Configuring LDAP/PAM Account Restrictions for SSH Access While Preserving Local Unix Logins



When implementing LDAP authentication with PAM on Ubuntu Server, we often need to:

  1. Restrict SSH access to a specific LDAP UID range (2000-2999)
  2. Limit access to members of a designated LDAP group (ssh-users)
  3. Preserve local Unix account functionality

Your /etc/ldap.conf contains the correct base parameters:

pam_min_uid 2000
pam_max_uid 2999
pam_groupdn cn=ssh-users,ou=Groups,dc=example,dc=com

The key is proper PAM module ordering in /etc/pam.d/sshd:

# Standard Unix authentication: a local account that passes here ends the stack
auth sufficient pam_unix.so
account sufficient pam_unix.so

# LDAP authentication: a pam_ldap success ends the stack; any other result is
# ignored, and a stack that never records a success is denied by PAM
auth [success=done default=ignore] pam_ldap.so
account [success=done default=ignore] pam_ldap.so

Enable detailed logging in /etc/ldap.conf:

debug 5
pam_lookup_policy yes
pam_password exop

Check auth logs in real-time:

tail -f /var/log/auth.log | grep pam_ldap

Here's a verified configuration that maintains local access:

# /etc/pam.d/common-account
# Local account: on success jump over pam_ldap straight to pam_permit; otherwise fall through
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# Directory account: pam_ldap must pass (UID range and group from /etc/ldap.conf) or the stack stops with a denial
account requisite pam_ldap.so
account required pam_permit.so

For more granular control, consider using pam_access.so:

# /etc/security/access.conf
+ : (ssh-users) : ALL
+ : root : ALL
- : ALL : ALL

Then add it to the PAM account stack:

account required pam_access.so accessfile=/etc/security/access.conf

When dealing with large LDAP directories:

  • Set proper LDAP query timeouts
  • Implement local caching with nscd
  • Consider using sssd for better performance

When integrating LDAP authentication with local system accounts, we often need to implement selective access controls. The specific requirements in this case are:

  • Allow LDAP users with a UID in 2001-2999 AND membership of the ssh-users group to log in over SSH
  • Permit local system accounts to authenticate normally
  • Block LDAP users outside the specified UID range

The critical file we need to modify is /etc/pam.d/common-account. Here's the proper way to structure it:

# Directory account that passes the ldap.conf UID and group checks: stop here, access granted
account sufficient      pam_ldap.so
# Local account: on success jump over pam_deny (the stack then ends with a positive result)
account [success=1 default=ignore] pam_unix.so
# Anything neither module vouched for is refused
account required        pam_deny.so

For the LDAP-specific restrictions, your /etc/ldap.conf should contain:

pam_min_uid 2001
pam_max_uid 2999
pam_groupdn cn=ssh-users,ou=Groups,dc=example,dc=com
pam_member_attribute memberUid

If local users can't authenticate, verify:

# Check PAM stack processing
grep -vE '^#|^$' /etc/pam.d/sshd

# Test LDAP connectivity
ldapsearch -x -b 'dc=example,dc=com' '(uid=testuser)'

For more granular control, consider these additional parameters:

# In /etc/ldap.conf
pam_login_attribute uid
pam_filter objectClass=posixAccount
pam_password md5

The complete working solution combines these elements:

# /etc/pam.d/common-account
# Local account: a success jumps over pam_ldap and pam_deny straight to pam_permit
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
# Directory account: a pam_ldap success jumps over pam_deny; the UID range here mirrors
# pam_min_uid/pam_max_uid in /etc/ldap.conf, and the group check also comes from there
account [success=1 default=ignore] pam_ldap.so min_uid=2001 max_uid=2999
# Neither module vouched for the user: deny and stop; otherwise pam_permit records the success
account requisite pam_deny.so
account required pam_permit.so
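Before deploying one of these stacks, it helps to walk through how Linux-PAM's control flags decide each user type. The simulator below is an added example, not code from the original page or from Linux-PAM; it evaluates the ldap-first stack and the final combined stack above against constructed module outcomes. The outcomes are assumptions: pam_ldap succeeds only for a directory user inside the configured UID range and group, pam_unix fails for directory users because it holds no shadow record for them, and the last scenario shows what happens if pam_unix does vouch for such a user; the function names parse_line, evaluate and audit are hypothetical.

```python
# Offline simulator of Linux-PAM account-stack control flow (pam.conf(5) semantics).
KEYWORDS = {"required": {"success": "ok", "default": "bad"}, "requisite": {"success": "ok", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"}}

def parse_line(line):
    """'account [success=1 default=ignore] pam_unix.so' -> (actions, module)"""
    rest = line.split(None, 1)[1]
    if rest.startswith("["):                      # explicit [value=action] control
        ctl, module = rest[1:].split("]", 1)
        actions = dict(kv.split("=") for kv in ctl.split())
    else:                                         # keyword control
        ctl, module = rest.split(None, 1)
        actions = KEYWORDS[ctl]
    return actions, module.split()[0]             # module arguments are dropped

def evaluate(stack, outcomes):
    """outcomes: module -> 'success'/'fail'. Returns 'granted' or 'denied'."""
    impression, skip = None, 0                    # None = nothing decided yet
    for line in stack:
        if skip:                                  # success=N skips the next N modules
            skip -= 1
            continue
        actions, module = parse_line(line)
        result = "success" if module == "pam_permit.so" else outcomes.get(module, "fail")  # pam_deny: fail
        action = actions.get(result, actions.get("default", "bad"))
        if action in ("bad", "die"):              # a failure freezes a negative result
            impression = False
        elif action != "ignore" and impression is None:
            impression = True                     # ok / done / jump count as positive
        if action.isdigit():                      # a jump past the end just ends the stack
            skip = int(action)
        if action == "die" or (action == "done" and impression):
            break
    return "granted" if impression else "denied"  # an undecided stack is denied

# Two of the /etc/pam.d/common-account stacks quoted on this page.
STACKS = {
    "ldap-first": ["account sufficient pam_ldap.so",
                   "account [success=1 default=ignore] pam_unix.so", "account required pam_deny.so"],
    "combined": ["account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so",
                 "account [success=1 default=ignore] pam_ldap.so min_uid=2001 max_uid=2999",
                 "account requisite pam_deny.so", "account required pam_permit.so"]}
# Constructed outcomes (assumptions): pam_ldap succeeds only inside the ldap.conf UID range and
# group; pam_unix fails for directory users (no shadow record). Last case: pam_unix vouches anyway.
SCENARIOS = {"local user": {"pam_unix.so": "success", "pam_ldap.so": "fail"},
             "ldap user allowed": {"pam_unix.so": "fail", "pam_ldap.so": "success"},
             "ldap user rejected": {"pam_unix.so": "fail", "pam_ldap.so": "fail"},
             "rejected but unix vouches": {"pam_unix.so": "success", "pam_ldap.so": "fail"}}

def audit():
    return {n: {w: evaluate(s, o) for w, o in SCENARIOS.items()} for n, s in STACKS.items()}
```

Both stacks grant the local user and the in-range directory user and deny the out-of-range one, but both also grant the last scenario: the UID and group restriction holds only as long as pam_unix does not succeed for directory users, which is worth confirming against the pam_ldap lines in auth.log.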