Restricting account logins using LDAP and PAM

Solution 1:

PAM has the ability to restrict access based on an access control list (at least on Ubuntu) which, like kubanskamac's answer (+1) regards the groups as posix groups, whether they're stored in LDAP, /etc/group or NIS.

/etc/security/access.conf is the access list file. In my file, I put at the end:

-:ALL EXCEPT root sysadmin (ssh-users):ALL

This denies everyone except root, sysadmin and in the group ssh-users (which is in LDAP) wherever they login from (the second ALL).

Then in my PAM account file (this IS an account module), I add at the very end:

# pam_access.so is the account module that reads /etc/security/access.conf
account required pam_access.so

which tells PAM to use this file. It works a treat :-)

Solution 2:

I would simply use

# pam_listfile.so takes sense=/item=/file=/onerr=; the file lists one group name per line
auth required pam_listfile.so sense=accept item=group file=/etc/groups.allow onerr=fail

to allow only specific groups (both for local and LDAP groups). This way you don't have to specify anything in ldap.conf.

If you want to keep authorization your way, you shouldn't filter users on "account" pass. I believe you should rather do it on "auth" pass. Secondly, as you can see yourself, pam_unix processes both local and LDAP accounts (at least on the "account" pass), so it seems there is no need for pam_ldap at all.

EDIT: Thirdly, if you insist on having stuff on "account" pass (which I believe could have strange side effects), your sequence should end with: ..., "sufficient pam_ldap", "required pam_localuser", "required pam_unix". I mean, if you have any other modules, move them before pam_ldap - otherwise they would be ignored for LDAP accounts due to "sufficient" clause.
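The two approaches above (the access.conf rule from Solution 1 and the item=group allow-file from Solution 2) can be dry-run offline before touching a live PAM stack. The following is an added example, not code from either answer or from the PAM modules themselves: a simplified re-implementation of the pam_access and pam_listfile matching rules. Group membership is passed in already resolved (which is what NSS does for local, LDAP and NIS groups alike); origin matching supports only ALL, LOCAL and an exact name, not hostname resolution or netmasks; the sample rule, allow-file and logins are constructed.

```python
"""Offline evaluator for a pam_access-style access.conf rule and a
pam_listfile-style item=group allow-file.  Added example; a simplified
re-implementation of the matching rules, not the modules' own code."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Login:
    user: str
    groups: set[str] = field(default_factory=set)  # resolved POSIX group names
    origin: str = "LOCAL"                           # tty, hostname or address


def parse_access_conf(conf: str) -> list[tuple[str, list[str], list[str]]]:
    """Parse 'permission:users-or-groups:origins' lines; '#' starts a comment."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules


def _who_matches(token: str, login: Login) -> bool:
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):   # explicit group
        return token[1:-1] in login.groups
    # A bare name is tried as a user name and then as a group name, which is
    # pam_access's default (its 'nodefgroup' option turns the fallback off).
    return token == login.user or token in login.groups


def _origin_matches(token: str, login: Login) -> bool:
    # Simplified: ALL, LOCAL (classic rule: an origin with no '.' in it) and
    # exact names only; real pam_access also handles addresses and netmasks.
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in login.origin
    return token.lower() == login.origin.lower()


def _list_matches(tokens: list[str], login: Login, match_fn) -> bool:
    """'a b EXCEPT c d' matches when some token before EXCEPT matches and
    nothing after it does; EXCEPT may nest, hence the recursion."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _list_matches(tokens[:i], login, match_fn) and not _list_matches(
            tokens[i + 1:], login, match_fn)
    return any(match_fn(t, login) for t in tokens)


def access_conf_allows(conf: str, login: Login) -> bool:
    """The first rule whose user field and origin field both match decides.
    No matching rule means access is granted, so a deny rule must be broad."""
    for perm, who, origins in parse_access_conf(conf):
        if _list_matches(who, login, _who_matches) and _list_matches(
                origins, login, _origin_matches):
            return perm == "+"
    return True


def listfile_group_allows(allow_file: str | None, login: Login,
                          sense_accept: bool = True, onerr_fail: bool = True) -> bool:
    """pam_listfile item=group: any of the user's groups listed in the file is
    a hit.  allow_file=None stands for an unreadable file, decided by onerr."""
    if allow_file is None:
        return not onerr_fail
    listed = {ln.strip() for ln in allow_file.splitlines() if ln.strip()}
    hit = bool(login.groups & listed)
    return hit if sense_accept else not hit


# Constructed inputs: the rule from Solution 1 and an allow-file for Solution 2.
ACCESS_CONF = "-:ALL EXCEPT root sysadmin (ssh-users):ALL\n"
GROUPS_ALLOW = "ssh-users\nwheel\n"

if __name__ == "__main__":
    for who in (Login("root"), Login("alice", {"users"}, "203.0.113.5"),
                Login("bob", {"users", "ssh-users"}, "203.0.113.5")):
        print(who.user, access_conf_allows(ACCESS_CONF, who),
              listfile_group_allows(GROUPS_ALLOW, who))
```

Two things the dry run makes visible: a bare `sysadmin` token in the access.conf rule admits both the user named sysadmin and anyone in a group of that name, and pam_access grants access when no rule matches, so the deny line has to cover every origin you care about.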