Add LDAP Users to Linux Groups Using PAM Configuration¶
The Linux pam_group module enables binding/mapping of LDAP users/groups to a specified list of one or more Linux groups. The mapping will occur after the SSSD service has discovered the LDAP users and groups and cached them on the host.
The mapping between the discovered LDAP users and their group membership to the
local Linux groups works for all Linux groups, including system groups, such as
sudo and root.
Note
The procedure described in this section applies to all the LDAP users, both local OpenLDAP and LDAP users in the remote Windows Active Directory servers.
Procedure
Perform the following PAM configuration on all the hosts after the system is installed:
To configure pam_group module, add the following line to the top of the
/etc/pam.d/common-authfile after the comments.auth required pam_group.so use_first_pass
Update
/etc/security/group.confwith LDAP groups mapping to Linux groups.For each LDAP group mapping to a local Linux group(s), the following line needs to be added to the bottom of the
/etc/security/group.conffile using the formatservices;ttys;users;times;groups:*;*;%<fully qualified wad group name>;Al0000-2400;<list of local Linux groups>
Where,
Al0000-2400stands for times. It is used to indicate when these groups are available to the user. The times format is a logical list of day/time-range entries.Alstands for all seven days of the week.Each day/time-range can be prefixed with a ! to indicate anything but.
The time-range part is two 24-hour times HHMM separated by a hyphen that indicates the start and finish time. More information on the line format can be found in the file
/etc/security/group.conf.For example:
*;*;%pvtest@wad.mydomain.com;Al0000-2400;sys_protected,root,sudo
The example above can be read as: For all services and all ttys, members(%) of
pvtest@wad.mydomain.comgroup, for all days and times (Al0000-2400), add these users to the following local Linux groups:sys_protected,root, andsudo.Note
The pam_group configuration will enforce the LDAP group membership in Linux groups, after a LDAP mapped group member is successfully authenticated in the platform, either with SSH or direct login.
After the login of a LDAP user that is part of a mapped LDAP group, you can view the new membership to Linux groups. The LDAP user memberships and privileges set with the above example mapping gives a user the following sudo privileges:
WAD user example:
Last login: Mon Jul 8 12:53:12 2024 from 10.10.10.1
pvtest1@wad.mydomain.com@controller-0:~$ source /etc/platform/openrc
[pvtest1@wad.mydomain.com@controller-0 ~(keystone_admin)]$ sudo su
Password:
root@controller-0:/var/home/wad.mydomain.com/pvtest1# groups
root
root@controller-0:/var/home/wad.mydomain.com/pvtest1# exit
exit
[pvtest1@wad.mydomain.com@controller-0 ~(keystone_admin)]$ groups
eng@wad.mydomain.com root sudo sys_protected pvtest@wad.mydomain.com
Local OpenLDAP user example:
Add the line ;%managers;Al0000-2400;sys_protected,root,sudo in
/etc/security/group.conf to map users of the local OpenLDAP group
managers to linux groups: sys_protected, root and sudo.
Log in with user johndole from managers group and check the user’s
group memberships and privileges.
johndole@controller-0:~$ id
uid=10007(johndole) gid=100(users) groups=100(users),0(root),27(sudo),345(sys_protected),10001(managers)
johndole@controller-0:~$ source /etc/platform/openrc
[johndole@controller-0 ~(keystone_admin)]$ kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* kubernetes-admin@kubernetes kubernetes kubernetes-admin
[johndole@controller-0 ~(keystone_admin)]$ groups
users root sudo sys_protected managers
[johndole@controller-0 ~(keystone_admin)]$
[johndole@controller-0 ~(keystone_admin)]$ sudo -l
Password:
Matching Defaults entries for johndole on controller-0:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
lecture=never,
secure_path=/usr/local/bin\:/usr/bin\:/bin\:/usr/local/sbin\:/usr/sbin\:/sbin,
lecture=never,
secure_path=/usr/local/bin\:/usr/bin\:/bin\:/usr/local/sbin\:/usr/sbin\:/sbin,
passprompt="Password: "
User johndole may run the following commands on controller-0:
(ALL : ALL) ALL
(ALL) ALL
[johndole@controller-0 ~(keystone_admin)]$
