I have several linux servers (ubuntu 12.04) set up to authenticate user logins over an external (to my branch office) LDAP (Novell Edirectory specifically). This is working well, however I am trying to filter user logins by membership in an LDAP group.

A user account looks like this in Edir:

dn: cn=mmcloud,ou=eng,o=lsi
loginShell: /bin/bash
homeDirectory: /home/mmcloud
gidNumber: 2001
uidNumber: 9418
mail: xxxxxx@xxxxxxxxx
uid: mmcloud
initials: Q
givenName: Moran
sn: McCloud
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ndsLoginProperties
objectClass: Person
objectClass: Top
objectClass: posixAccount
eMailAddress: 7#xxxxx@xxxxxxxxxxxx
cn: mmcloud

A group entry looks like this in Edir:

dn: cn=shellacct,ou=groups,ou=eng,o=lsi
memberUid: jbarlin
memberUid: mmccloud
memberUid: ssemryn
memberUid: cdesmon
gidNumber: 2009
objectClass: groupOfNames
objectClass: Top
objectClass: posixGroup

I only want users in the shellacct group to login. I've found many examples using pam_filter in /etc/ldap.conf but have only gotten the filter to work by filtering on specific userDn attributes such as:

 pam_filter                  &(objectclass=user)
 pam_filter                  &(objectclass=Person)
 pam_filter                  &(loginShell=/bin/bash)

What I want is to filter on the group membership. The groupDn is cn=shellacct,ou=groups,ou=eng,o=lsi (gid=2009). I've tried in /etc/ldap.conf:

 pam_filter                  &(objectclass=posixAccount)(|(gidNumber=2009))
 pam_filter                  |(member=cn=shellacct,ou=groups,ou=eng,o=lsi)
 pam_filter                  |(memberUid=cn=shellacct,ou=groups,ou=eng,o=lsi)

Will pam_filter work for what I want to do or does it only look at the userDn for filtering?

Server Fault
  • What PAM module are you using for auth? – jlehtinen Feb 20 '15 at 15:16
  • As far as I know, the module used by pam for LDAP is the pam_ldap module. – Server Fault Feb 20 '15 at 15:24
  • This is not an answer to your question but you might want to look into SSSD to replace `libpam-ldap` (which you are using) altogether. It is much more comfortable to use, featureful and documented, and the SSSD version in Ubuntu 12.04 works very well. – daff Feb 21 '15 at 18:20

3 Answers

PAM module pam_succeed_if.so seems to be ideal for this. In fact I use it this way on a multitude of my servers. A sample configuration from Ubuntu 14.04 authorizing against an MS AD domain, from /etc/pam.d/common-account:

account         sufficient              pam_unix.so
account         requisite               pam_ldap.so
account         sufficient              pam_succeed_if.so user ingroup unix-admins
account         sufficient              pam_succeed_if.so user ingroup auth-$hostname
account         requisite               pam_deny.so

Substitute server name for $hostname. Being a member of unix-admins or auth-$hostname grants access.

Also consider using nslcd (0.9+), as it recognizes nested (indirect) group membership.

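
An added check for the pam_succeed_if approach (example code written for this page, not from the answer above or from libpam): `user ingroup` asks the system group database, so the LDAP posixGroup must resolve through NSS first (compare `getent group shellacct` with `id -nG mmcloud` on the box). The script parses the two LDIF entries from the question and applies the same two-part membership test libpam's group helper makes, primary gidNumber first and then the member list. Run against the entries exactly as pasted, it reports mmcloud as not a member: the group lists `mmccloud`, the account's uid is `mmcloud`, and the primary gid 2001 is not the group's 2009. A one-letter mismatch like that is worth ruling out before blaming the PAM configuration.

```python
from collections import defaultdict

# Constructed input: the two eDirectory entries as pasted in the question
# (mail attributes dropped, they play no part in the check).
USER_LDIF = """\
dn: cn=mmcloud,ou=eng,o=lsi
loginShell: /bin/bash
homeDirectory: /home/mmcloud
gidNumber: 2001
uidNumber: 9418
uid: mmcloud
objectClass: inetOrgPerson
objectClass: posixAccount
cn: mmcloud
"""

GROUP_LDIF = """\
dn: cn=shellacct,ou=groups,ou=eng,o=lsi
memberUid: jbarlin
memberUid: mmccloud
memberUid: ssemryn
memberUid: cdesmon
gidNumber: 2009
objectClass: groupOfNames
objectClass: posixGroup
"""


def parse_ldif(text):
    """Parse a single LDIF entry into {attribute: [values]}.
    Attribute names are lower-cased (LDAP attribute names are case-insensitive).
    Base64 ('::') values and line continuations are not handled; the entries
    above do not use them."""
    entry = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        entry[attr.strip().lower()].append(value.strip())
    return dict(entry)


def user_in_group(user, group):
    """The two-part test behind 'pam_succeed_if user ingroup G', applied to the
    LDAP entries instead of to getpwnam()/getgrnam() results: the group is the
    account's primary group, or the login name appears in the member list."""
    primary_gid = user.get("gidnumber", [None])[0]
    group_gid = group.get("gidnumber", [None])[0]
    if primary_gid is not None and primary_gid == group_gid:
        return True
    return user["uid"][0] in group.get("memberuid", [])


def membership_report(user, group):
    """Human-readable form of the same decision, useful when a filter 'does not
    work': it shows which side of the comparison is off."""
    uid = user["uid"][0]
    members = group.get("memberuid", [])
    gid = group.get("gidnumber", ["?"])[0]
    if user_in_group(user, group):
        return "%s IS a member of gid %s" % (uid, gid)
    return "%s is NOT a member of gid %s (primary gid %s, memberUid=%s)" % (
        uid, gid, user.get("gidnumber", ["?"])[0], ",".join(members))


if __name__ == "__main__":
    print(membership_report(parse_ldif(USER_LDIF), parse_ldif(GROUP_LDIF)))
```

To use it against a live directory, paste the output of an `ldapsearch` for the user and the group into the two strings; the decision logic is the same one the NSS-backed PAM check will make once nslcd or nss_ldap exposes the group.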

You might be able to use the pam_groupdn option in /etc/ldap.conf to get where you want to go. I've used pam_check_host_attr for a similar purpose in the past and it's worked exactly as I wanted (i.e. the LDAP entry had to have a host attribute with the hostname you're trying to log in to as the value).

  • You may need to modify/tweak `pam_member_attribute` to get this to work. At least, it looks that way to me. – John Feb 20 '15 at 15:25
  • I see that note about `pam_member_attribute` in the man page. Right now, specifying `pam_groupdn cn=shellacct,ou=groups,ou=eng,o=lsi` does not work. I can change `shellacct` to `shellacct11` in `ldap.conf` and mmcloud can still ssh in. – Server Fault Feb 20 '15 at 15:30

Just wanted to leave this here for anyone else looking for this sort of thing. Have a look into /etc/security/access.conf. It recognizes users/groups/local/LDAP. This is what I ended up doing. It's a nice one-stop-shop for ACLs.

You will need to enable pam_access.conf in various files in /etc/pam.d/

Do be aware of system updates re-setting these edits. Not sure how to work around that one. Maybe the mention of pam_succeed above would be a better place for it.

# grep access /etc/pam.d/*
/etc/pam.d/login:# Uncomment and edit /etc/security/access.conf if you need to
/etc/pam.d/login:account required pam_access.so
/etc/pam.d/sshd:# Uncomment and edit /etc/security/access.conf if you need to set complex
/etc/pam.d/sshd:account required pam_access.so

example access.conf:

# allow root from the backup system
+ : root :
# allow root from cron, serial port and tty consoles
+ : root : cron crond :0 ttyS0 tty1 tty2 tty3 tty4 tty5 tty6
# allow ldapusers on subnet
+ : ldapuser4 ldapuser1 ldapuser7:
# allow users in ldap posixGroup on subnet
+ : ldapssh :
# allow everyone in the localhost sftponly group from anywhere
+ : sftponly : ALL
# drop everyone else from anywhere
- : ALL : ALL

Server Fault
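
To see how the access.conf above is actually evaluated, here is a small evaluator written for this page (example code, not part of pam_access or of the answer) that models the first-match rule over lines of the form `permission : users/groups : origins`. It parses the rules exactly as listed, keeps `:0` intact by splitting only on the first two colons, and returns the verdict of the first line that matches. Two things it makes visible: a rule whose origin field is empty (`+ : root :`, the ldapuser line, `+ : ldapssh :`) can match nothing as written, so those lines only take effect once the subnet or host list the comments mention is filled in; and when no rule matches at all the result is allow, which is why the closing `- : ALL : ALL` line matters. EXCEPT, netgroups and CIDR origins are not modelled.

```python
# Constructed input: the rules from the answer above, comments included.
ACCESS_CONF = """\
# allow root from the backup system
+ : root :
# allow root from cron, serial port and tty consoles
+ : root : cron crond :0 ttyS0 tty1 tty2 tty3 tty4 tty5 tty6
# allow ldapusers on subnet
+ : ldapuser4 ldapuser1 ldapuser7:
# allow users in ldap posixGroup on subnet
+ : ldapssh :
# allow everyone in the localhost sftponly group from anywhere
+ : sftponly : ALL
# drop everyone else from anywhere
- : ALL : ALL
"""


def parse_access_conf(text):
    """Return [(allow, user_tokens, origin_tokens)] in file order.
    Only the first two colons separate fields, so an origin such as ':0'
    (the X display) survives in the third field."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":", 2)
        if len(fields) != 3 or fields[0].strip() not in ("+", "-"):
            raise ValueError("line %d: malformed rule: %r" % (lineno, raw))
        perm, users, origins = (f.strip() for f in fields)
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def match_users(tokens, user, groups):
    """Field 2: ALL, a login name, or a group name (bare or in parentheses)."""
    for tok in tokens:
        if tok == "ALL" or tok == user:
            return True
        if tok.strip("()") in groups:
            return True
    return False


def match_origins(tokens, origin):
    """Field 3: ALL, LOCAL (an origin without a dot), or an exact tty, host or
    service name. An empty token list matches nothing."""
    for tok in tokens:
        if tok == "ALL" or tok == origin:
            return True
        if tok == "LOCAL" and "." not in origin:
            return True
    return False


def access_allowed(rules, user, groups, origin):
    """First matching rule decides. With no match at all, access is granted,
    which is why the file should end in a '- : ALL : ALL' catch-all."""
    for allow, users, origins in rules:
        if match_users(users, user, groups) and match_origins(origins, origin):
            return allow
    return True


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    # Constructed sample logins: (user, groups the user belongs to, origin).
    for user, groups, origin in [
        ("root", ["root"], "tty1"),
        ("mmcloud", ["eng", "sftponly"], "203.0.113.7"),
        ("mmcloud", ["eng"], "203.0.113.7"),
        ("ldapuser1", [], "203.0.113.7"),
    ]:
        verdict = "allow" if access_allowed(rules, user, groups, origin) else "deny"
        print("%-10s from %-12s -> %s" % (user, origin, verdict))
```

The group list passed in is whatever the system resolves for the user, so for LDAP-backed groups the same NSS caveat applies as for pam_succeed_if: `getent group ldapssh` has to list the account before a group token in field 2 can match it.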