OpenLDAP-Based Central Authentication Architecture (Part 5) — Host-Based Access Control and su Restriction

1. Overview

This post explains how to configure host-based access control and su command restrictions in an OpenLDAP-integrated Linux authentication environment.

By applying these controls, you can:

  • Allow specific users to log in only to designated servers, and
  • Prevent general users from switching to root or other privileged accounts using su.

⚠️ Note:
All IP addresses, usernames, hostnames, and domain names are examples.
Modify them according to your organization’s security and infrastructure policies.


2. Architecture Overview

The host-based LDAP authentication flow works as follows:

[User SSH Login]
   ↓
[PAM → nslcd → OpenLDAP]
   ↓
(Check user’s "host" attribute)
   ↓
[Allow login only if hostname matches allowed entries]

Each server is represented by a host object in the LDAP directory,
and users must have a corresponding host attribute assigned in their LDAP entry to be granted login access.


3. LDAP Host Object Structure

Example Directory Tree

dc=example,dc=com
 ├── ou=hosts
 │    ├── cn=app-server01
 │    ├── cn=app-server02
 │    └── cn=db-server01
 └── ou=people
      ├── uid=adminuser
      └── uid=devuser

Each host entry includes the server’s hostname and IP address.


4. Creating Host Entries (on the LDAP Server)

File: /etc/openldap/ldif/host.ldif

dn: ou=hosts,dc=example,dc=com
objectClass: organizationalUnit
ou: hosts

dn: cn=app-server01,ou=hosts,dc=example,dc=com
objectClass: ipHost
objectClass: device
cn: app-server01
ipHostNumber: 192.168.10.11

dn: cn=db-server01,ou=hosts,dc=example,dc=com
objectClass: ipHost
objectClass: device
cn: db-server01
ipHostNumber: 192.168.10.21

Apply the entries:

# ldapadd -x -W -D "cn=manager,dc=example,dc=com" -f /etc/openldap/ldif/host.ldif

5. Adding the host Attribute to User Entries

Using ldapmodify or an LDAP management tool,
add a host attribute to specify which servers a user can access.
The host attribute is defined in the cosine schema and is permitted by the account object class;
if the user entry has no object class that allows host, the modification is rejected with an object class violation.

Example: allow uid=adminuser to log in only to app-server01.

dn: uid=adminuser,ou=people,dc=example,dc=com
changetype: modify
add: host
host: app-server01

Apply:

# ldapmodify -x -W -D "cn=manager,dc=example,dc=com" -f /etc/openldap/ldif/user_host.ldif

6. Client Configuration — Enabling LDAP Host Control

CentOS / RHEL

Edit /etc/nslcd.conf and add the following line:

pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))

The pam_authz_search directive makes nslcd run this search when PAM asks whether the user is authorized;
access is granted only if at least one entry matches. $hostname and $fqdn are replaced with the client's
short and fully qualified host names, so the user is accepted only when one of them appears in the user's
host attribute, or when the attribute holds the literal value * (a user allowed on every host).
The asterisk must be escaped as shown (the form used in the nslcd.conf manual page): an unescaped (host=*)
is a presence test that matches any user carrying any host value and would let uid=adminuser log in to db-server01.
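The following added example (not part of the original post) models nslcd's pam_authz_search decision in plain Python to show why the escape matters: a small RFC 4515 filter evaluator is run against a constructed directory (the uid=opsuser entry with host: * and the example.com FQDNs are assumptions), once with the presence filter and once with the escaped literal, written here with the RFC 4515 hex escape \2a for the asterisk.

```python
import re

# Constructed sample directory (not data from the post): attribute name -> list of values.
DIRECTORY = [
    {"uid": ["adminuser"], "objectClass": ["posixAccount", "account"], "host": ["app-server01"]},
    {"uid": ["devuser"], "objectClass": ["posixAccount"]},                            # no host attribute
    {"uid": ["opsuser"], "objectClass": ["posixAccount", "account"], "host": ["*"]},  # literal "*": any host
]

# Presence form: (host=*) is true for every entry that has any host value at all.
PRESENCE_FILTER = "(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=*)))"
# Escaped form: \2a is the RFC 4515 hex escape for a literal asterisk, so only "host: *" entries match.
ESCAPED_FILTER = r"(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\2a)))"

def unescape(value):
    """Decode RFC 4515 backslash-hex escapes, e.g. '\\2a' -> '*'."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(flt, i=0):
    """Parse the RFC 4515 subset used here: (&...), (|...), (attr=value), (attr=*)."""
    if flt[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if flt[i] in "&|":
        op, children, i = ("and" if flt[i] == "&" else "or"), [], i + 1
        while flt[i] == "(":
            node, i = parse(flt, i)
            children.append(node)
        return (op, children), i + 1          # skip the closing ')'
    end = flt.index(")", i)
    attr, value = flt[i:end].split("=", 1)
    if value == "*":
        return ("present", attr), end + 1
    return ("eq", attr, unescape(value)), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive, like caseIgnoreMatch)."""
    if node[0] == "and":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "or":
        return any(matches(c, entry) for c in node[1])
    values = entry.get(node[1], [])
    if node[0] == "present":
        return bool(values)
    return any(v.lower() == node[2].lower() for v in values)

def authz_allowed(template, username, hostname, fqdn, directory=DIRECTORY):
    """Mimic pam_authz_search: substitute the variables, grant access if any entry matches."""
    flt = template.replace("$username", username).replace("$hostname", hostname).replace("$fqdn", fqdn)
    tree, _ = parse(flt)
    return any(matches(tree, e) for e in directory)

if __name__ == "__main__":
    for name, flt in (("presence (host=*)", PRESENCE_FILTER), ("escaped (host=\\2a)", ESCAPED_FILTER)):
        print(name, "adminuser@db-server01 ->", authz_allowed(flt, "adminuser", "db-server01", "db-server01.example.com"))
```

With the presence filter adminuser is accepted on db-server01, which contradicts the test scenarios below; with the escaped filter only the host-matched user and the host: * user get in.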

Update /etc/nsswitch.conf:

hosts: files dns myhostname ldap

Restart services:

# systemctl restart nslcd
# systemctl restart nscd

7. Test Scenarios

Scenario                                      | Expected Result
----------------------------------------------|--------------------------
uid=adminuser logs in to app-server01         | ✅ Login succeeds
uid=adminuser tries db-server01               | ❌ Access denied
uid=devuser (no host attribute) logs in       | ❌ Authentication denied

8. Restricting su Command Usage

To prevent unauthorized su transitions after LDAP authentication,
update the PAM configuration file.

Edit /etc/pam.d/su and enable:

auth       required   pam_wheel.so use_uid

Allow only members of the wheel group to use su:

# usermod -aG wheel adminuser

Other users (devuser, qauser, etc.) will be denied su access.


9. Additional SSH Restrictions (Optional)

You can further limit SSH access by IP address using the SSH daemon configuration.

In /etc/ssh/sshd_config:

AllowUsers adminuser@192.168.10.50
AllowUsers svcbackup@10.20.0.*

Restart SSH:

# systemctl restart sshd

SSH-level restrictions take precedence over LDAP host control.
LDAP policies manage access per user, while SSH policies reinforce security per network.


10. Log Verification

If LDAP host access control isn’t working as expected,
check the following logs for troubleshooting:

Log Type                   | File Path
---------------------------|------------------------------------------
LDAP authentication logs   | /var/log/secure or /var/log/auth.log
nslcd connection logs      | /var/log/messages
SSH access attempts        | /var/log/secure
su denial events           | auditd logs or /var/log/secure

11. Conclusion

This configuration provides:

  • LDAP-based Host Access Control — restrict user SSH logins by hostname
  • su Security Enforcement — limit root transitions to wheel group members only
  • Complementary SSH Policy — combine LDAP and IP-based restrictions
  • Unified Access Governance — consolidate authentication, authorization, and auditing in OpenLDAP

With this, the OpenLDAP security architecture now fully enforces
server-level access and account transition control for production environments.

ⓒ 2025 엉뚱한 녀석의 블로그 [quirky guy's Blog]. All rights reserved. Unauthorized copying or redistribution of the text and images is prohibited. When sharing, please include the original source link.

🛠 Last modified: 2025.10.25