RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Description of problem:

Cannot restrict authentication to a specific ldap group

Version-Release number of selected component (if applicable):

OpenLDAP Server : 2.3.99

nss-pam-ldapd-0.8.13-8 (on client machine)

How reproducible: ssh to a server with LDAP client configured for group authentication


Steps to Reproduce:
1. ssh to a server
2. login with ldap credentials


Actual results:

Authentication works for all users

Expected results:

Authentication should work only for the members of a specific LDAP group


Additional info:


Since we decided to upgrade our systems to Red Hat 7 , we found out that the pam_ldap.conf file doesn't exist anymore.

Authentication using open ldap is working but without a restriction to a specific  LDAP group.

 
On our Red Hat 6 systems we use the following configuration (on /etc/pam_ldap.conf):

pam_groupdn             cn=groupname@company,ou=groups,ou=Company,dc=staff,dc=company
pam_member_attribute    memberUid
nss_base_group          ou=system_groups,ou=Company,dc=staff,dc=company?one


With the above configuration we can restrict access only for the specified “groupname@company” LDAP group.

Is there any way to make the same configuration on Red Hat 7 with nslcd?

This seems to be an nss-pam-ldapd bug as it is reported against it's latest NVR. Changing the component.

First, please try to use SSSD, not nss-pam-ldapd. SSSD is the recommended and preferred LDAP client. With SSSD, you would configure access_provider=simple and simple_allow_groups = system_groups.

Second, in RHEL-7, we switched from PADL's pam_ldap to nss-pam-ldapd's pam_ldap so options differ. To accomplish what you want, you should construct pam_authz_search in nslcd.conf so that it matches only those user entries that are allowed to login. Please see the description of pam_authz_search in the nslcd.conf man page.

I don't think this is a bug, just misconfiguration. Please reopen if you think pam_authz_search is not working on RHEL-7.