RACE,o=Rieter
# Created by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on April 5, 2007 11:09 am
# Server: RACE LDAP Server (winds06)
# Search scope: base
# Search filter: (objectClass=*)
# Number of entries: 1
dn: uid=askwar3,ou=People,ou=Prj,o=Cmp
cn: Alexander Skwar
gecos: Alexander Skwar,alexander.skwar@
gidNumber: 10
givenName: Alexander
loginShell: /opt/csw/bin/bash
mail: askwar@win.ch.da.rtr
mailHost: mail1.
mailRoutingAddress: askwar@mail1.
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
roomNumber: alexander.skwar@
shadowLastChange: 13503
sn: Skwar
uid: askwar3
userPassword: {crypt}cd9HX834QkpsA
homeDirectory: /home/askwar3
uidNumber: 33000
Alexander Skwar
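The account stack quoted from system-auth above, evaluated under Linux-PAM's control-flag rules, as an added example (not code from the post, from pam_ldap or from Linux-PAM). The scenario is constructed and assumed: pam_unix accepts the account (shadowAccount data served via nss_ldap, not expired) while pam_ldap rejects it for the missing host attribute; with "sufficient" that rejection is ignored, with "required" it denies the login.

```python
# Model of Linux-PAM stack evaluation, run against the /etc/pam.d/system-auth
# account stack quoted above. Added example, not code from the post or from pam_ldap.
# Control flags as modelled (Linux-PAM semantics):
#   required   - failure is recorded, later modules still run, stack ends in failure
#   requisite  - failure ends the stack at once with failure
#   sufficient - success ends the stack with success unless a required module has
#                already failed; a failure is simply ignored
#   optional   - only matters if it is the sole module (not modelled here)
from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]   # [(control, module), ...] in file order
Results = Dict[str, bool]       # module -> would it return PAM_SUCCESS?

def run_stack(stack: Stack, results: Results) -> Tuple[bool, List[str]]:
    """Return (stack_passed, modules_actually_consulted)."""
    consulted: List[str] = []
    required_failed = False
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            return True, consulted
    return not required_failed, consulted

# The account stack exactly as quoted from system-auth.
ACCOUNT_AS_POSTED: Stack = [("required", "pam_unix.so"), ("sufficient", "pam_ldap.so")]
# Same stack with pam_ldap made mandatory, so its verdict cannot be swallowed.
ACCOUNT_HARDENED: Stack = [("required", "pam_unix.so"), ("required", "pam_ldap.so")]

# Constructed scenario for the posted user: pam_unix is satisfied by the
# shadowAccount data nss_ldap serves (account not expired), while pam_ldap
# rejects it because pam_check_host_attr is on and the entry has no host attribute.
SCENARIO: Results = {"pam_unix.so": True, "pam_ldap.so": False}

def login_allowed_as_posted() -> bool:
    return run_stack(ACCOUNT_AS_POSTED, SCENARIO)[0]

def login_allowed_hardened() -> bool:
    return run_stack(ACCOUNT_HARDENED, SCENARIO)[0]

if __name__ == "__main__":
    print("as posted:", login_allowed_as_posted())  # True: pam_ldap's denial is ignored
    print("hardened: ", login_allowed_hardened())   # False: host check now enforced
```

The same model shows why a "sufficient" pam_unix placed before pam_ldap in the auth stack can stop pam_ldap (and hence pam_filter) from ever being consulted when pam_unix succeeds.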