Aug 29 2008

Restrict LDAP / NIS User Access on Unix

Published by at 10:53 pm under Ldap,Linux

Many networks use LDAP or NIS to authenticate users on Linux servers and other Unix flavours. By default there is no access policy: every account in the central LDAP database can log in on every server.
Access can be restricted to selected accounts by listing them in the local passwd file once the compat mode is enabled. This works on most of the Unix family: Linux, Solaris, AIX, etc.


nsswitch.conf File Settings

“files” is the passwd source on a default system. Change it to “compat” to authenticate against your central user base:

passwd: compat
passwd_compat: ldap


By default the compat source is NIS, but this can be overridden by specifying nisplus or ldap as the source for the pseudo-database passwd_compat.


Grant Access to LDAP / NIS users

Once the passwd database is set to compat with NIS or LDAP, users can be authorized to log in on a specific server by adding an entry to /etc/passwd of the following form:
+user:x:::::
or, if you have netgroups in your LDAP or NIS user base:
+@netgroup:x:::::

It is also possible to exclude specific users with -user, and to allow everybody else with a single + entry at the end of /etc/passwd. This gives some flexibility in restricting LDAP users' access.
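The following Python script is an added illustration, not part of the original post, of how the +user, +@netgroup, -user and bare + entries described above decide who gets in. The central directory, netgroup map and the three /etc/passwd variants are constructed sample data; the matching rules follow glibc's nss_compat behaviour as the example's author understands it (entries are read top to bottom and the first + or - entry that matches a name wins), which is why a -user line placed after a bare + has no effect.

```python
"""Simulate how compat-mode entries in /etc/passwd decide which central
(LDAP/NIS) accounts may log in.  Added illustration with constructed data;
the rules mirror glibc nss_compat: entries are read top to bottom and the
first +/- entry that matches a name wins."""

# Constructed central directory, standing in for the LDAP/NIS passwd map.
DIRECTORY = {
    "alice": "alice:x:2001:2001:Alice:/home/alice:/bin/sh",
    "bob": "bob:x:2002:2002:Bob:/home/bob:/bin/sh",
    "carol": "carol:x:2003:2003:Carol:/home/carol:/bin/sh",
    "dave": "dave:x:2004:2004:Dave:/home/dave:/bin/sh",
}

# Constructed netgroup map: netgroup name -> member user names.
NETGROUPS = {"dbadmins": {"carol", "dave"}}

# Constructed /etc/passwd: admit alice and the dbadmins netgroup, but
# exclude dave even though he is a member of dbadmins.
PASSWD_RESTRICTED = """\
root:x:0:0:root:/root:/bin/sh
-dave:x:::::
+alice:x:::::
+@dbadmins:x:::::
"""

# Same intent, but open to everyone else: the exclusion comes first,
# then a bare + admits the rest of the directory.
PASSWD_OPEN = """\
root:x:0:0:root:/root:/bin/sh
-dave:x:::::
+::::::
"""

# Mistake: the bare + precedes the exclusion, so -dave is never reached.
PASSWD_WRONG_ORDER = """\
root:x:0:0:root:/root:/bin/sh
+::::::
-dave:x:::::
"""


def _matches(target, name, netgroups):
    """True if a +/- target ("" for everyone, "@ng" for a netgroup,
    otherwise a user name) applies to `name`."""
    if target == "":
        return True
    if target.startswith("@"):
        return name in netgroups.get(target[1:], set())
    return target == name


def lookup(name, passwd_text, directory=DIRECTORY, netgroups=NETGROUPS):
    """Return the passwd line that compat resolution yields for `name`,
    or None when the account is unknown or explicitly excluded."""
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        key = line.split(":", 1)[0]
        if key.startswith("-"):
            if _matches(key[1:], name, netgroups):
                return None  # explicit exclusion, processing stops here
        elif key.startswith("+"):
            if _matches(key[1:], name, netgroups) and name in directory:
                return directory[name]  # entry pulled from the central map
        elif key == name:
            return line  # ordinary local account
    return None  # no entry admits this name


def granted_accounts(passwd_text, directory=DIRECTORY, netgroups=NETGROUPS):
    """Audit helper: which central accounts does this passwd file let in?"""
    return sorted(n for n in directory
                  if lookup(n, passwd_text, directory, netgroups) is not None)


if __name__ == "__main__":
    for label, text in (("restricted", PASSWD_RESTRICTED),
                        ("open", PASSWD_OPEN),
                        ("wrong order", PASSWD_WRONG_ORDER)):
        print(f"{label:12}: {granted_accounts(text)}")
```

Running the script shows the restricted file admitting only alice and carol, the open file admitting everyone but dave, and the wrong-order file admitting all four, dave included. The granted_accounts helper is the kind of review worth doing on a server's passwd file before rollout. On glibc systems the same split is needed for the group and shadow databases (group: compat with group_compat, shadow: compat with shadow_compat), otherwise password hashes or group memberships for the admitted users may still not resolve.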

