LDAP auth for hosts: the same user should have different posixGroup memberships when logging in to different machines (hosts)

Any idea on how to achieve the following objective with an OpenLDAP server and Unix clients?

Objective: a) Each user should have separate access restrictions to different hosts (Unix servers) through LDAP server settings. b) Each such logged-in user (if permitted) should have separate posixGroup memberships on different machines, based on the LDAP server settings. For example, user janaki shall be a member of the sudo posixGroup on server-1 but not on server-2.

I was able to achieve the part-a objective as follows:

Create separate groups (objectClass groupOfNames) with a member attribute for each machine/host that requires separate access restrictions for users, using the LDAP overlays memberof and refint. Add users (posixAccount) to these groups (type groupOfNames) in the LDAP server to enable auth access to each server. On the client machine (Unix server), add an nss_base_passwd filter to test memberof=cn=group-name (group-name representing this server in LDAP). This is successful and is working.

What is required is how to achieve part-b. That is, what configurations are required in the OpenLDAP server and the Unix clients to achieve this?

Regards, Janaki

You can use the object class posixGroup in LDAP. This object class allows you to create groups that correspond to Unix groups on each client computer. You can then add users to these groups by using the memberUid attribute, which specifies the user's UID. On client machines, you can configure the nss_base_group filter in the /etc/ldap.conf file to retrieve posixGroup objects from the LDAP server. This allows the client computer to use the group membership information from the LDAP server to determine users' Unix group membership when they log on. Another thing that I might suggest is to use the pam_ldap module to authenticate users and set their group membership based on the LDAP server settings when they log in.

Edit 1 (check comments for reference): Yes, you can use the posixGroup object class and the nss_base_group filter to achieve the objective of having different Unix group memberships for different users on different client machines.

To do this, you can create posixGroup objects in the LDAP server for each group that you want to use on the client machines. You can then use the memberUid attribute to specify the UIDs of the users who are members of each group.

On the client machines, you can configure the nss_base_group filter in the /etc/ldap.conf file to retrieve the posixGroup objects from the LDAP server. For example, you can add the following line to the /etc/ldap.conf file on the client machine:

nss_base_group  ou=Groups,dc=example,dc=com?one

This will cause the client machine to search the Groups OU in the LDAP server for posixGroup objects and use the information from those objects to set the Unix group membership for the users when they log in.

As for using the pam_ldap module to authenticate users and set their group membership based on the LDAP server settings when they log in, it is possible to do this. The pam_ldap module can be configured to use the LDAP server to authenticate users and set their group membership when they log in to the client machine.

To use the pam_ldap module, you can add the following line to the /etc/pam.d/common-auth file on the client machine:

auth sufficient pam_ldap.so

This will cause the pam_ldap module to authenticate the users using the LDAP server and set their group membership based on the information in the LDAP server.
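As an added example (not part of the answer above), this LDIF shows one way the posixGroup/nss_base_group approach gives the same user different group memberships per host: each host gets its own subtree under ou=Groups, and each client's nss_base_group base points only at its own subtree. All DNs, the gidNumber and the ldap.conf lines are assumptions for illustration.

```ldif
# Added example, not from the original answer. Per-host group subtrees so the
# same user resolves to different posixGroup memberships depending on which
# host performs the NSS lookup. DNs and gidNumber values are assumed.

# One organizational unit per host under ou=Groups.
dn: ou=server-1,ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: server-1

dn: ou=server-2,ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: server-2

# "sudo" group as seen by server-1: janaki is a member.
dn: cn=sudo,ou=server-1,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: sudo
gidNumber: 27
memberUid: janaki

# "sudo" group as seen by server-2: same cn and gidNumber, but no janaki.
dn: cn=sudo,ou=server-2,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: sudo
gidNumber: 27

# Each client scopes its group lookups to its own subtree in /etc/ldap.conf.
# nss_ldap syntax is base?scope?filter; scope "one" returns only direct
# children of the base, so the posixGroup entries must sit directly under it.
#   server-1:  nss_base_group  ou=server-1,ou=Groups,dc=example,dc=com?one
#   server-2:  nss_base_group  ou=server-2,ou=Groups,dc=example,dc=com?one
```

With these bases, `id janaki` on server-1 lists the sudo group while on server-2 it does not, without touching the user's posixAccount entry. The gidNumber must match whatever group the host's sudoers rule actually refers to, otherwise the membership resolves but grants nothing.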

Janaki: As it is found that posixGroups do not support the member and memberOf overlays, we have to use groups of type groupOfNames for representing each host machine. As we mentioned, the nss_base_passwd filter in the client host machine for checking using the memberOf group is working. Now a user is permitted to log in only if his uid is added (in the LDAP server) to the group tested by the nss_base_passwd filter in the client host machine.
Janaki: But you mention a method of using posixGroups and the nss_base_group filter to do the same. Can you help with an example nss_base_group filter for this?
Janaki: You say "Another thing that I might suggest is to use the pam_ldap module to authenticate users and set their group membership based on the LDAP server settings when they log in."... We are looking for a solution where the LDAP server returns different posixGroup memberships for the same user when he is trying to log in from different host machines. Can this be done with the pam_ldap module method you mentioned? If so, kindly help with an example and more details on how to do this and how this works, including what/how to do in the LDAP server.
Pip Lark: @Janaki Hi, I have updated my original solution to answer your questions.