Merge "Update deny access procedure for WAD users to use pam configuration"
commit
d580140e8d
@ -8,9 +8,10 @@ Add LDAP Users to Linux Groups Using PAM Configuration
======================================================
The Linux pam_group module enables binding/mapping of |LDAP| users/groups to a
specified list of one or more Linux groups. The mapping will occur after the
|SSSD| service has discovered the |LDAP| users and groups and cached them on the
host.
specified list of one or more Linux groups. The mapping allows Linux
capabilities (via the Linux groups) to be assigned to the |LDAP| users/groups.
The mapping will occur after the |SSSD| service has discovered the |LDAP| users
and groups and cached them on the host.
The mapping between the discovered |LDAP| users and their group membership to the
local Linux groups works for all Linux groups, including system groups, such as
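Review bot: "Linux capabilities (via the Linux groups)" in the added sentence of this hunk is misleading, because "capabilities" is a distinct Linux term (the CAP_* kernel capability bits); pam_group adds supplementary group membership at login, and the groups in turn grant whatever they are permitted to do. Suggest "allows privileges (via membership in the Linux groups) to be assigned to the |LDAP| users/groups."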
@ -18,8 +19,9 @@ local Linux groups works for all Linux groups, including system groups, such as
.. note::
The procedure described in this section applies to all the |LDAP| users, both local
OpenLDAP and |LDAP| users in the remote Windows Active Directory servers.
The procedure described in this section applies to all the |LDAP| users,
both Local |LDAP| and |LDAP| users in the remote Windows Active Directory
servers.
.. rubric:: |proc|
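Review bot: the rewritten note reads awkwardly, since "both Local |LDAP| and |LDAP| users in the remote Windows Active Directory servers" pairs an adjective with a noun phrase. Suggest "applies to all |LDAP| users, both local |LDAP| users and |LDAP| users in remote Windows Active Directory servers." The capitalised "Local" mid-sentence is also inconsistent with "Create a local |LDAP| user" later in this change; pick one form and use it throughout.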
@ -89,11 +91,15 @@ privileges:
[pvtest1@wad.mydomain.com@controller-0 ~(keystone_admin)]$ groups
eng@wad.mydomain.com root sudo sys_protected pvtest@wad.mydomain.com
Local OpenLDAP user example:
Local |LDAP| user example:
Add the line ``;%managers;Al0000-2400;sys_protected,root,sudo`` in
``/etc/security/group.conf`` to map users of the local OpenLDAP group
``managers`` to linux groups: ``sys_protected``, ``root`` and ``sudo``.
Add the following line in ``/etc/security/group.conf`` to map users of the
Local |LDAP| group ``managers`` to linux groups: ``sys_protected``, ``root``
and ``sudo``.
.. code-block::
*;*;%managers;Al0000-2400;sys_protected,root,sudo
Log in with user ``johndole`` from ``managers`` group and check the user's
group memberships and privileges.
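Review bot: the new code-block fixes the missing leading fields of the old inline example (``;%managers;Al0000-2400;...`` lacked the service and tty columns), but nothing in the text explains the five semicolon-separated fields of ``/etc/security/group.conf``, so a reader cannot tell that ``*;*`` matches every PAM service and tty and that ``Al0000-2400`` means all days, 00:00 to 24:00. Suggest one sentence before the block naming the fields (services;ttys;users;times;groups) and stating that the listed groups are added as supplementary groups at login. Minor: "linux groups" should be "Linux groups", as elsewhere in the file.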
@ -1,35 +1,23 @@
.. _selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c:
========================================================
Selectively Disable SSH for Local OpenLDAP and WAD Users
========================================================
====================================================
Selectively Disable SSH for Local LDAP and WAD Users
====================================================
Local OpenLDAP and |WAD| servers are used for K8s API and |SSH| authentication.
Thus, it is necessary to disallow |SSH| authentication for selective users.
Local LDAP and |WAD| servers are used for K8s API and |SSH| authentication.
In some cases, it may be necessary to disallow |SSH| authentication for selective users or a
group of users.
---------------------------------
Linux Group denyssh Configuration
---------------------------------
The Linux group ``denyssh`` is a system created group which is preconfigured in
the |SSHD| configuration such that any member of this group is denied |SSH| access.
The Linux group ``denyssh`` is a pre-configured group to which all the |LDAP| users with
denied |SSH| access will be added. The group is configured in the |SSHD|
configuration file ``/etc/ssh/sshd_config`` and will be available to use after
system deployment.
Check the ``denyssh`` Linux group created at platform installation:
.. code-block::
[sysadmin@controller-0 ~(keystone_admin)]$ getent group denyssh
denyssh:x:10000
----------------------------------
Deny SSH Access for OpenLDAP Users
----------------------------------
--------------------------------
Deny SSH Access Local LDAP Users
--------------------------------
.. rubric:: |proc|
#. Create an OpenLDAP user with the :command:`ldapusersetup` command and add
#. Create a local |LDAP| user with the :command:`ldapusersetup` command and add
the user to Linux group ``denyssh`` during the creation of the |LDAP| user
account.
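Review bot: the new section title "Deny SSH Access Local LDAP Users" drops the preposition the old title had; it should read "Deny SSH Access for Local LDAP Users", with the overline and underline lengthened to match (RST requires the adornment to be at least as long as the title). Two consistency points in the same hunk: the rewritten intro sentence uses bare "Local LDAP" while the rest of this change uses the ``|LDAP|`` substitution, and the label ``selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c`` still says "openldap"; keeping the label unchanged is the right call for existing links, but a short comment would stop someone from renaming it later. The replacement paragraph on ``denyssh`` also lost the statement that any member of the group is denied |SSH| access; saying which ``/etc/ssh/sshd_config`` directive the group is listed in (``DenyGroups``, if that is how it is preconfigured) would make the mechanism clear to the reader.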
@ -67,16 +55,12 @@ Deny SSH Access for OpenLDAP Users
sysadmin@controller-0:~$ getent group|grep denyssh
denyssh:x:10000:test1
#. Log in as user ``test1``.
#. Ssh as user ``test1``.
The login should be denied.
The ssh should be denied.
#. Remove the user from ``denyssh`` group.
#. Attempt to :command:`ssh` as the user.
The :command:`ssh` should be successful.
Example:
.. code-block::
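Review bot: the replacement steps use bare "Ssh"/"ssh" ("Ssh as user ``test1``", "The ssh should be denied") where the removed lines used the :command:`ssh` role; keep the role, e.g. "Attempt to :command:`ssh` as user ``test1``." and "The :command:`ssh` login should be denied." With the verification step moved after the ``id`` example, the step "Remove the user from ``denyssh`` group" is now immediately followed by "Example:", so a lead such as "Example: remove the user and verify its group list:" would make clear which step the code-block illustrates.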
@ -87,25 +71,48 @@ Deny SSH Access for OpenLDAP Users
[sysadmin@controller-0 ~(keystone_admin)]$ id test1
uid=10005(test1) gid=100(users) groups=100(users)
#. Ssh as user ``test1``.
The ssh should be allowed.
-----------------------------
Deny SSH Access for WAD Users
-----------------------------
.. rubric:: |proc|
#. Create a |WAD| group ``denyssh`` with the same GID as the Linux group ``denyssh``.
#. Create a |WAD| group or use an existing |WAD| group for the users that
should not have access to the platform.
#. Add the |WAD| user to the ``denyssh`` |WAD| group.
.. note::
#. Attempt to :command:`ssh` as the |WAD| user.
The |WAD| group used should have a name other than ``denyssh``.
The login should be denied.
#. Remove the user from |WAD| group ``denyssh``.
The user should be able to :command:`ssh`.
#. Add the |WAD| user to the |WAD| group.
.. note::
The |WAD| user you want to deny access to should not be a member of a
|WAD| group that has allowed access. The allowed user groups are
configured with the |SSSD| parameter ``ldap_access_filter``. Giving and
denying access to the user at the same time leads to inconsistent
authentication results.
#. Map the |WAD| group to the existing Linux group ``denyssh`` following the |PAM|
group configuration described in :ref:`add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1`.
Example: Add the following line in ``/etc/security/group.conf`` to map the
|WAD| group to the ``denysssh`` Linux group.
``*;*;%disallowed_users@wad.mydomain.com;Al0000-2400;denyssh``
#. Attempt to ssh as the |WAD| user.
The ssh should be denied.
#. Remove the user from the |WAD| group.
The user should be able to ssh.
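Review bot: ``denysssh`` in "map the |WAD| group to the ``denysssh`` Linux group" is a typo for ``denyssh``. Further points in this hunk: (1) the :ref: target ``add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1`` contains "pamcconfiguration"; confirm it matches the label in the target page character for character, since Sphinx only warns on a dangling reference and the link would silently degrade; (2) the example line ``*;*;%disallowed_users@wad.mydomain.com;Al0000-2400;denyssh`` is given as inline literal text, whereas the equivalent Local LDAP example uses a ``.. code-block::``; use the same directive here; (3) the note "The |WAD| group used should have a name other than ``denyssh``" gives no reason; suggest adding that the Linux group ``denyssh`` already exists on the host (see the ``getent group denyssh`` output earlier), so a same-named |WAD| group would be ambiguous when it is resolved; (4) the last two steps use bare "ssh" where the rest of the page uses :command:`ssh`.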