
I am using openldap, nslcd and nss-pam-ldapd. I want to restrict user logins on the LDAP client. I have configured this in CentOS 6.5 without any problem using groupdn, but in CentOS 7 there is no pam_ldap.conf file. I tried to do it by adding the following line in nslcd.conf:

filter passwd (memberOf=cn=groupname,ou=groups,dc=example,dc=com)

but it doesn't let anyone log in, even if they are a member of the group. How can I solve this problem?

I installed sssd and configured it as follows, but still everyone can log in, even if they are not a member of the mentioned group. When I try to log in, no log is written to sssd.log or /var/log/messages. I can only check the nslcd log using nslcd -d. sssd.conf:

[sssd]
config_file_version = 2
services = nss, pam
domains = example.com
debug_level = 10
[nss]
[pam]
[domain/example.com]
ad_server = app.example.com
ad_domain = example.com
sssd-ldap = app.example.com
ldap_access_order = filter, expire
ldap_access_filter = (memberOf=cn=groupname,ou=groups,dc=app,dc=example,dc=com)
ldap_schema = rfc2307bis
ldap_group_member = uniqueMember
ldap_search_base = dc=app,dc=example,dc=com
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://app.example.com/
rahele
  • I could not find a way to limit this in nslcd.conf. Instead, I think that I can limit the group with `pam_access`. `sssd`, `sssd-ldap` would be better. – Taichi Yanagiya May 05 '16 at 09:22

1 Answer


You should use SSSD and configure it to use LDAP instead of working with PAM directly.

Then you can use the following in the SSSD domain configuration:

access_provider = simple
simple_allow_groups = groupname

which is a very basic way to limit users, but you could also use access_provider=ldap and then use much more advanced LDAP queries to control access.

See man sssd and man sssd-ldap.

Sven
  • I installed sssd and configured it as follows, but still everyone can log in, even if they are not a member of the mentioned group. – rahele May 08 '16 at 11:18
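Below is a complete /etc/sssd/sssd.conf for the LDAP-only setup the answer recommends, written here as an added example (it is not the asker's file and not from the sssd project). It keeps the server, search base, schema and group DN from the question, and shows the simple access provider the answer suggests next to the ldap filter variant as a commented-out alternative. The TLS settings and the CA path /etc/openldap/certs/ca.crt are assumptions for illustration; the two ad_* keys and the sssd-ldap key from the question's file are dropped because they are not options of the ldap provider. Note that debug_level in the [sssd] section only affects the monitor process; a debug_level inside the domain section is what makes SSSD write to /var/log/sssd/sssd_example.com.log during a login attempt.

```ini
# /etc/sssd/sssd.conf - must be owned by root with mode 0600 or sssd refuses to start
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[nss]

[pam]

[domain/example.com]
# Log the access-control decisions of this domain (levels 0-9; 6 is usually enough)
debug_level = 6

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldap://app.example.com/
ldap_search_base = dc=app,dc=example,dc=com
ldap_schema = rfc2307bis
ldap_group_member = uniqueMember

# Assumed: the server offers STARTTLS and its CA certificate is at this path.
# Without this, passwords from auth_provider = ldap cross the wire in clear text.
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/openldap/certs/ca.crt
ldap_tls_reqcert = demand

# Do not keep password hashes on the client; logins fail when the server is unreachable.
cache_credentials = false

# Option A (as in the answer): SSSD resolves group membership through the
# id provider and allows only members of "groupname". Any user not in an
# allowed group is denied at the PAM account stage.
access_provider = simple
simple_allow_groups = groupname

# Option B (comment out Option A first): the server evaluates an LDAP filter
# against the user's entry. This needs a memberOf attribute on user entries,
# i.e. the memberof overlay on OpenLDAP, otherwise the filter matches nobody
# and every login is denied.
# access_provider = ldap
# ldap_access_order = filter, expire
# ldap_access_filter = (memberOf=cn=groupname,ou=groups,dc=app,dc=example,dc=com)
```

On CentOS 7, enable the SSSD PAM and NSS stack with `authconfig --enablesssd --enablesssdauth --update`, then `systemctl restart sssd`. Verify with `getent group groupname` (the user must appear in the member list for Option A to allow them) and `id someuser`, and watch /var/log/sssd/sssd_example.com.log while attempting an SSH login: with access control engaged, a denied user produces an "Access denied" decision in that log and a failed account check in /var/log/secure. If nslcd is still installed, disable it and remove `ldap` from the passwd/group/shadow lines of /etc/nsswitch.conf, so that lookups cannot bypass SSSD's access check through the other name service.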