Aug 29 2008

Restrict LDAP or NIS Users Access on Unix

Published by at 10:53 pm under Ldap,Linux




Many networks use LDAP or NIS to authenticate users on their servers. By default there is no policy control: every account in the central database is granted access to every host that consults it.
Access can be restricted to a chosen set of accounts by listing them in the local /etc/passwd file, provided the name service switch is running in compat mode. This works on most Unix systems, e.g. Linux (glibc), Solaris, AIX, etc.

nsswitch.conf file

On a default system the passwd database is set to "files". Change it to:

passwd: compat
passwd_compat: ldap

By default the compat source is nis, but this may be overridden by specifying nisplus or ldap as the source for the pseudo-database passwd_compat. Do the same for the shadow and group databases (shadow: compat / shadow_compat: ldap and group: compat / group_compat: ldap), otherwise password lookups and group memberships for the selected users will not follow the same policy.

Granting Access

A NIS or LDAP user can now be authorized to log in by adding an entry to /etc/passwd of the form:
+user:x:::::
or
+@netgroup:x:::::
if you use netgroups.
Specific users can also be excluded with -user, and everybody else allowed with a single + on the last line of /etc/passwd. Entries are processed top to bottom and the first match decides, so any -user exclusion must appear before the trailing +; an exclusion placed after the + is never reached. Verify the result with getent passwd user: an account that is not selected returns nothing, so as far as the host is concerned it does not exist and its logins fail regardless of the password. Note that this is enforcement by name resolution, not a PAM authorization check; files owned by excluded users will simply show numeric UIDs.
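To make the matching rules concrete, the following added example (not code from the original post) simulates how a compat-mode passwd lookup walks /etc/passwd. The directory map, the netgroup membership and the three passwd files are constructed sample data, and the override behaviour of non-empty fields on a + line is a simplified model of nss_compat. It covers the restrictive form (explicit +user and +@netgroup entries), the "everyone except" form, and the ordering mistake of putting the exclusion after the catch-all +.

```python
#!/usr/bin/env python3
"""Simulate how nss_compat (passwd: compat) resolves a getpwnam() call against an
/etc/passwd that mixes local users, +user, +@netgroup, -user selectors and a
trailing '+'.  Added example; all users, netgroups and passwd lines below are
constructed sample data, not from a real system."""

from typing import Dict, List, Optional, Set

# Constructed stand-in for the NIS/LDAP passwd map (name -> passwd(5) line).
DIRECTORY: Dict[str, str] = {
    "alice":   "alice:x:1001:1001:Alice:/home/alice:/bin/bash",
    "bob":     "bob:x:1002:1002:Bob:/home/bob:/bin/bash",
    "carol":   "carol:x:1003:1003:Carol:/home/carol:/bin/bash",
    "mallory": "mallory:x:1004:1004:Mallory:/home/mallory:/bin/bash",
}

# Constructed netgroup membership (netgroup -> users).
NETGROUPS: Dict[str, Set[str]] = {"admins": {"alice", "bob"}}

# Restrictive file: only alice and the admins netgroup; mallory explicitly denied.
PASSWD_RESTRICTED = """\
root:x:0:0:root:/root:/bin/bash
+alice:x:::::
+@admins:x:::::/bin/sh
-mallory:x:::::
"""

# Common mistake: the catch-all '+' precedes the exclusion, so a lookup of
# mallory matches the '+' and the '-mallory' line is never reached.
PASSWD_WRONG_ORDER = """\
root:x:0:0:root:/root:/bin/bash
+:x:::::
-mallory:x:::::
"""

# Correct form of "everyone except mallory": exclusions first, '+' last.
PASSWD_ALLOW_ALL_BUT = """\
root:x:0:0:root:/root:/bin/bash
-mallory:x:::::
+:x:::::
"""


def _apply_overrides(dir_line: str, local_fields: List[str]) -> str:
    """Simplified model: non-empty passwd/gecos/dir/shell fields on a '+' line
    replace the directory values; uid and gid always come from the directory."""
    f = dir_line.split(":")
    for idx in (1, 4, 5, 6):
        if idx < len(local_fields) and local_fields[idx]:
            f[idx] = local_fields[idx]
    return ":".join(f)


def _in_netgroup(name: str, netgroup: str, netgroups: Dict[str, Set[str]]) -> bool:
    return name in netgroups.get(netgroup, set())


def resolve(name: str, passwd_text: str,
            directory: Dict[str, str] = DIRECTORY,
            netgroups: Dict[str, Set[str]] = NETGROUPS) -> Optional[str]:
    """Return the passwd line a compat lookup of `name` yields, or None.
    Lines are processed top to bottom and the first match decides."""
    for raw in passwd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        key = fields[0]
        if key.startswith("-"):                       # exclusion: -user / -@netgroup
            sel = key[1:]
            if sel.startswith("@"):
                if _in_netgroup(name, sel[1:], netgroups):
                    return None
            elif sel == name:
                return None
        elif key.startswith("+"):                     # inclusion: +, +user, +@netgroup
            sel = key[1:]
            if sel == "":
                matched = name in directory           # bare '+': anyone in the directory
            elif sel.startswith("@"):
                matched = _in_netgroup(name, sel[1:], netgroups)
            else:
                matched = sel == name
            if matched and name in directory:
                return _apply_overrides(directory[name], fields)
        elif key == name:                             # ordinary local account
            return line
    return None


def access_report(passwd_text: str) -> Dict[str, bool]:
    """Which directory users resolve (and can therefore log in) under this file."""
    return {u: resolve(u, passwd_text) is not None for u in DIRECTORY}


if __name__ == "__main__":
    for label, text in (("restricted", PASSWD_RESTRICTED),
                        ("wrong order", PASSWD_WRONG_ORDER),
                        ("all but mallory", PASSWD_ALLOW_ALL_BUT)):
        print(f"{label:16s} {access_report(text)}")
```

Running it shows that under the restrictive file only alice and bob resolve (bob with the shell overridden by the +@admins line), that mallory still resolves when the -mallory line follows the +, and that moving the exclusion above the + denies mallory while admitting everybody else.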

