Zack Shaw

Reputation: 1

ldap user/group mapping with access control

We are trying to centralize our user base in our environment with RHEL 6 servers by mapping our users/groups to an LDAP server. I know how to do that, but there are some limitations that I need to take into account. I have a Hadoop cluster with a gateway node and other working nodes (master and slave nodes). I want all the users to log in to the gateway node and all other nodes by using LDAP user and password information instead of the local database (/etc/passwd), but at the same time I want to restrict the users from logging in to the other nodes except the gateway node. It might be a very simple issue, but I can't seem to think of a possible resolution to this scenario. If anyone else has exercised the same scenario, a little hint in this direction would be a big help. Thanks for reading the post.

Upvotes: 0

Views: 626

Answers (1)

Bertold Kolics

Reputation: 900

There are several ways you can address this:

  • Don't address this by changing the LDAP setup; instead use a different SSH configuration on the gateway host. If you put the users who are allowed to log in to any host into a different group, then you could use the AllowGroups configuration option of the SSH daemon to restrict access.
  • Another option - assuming that you used authconfig on RHEL 6 to map your users/groups to an LDAP server - is to use the PAM LDAP module instead of authconfig (package name pam_ldap). PAM LDAP has a few options that you could leverage. One is pam_filter - which could be used to select a subset of users - to log in to the gateway host. Another is pam_groupdn, which you could use to allow only those users who belong to a particular LDAP group.
  • Of course, you could keep using authconfig and specify a different base DN on the gateway host. But this would require some of the users to be present in two different parts of the directory tree. This is probably the easiest, but the least desirable, way of solving the issue.
  • The last option I can think of is adding source host/IP based access control to your LDAP server. This way the LDAP server would grant access to one set of users/groups if the host is the gateway server and a different set if the requesting host is not the gateway server.

I hope this helps.

Upvotes: 1
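The first two options in the answer above (per-host sshd AllowGroups, backed by a pam_ldap pam_groupdn restriction) as an added worked example; this is illustration written for this page, not code from the question or answer authors. The host roles, the group names hadoop-users and hadoop-admins, the base DN dc=example,dc=com and the sample users are all assumptions. The helper user_allowed only emulates sshd's AllowGroups membership test (exact group-name match; real AllowGroups also accepts wildcard patterns) so the effect of each role's allow list can be checked offline.

```shell
#!/bin/sh
# Added example (not the original answer's code): restrict LDAP users to the
# gateway with sshd AllowGroups, and add a pam_ldap pam_groupdn check as a
# second layer.  Host roles, group names and the base DN are assumptions.

BASE_DN="dc=example,dc=com"                   # assumed directory suffix
GATEWAY_GROUPS="hadoop-users hadoop-admins"   # everyone who may use the cluster
WORKER_GROUPS="hadoop-admins"                 # only operators reach master/slave nodes

# sshd_config line for a host role.  AllowGroups is evaluated against the
# user's primary and supplementary groups as resolved through NSS, so the
# LDAP group must be visible in `getent group` on that host or nobody matches.
sshd_allowgroups_for() {
    case "$1" in
        gateway) echo "AllowGroups $GATEWAY_GROUPS" ;;
        worker)  echo "AllowGroups $WORKER_GROUPS" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# /etc/pam_ldap.conf lines that make pam_ldap itself reject the account
# unless it is a member of the role's LDAP group.  pam_groupdn takes a single
# group, so on the gateway every admin is assumed to also be in hadoop-users.
# pam_member_attribute defaults to uniquemember; posixGroup entries use memberUid.
pam_ldap_groupdn_for() {
    case "$1" in
        gateway) echo "pam_groupdn cn=hadoop-users,ou=groups,$BASE_DN" ;;
        worker)  echo "pam_groupdn cn=hadoop-admins,ou=groups,$BASE_DN" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
    echo "pam_member_attribute memberUid"
}

# Emulate the AllowGroups decision: succeed (0) if any group of the user
# (the list `id -Gn user` would print) appears in the host's allow list.
user_allowed() {   # $1 = user's groups, $2 = allow list (both space separated)
    for g in $1; do
        for a in $2; do
            [ "$g" = "$a" ] && return 0
        done
    done
    return 1
}

# Constructed sample accounts standing in for `id -Gn` output:
# alice is an analyst, bob is a cluster operator.
ALICE_GROUPS="alice hadoop-users"
BOB_GROUPS="bob hadoop-users hadoop-admins"

for role in gateway worker; do
    echo "# $role:"
    sshd_allowgroups_for "$role"
    pam_ldap_groupdn_for "$role"
    for who in alice bob; do
        eval "groups=\$$(echo "$who" | tr '[:lower:]' '[:upper:]')_GROUPS"
        if user_allowed "$groups" "$(eval echo \$$(echo "$role" | tr '[:lower:]' '[:upper:]')_GROUPS)"; then
            echo "#   $who: allowed"
        else
            echo "#   $who: denied"
        fi
    done
done
```

After putting the AllowGroups line into /etc/ssh/sshd_config on each node, run `sshd -t` before restarting, confirm the effective value with `sshd -T | grep -i allowgroups`, and check that `getent group hadoop-admins` returns the LDAP group on the worker nodes; an empty result means AllowGroups will lock everyone out, including key-based logins. Keep a local break-glass group (for example wheel) in the worker allow list so that an LDAP outage does not take the console-less nodes with it.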
