Restrict ssh login from LDAP to users who have a /home directory

Tags: active-directory, chroot, ldap, pam, security

I have an Apache server (RHEL 6) hosting multiple user web pages which currently is connected to my Active Directory environment to authenticate users. The server is used to automatically host content the users put in their /home/<user>/public_html folder. I am also configuring this server to use chroot so the users will not be able to browse any other content on the server outside of their home folder. The login scripts do not create a home folder for the users. Those are created manually because we only want certain users to be able to host web pages from this server.

The problem is, any user is currently able to log into the server and instead of going to their /home folder (because it doesn't exist) they automatically go into /. This gives them access to view any files/folders on the server their group has read access to. This is a security concern and I'd like to restrict logins to users who have a /home directory.
We don't want to specify an AD group or list of users as authenticated because that list may get quite long and be difficult to manage although it may be easier than writing a PAM module.

Is there a way to restrict LDAP logins to only users who already have a /home directory? I am not finding anything in the PAM options or documentation.

Best Answer

Because the management of access would require a lot of workarounds on the local host, we decided just to create a group in Active Directory and restrict logins to users in that group.

This can be done by editing the /etc/security/pam_winbind.conf file and setting the following field to the SIDs of the groups or users we want to restrict access to (comma separated).

require_membership_of=

We then will filter our chroot restrictions to that group (or put the users to a local group) to restrict their sftp access to their own home directories. This will also allow us to add the oddjobs mkhomedir back to pam and then to allow access to the server we just have to add the user to that group. They can then log in and their home dir will be created automatically.

Thanks everyone for the help/ideas but it looks like AD groups will be the easiest to manage after all.
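As an added illustration (not part of the original post), the three pieces the accepted answer combines, in the order a login passes through them: the pam_winbind.conf restriction with the weak (empty) setting beside the corrected one, the session line that recreates the home directory, and an sshd Match block that confines that group to SFTP inside their own homes. The group SID S-1-5-21-0-0-0-1234 and the group name EXAMPLE\webhosters are placeholders, not real values.

```ini
# /etc/security/pam_winbind.conf
[global]
# Weak setting: an empty value restricts nothing, so any AD user that
# authenticates can log in and lands in / when no home directory exists.
# require_membership_of=

# Corrected: only members of the listed group(s) pass pam_winbind.
# Values may be SIDs or names, comma separated (placeholders below).
require_membership_of=S-1-5-21-0-0-0-1234
# Equivalent by name:
# require_membership_of=EXAMPLE\webhosters

# /etc/pam.d/system-auth (session stack) - re-added so that a user who
# passes the group check above gets /home/<user> on first login.
# Requires the oddjob-mkhomedir package and a running oddjobd.
# session     optional      pam_oddjob_mkhomedir.so umask=0077

# /etc/ssh/sshd_config (Match blocks must be the last lines in the file).
# The group name is the one winbind exposes to NSS, i.e. what
# `getent group` prints for the AD group.
# ChrootDirectory requires %h and every parent directory to be owned by
# root and not group/world writable, so the user-writable content lives
# in the public_html subdirectory rather than the home directory itself.
# Match Group webhosters
#     ChrootDirectory %h
#     ForceCommand internal-sftp
#     AllowTcpForwarding no
#     X11Forwarding no
```

After changing pam_winbind.conf, test with an account that is not in the group from a second session before closing the one you are editing from, since a mistyped SID locks everyone out.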
