I'm trying to configure a system where users can only log in if they belong to both Group A and Group B. We've been using access.conf to manage access, but it seems that it doesn't allow for checking if a user is part of both groups simultaneously. I'm concerned about the complexity of running a script for each login attempt and struggling with how to set the syntax to perform this check properly. Are there any simpler or better methods to achieve this?
4 Answers
Honestly, going with LDAP would be the best approach for Linux systems. It'll save you a lot of hassle in the long run if you need this setup.
I haven't tested this myself, but could you use an EXCEPT condition in access.conf? Essentially, you'd be looking at a logic where you deny access to anyone not in both groups.
While LDAP is the ideal solution, if that's not an option for you, I think you could manage this with PAM modules. Specifically, pam_succeed_if can check if a user belongs to the required groups. It might take a bit more effort, but it should work.
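One way to express the pam_succeed_if approach from the answer above, as an added example that is not part of the original answer. The service file `/etc/pam.d/sshd` and the group names `groupA` and `groupB` are assumptions; substitute your own.

```conf
# /etc/pam.d/sshd  (assumed target; use the PAM file of the service you gate)
#
# Put these lines at the top of the account stack so an earlier
# "sufficient" line cannot short-circuit them.
#
# Each "required" line must succeed for the stack to succeed, so two
# lines give a logical AND: the user must be in groupA and in groupB.
# Group lookups go through NSS, so local and directory groups both count.

# Optional: exempt root by skipping the next two lines when uid is 0.
# account  [success=2 default=ignore]  pam_succeed_if.so uid eq 0 quiet

account  required  pam_succeed_if.so user ingroup groupA quiet_success
account  required  pam_succeed_if.so user ingroup groupB quiet_success

# ... the distribution's existing account lines follow unchanged ...
```

For SSH this only takes effect when `UsePAM yes` is set in sshd_config. The check applies to every account that logs in through this service, so keep an existing root session open while testing.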
Have you considered using OpenLDAP? You can construct your authentication query like this: (&(memberOf=groupA)(memberOf=groupB)). If you're dealing with logins to hosts, FreeIPA might also be worth checking out.