Linux system login: How to use /etc/passwd to filter user names against LDAP

0

I'm working for a university. I can access the university LDAP server but can't modify anything (it's read-only to me). I have several Linux machines, and I want to configure all the machines to authenticate via the university LDAP (that's pretty easy, right?). The problems are:

  1. Only a subset of LDAP users are allowed to log in to the machine. (I know it can be done via an LDAP group or an additional LDAP attribute, but I can't modify anything in the university LDAP.)

  2. Some users may not be in the LDAP but have accounts on the machine.

My thought is: use /etc/passwd as the user list:

    if (a user is NOT in the list) {
        he can't log in
    } else {
        if (he is in LDAP) {
            check his password against the university LDAP
        } else {
            check his password against /etc/shadow
        }
    }

Is there any solution? Any help appreciated.

zfsu

Posted 2013-09-26T16:56:34.720

Reputation: 3

Answers

0

For allowing only a subset of LDAP users to login:

  1. If you have a way to filter them without modifying the LDAP server, then you can add the filter to your /etc/nslcd.conf file, e.g.:

    filter passwd (objectClass=localAccount)
    
  2. Otherwise, you'll have to allow all LDAP users as local users and grant permissions just to the ones that you want, e.g., by changing /etc/security/access.conf and/or /etc/ssh/sshd_config.

For having additional local users, on top of those from the LDAP server, you'll need your /etc/nsswitch.conf file to contain something like:

passwd: files [unavail=return] ldap
group:  files [unavail=return] ldap
shadow: files ldap

I hope I'm not forgetting something...

nickie

Posted 2013-09-26T16:56:34.720

Reputation: 322