1. Overview
This post explains how to configure host-based access control and su command restrictions in an OpenLDAP-integrated Linux authentication environment.
By applying these controls, you can:
- Allow specific users to log in only to designated servers, and
- Prevent general users from switching to root or other privileged accounts using su.
⚠️ Note:
All IP addresses, usernames, hostnames, and domain names are examples.
Modify them according to your organization’s security and infrastructure policies.
2. Architecture Overview
The host-based LDAP authentication flow works as follows:
[User SSH Login]
↓
[PAM → nslcd → OpenLDAP]
↓
(Check user’s "host" attribute)
↓
[Allow login only if hostname matches allowed entries]
Each server is represented by a host object in the LDAP directory,
and users must have a corresponding host attribute assigned in their LDAP entry to be granted login access.
3. LDAP Host Object Structure
Example Directory Tree
dc=example,dc=com
├── ou=hosts
│ ├── cn=app-server01
│ ├── cn=app-server02
│ └── cn=db-server01
└── ou=people
├── uid=adminuser
└── uid=devuser
Each host entry includes the server’s hostname and IP address.
4. Creating Host Entries (on the LDAP Server)
File: /etc/openldap/ldif/host.ldif
dn: ou=hosts,dc=example,dc=com
objectClass: organizationalUnit
ou: hosts

dn: cn=app-server01,ou=hosts,dc=example,dc=com
objectClass: ipHost
objectClass: device
cn: app-server01
ipHostNumber: 192.168.10.11

dn: cn=db-server01,ou=hosts,dc=example,dc=com
objectClass: ipHost
objectClass: device
cn: db-server01
ipHostNumber: 192.168.10.21
Apply the entries:
# ldapadd -x -W -D "cn=manager,dc=example,dc=com" -f /etc/openldap/ldif/host.ldif
5. Adding the host Attribute to User Entries
Using ldapmodify or an LDAP management tool,
add a host attribute to specify which servers a user can access.
Example: allow uid=adminuser to log in only to app-server01.
dn: uid=adminuser,ou=people,dc=example,dc=com
changetype: modify
add: host
host: app-server01
Apply:
# ldapmodify -x -W -D "cn=manager,dc=example,dc=com" -f /etc/openldap/ldif/user_host.ldif
6. Client Configuration — Enabling LDAP Host Control
CentOS / RHEL
Edit /etc/nslcd.conf and add the following line:
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))
The pam_authz_search directive makes nslcd run this search against the user's entry during PAM authorization. The search succeeds only if the entry has a host value equal to the client's short hostname or its FQDN, or the literal wildcard value * (written as \\* in nslcd.conf, the form used in the nslcd.conf(5) example, so that the asterisk is matched as a value; a plain (host=*) would be a presence filter that matches any entry with a host attribute, whichever server it names). If the current hostname does not match, authentication is denied.
Update /etc/nsswitch.conf:
hosts: files dns myhostname ldap
Restart services:
# systemctl restart nslcd
# systemctl restart nscd
7. Test Scenarios
| Scenario | Expected Result |
|---|---|
| uid=adminuser logs in to app-server01 | ✅ Login succeeds |
| Same user tries db-server01 | ❌ Access denied |
| uid=devuser (no host attribute) logs in | ❌ Authentication denied |
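To see what the section 6 filter actually decides for the section 7 scenarios, here is an added example (not nslcd's code or the post's own) that evaluates the filter offline against constructed user entries; it also shows why (host=*) would be a presence filter that lets adminuser onto db-server01. The entries, the opsuser wildcard account and the example.com FQDNs are constructed, and they carry objectClass account next to posixAccount because the cosine account class is what allows the host attribute.

```python
"""Offline model of the pam_authz_search decision from sections 6 and 7.

Added example, not nslcd's code: a small evaluator for the filter shapes used
on this page, i.e. (&...), (|...), equality (attr=value), presence (attr=*)
and the escaped literal asterisk (attr=\\*). Entries are dicts mapping an
attribute name to its list of values, as the directory would return them.
"""

# Hardened filter from section 6 as it reaches the directory (asterisk escaped as \*),
# beside the presence-filter variant that is easy to write by mistake.
FILTER_OK = "(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))"
FILTER_BAD = "(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=*)))"

# Constructed user entries; "account" is the cosine object class that permits "host".
ADMIN = {"objectClass": ["account", "posixAccount"], "uid": ["adminuser"], "host": ["app-server01"]}
DEV = {"objectClass": ["account", "posixAccount"], "uid": ["devuser"]}            # no host attribute
OPS = {"objectClass": ["account", "posixAccount"], "uid": ["opsuser"], "host": ["*"]}  # wildcard host

def _parse(f, i):
    """Parse one parenthesised filter starting at f[i]; return (node, index after it)."""
    if f[i + 1] in "&|":                     # (&...) or (|...): collect the child filters
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1             # skip the closing ")"
    end = f.index(")", i)                    # (attr=value)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr, value), end + 1

def _match(node, entry):
    if node[0] == "&":
        return all(_match(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_match(k, entry) for k in node[1])
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]   # equality matching is case-insensitive
    if value == "*":                                    # presence filter: any value at all
        return bool(values)
    return value.replace("\\*", "*").lower() in values  # exact value; "\*" means a literal "*"

def authorized(filter_template, entry, username, hostname, fqdn):
    """Substitute nslcd's $username/$hostname/$fqdn and evaluate the filter for one login."""
    f = (filter_template.replace("$username", username)
         .replace("$hostname", hostname).replace("$fqdn", fqdn))
    node, _ = _parse(f, 0)
    return _match(node, entry)
```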
8. Restricting su Command Usage
To prevent unauthorized su transitions after LDAP authentication,
update the PAM configuration file.
Edit /etc/pam.d/su and enable:
auth required pam_wheel.so use_uid
Allow only members of the wheel group to use su:
# usermod -aG wheel adminuser
Other users (devuser, qauser, etc.) will be denied su access.
9. Additional SSH Restrictions (Optional)
You can further limit SSH access by IP address using the SSH daemon configuration.
In /etc/ssh/sshd_config:
AllowUsers adminuser@192.168.10.50
AllowUsers svcbackup@10.20.0.*
Restart SSH:
# systemctl restart sshd
SSH-level restrictions take precedence over LDAP host control.
LDAP policies manage access per user, while SSH policies reinforce security per network.
10. Log Verification
If LDAP host access control isn’t working as expected,
check the following logs for troubleshooting:
| Log Type | File Path |
|---|---|
| LDAP authentication logs | /var/log/secure or /var/log/auth.log |
| nslcd connection logs | /var/log/messages |
| SSH access attempts | /var/log/secure |
| su denial events | auditd logs or /var/log/secure |
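As an added example (not a tool from the post) of working through the section 10 logs, the helper below scans constructed /var/log/secure-style lines for sshd PAM account denials and FAILED SU events and groups them by host and user. The sample lines are constructed to follow the usual syslog layout, and the sshd PAM account line is also produced by other account-phase modules (pam_access, expired passwords), so a hit is a lead for checking the user's host attribute, not proof of an LDAP denial.

```python
"""Triage helper for the logs listed in section 10: added example, not a tool from the post.

It scans /var/log/secure-style lines for the two denials this setup produces:
sshd rejecting a user whose entry fails pam_authz_search (reported by sshd as a
PAM account failure) and su being refused by pam_wheel (logged as FAILED SU).
"""
import re

# Constructed sample lines modelled on typical /var/log/secure entries, not captured from a host.
SAMPLE_SECURE_LOG = """\
Nov 13 09:12:01 db-server01 sshd[2211]: fatal: Access denied for user adminuser by PAM account configuration [preauth]
Nov 13 09:13:44 app-server01 sshd[2290]: Accepted publickey for adminuser from 192.168.10.50 port 51522 ssh2
Nov 13 09:15:10 app-server01 su[2345]: FAILED SU (to root) devuser on pts/1
Nov 13 09:16:02 app-server01 su[2360]: FAILED SU (to root) qauser on pts/2
"""

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
PAM_ACCOUNT_DENY = re.compile(SYSLOG_PREFIX + r"sshd\[\d+\]: fatal: Access denied for user (?P<user>\S+) by PAM account configuration")
SU_FAILED = re.compile(SYSLOG_PREFIX + r"su\[\d+\]: FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)")

def summarize(log_text):
    """Return (host, user) pairs denied at the PAM account stage and (host, user, target) failed su attempts."""
    ldap_host_denials, su_failures = [], []
    for line in log_text.splitlines():
        m = PAM_ACCOUNT_DENY.match(line)
        if m:
            ldap_host_denials.append((m["host"], m["user"]))
            continue
        m = SU_FAILED.match(line)
        if m:
            su_failures.append((m["host"], m["user"], m["target"]))
    return {"ldap_host_denials": ldap_host_denials, "su_failures": su_failures}

if __name__ == "__main__":
    for kind, events in summarize(SAMPLE_SECURE_LOG).items():
        print(kind, events)
```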
11. Conclusion
This configuration provides:
- LDAP-based Host Access Control — restrict user SSH logins by hostname
- su Security Enforcement — limit root transitions to wheel group members only
- Complementary SSH Policy — combine LDAP and IP-based restrictions
- Unified Access Governance — consolidate authentication, authorization, and auditing in OpenLDAP
With this, the OpenLDAP security architecture now fully enforces
server-level access and account transition control for production environments.
🛠 Last modified: 2025.11.13
ⓒ 2025 엉뚱한 녀석의 블로그 [quirky guy's Blog]. All rights reserved. Unauthorized copying or redistribution of the text and images is prohibited. When sharing, please include the original source link.