{"id":4793,"date":"2019-11-21T00:02:49","date_gmt":"2019-11-20T21:02:49","guid":{"rendered":"https:\/\/kifarunix.com\/?p=4793"},"modified":"2024-03-12T23:12:42","modified_gmt":"2024-03-12T20:12:42","slug":"configure-openldap-host-based-authentication","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-openldap-host-based-authentication\/","title":{"rendered":"Configure OpenLDAP Host Based Authentication"},"content":{"rendered":"\n<p>How do you configure OpenLDAP host based authentication such that access is restricted based on host name of the computer being accessed and the user associated with the host name?<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#configuring-open-ldap-host-based-authentication\">Configuring OpenLDAP Host Based Authentication<\/a><ul><li><a href=\"#add-host-attribute-to-ldap-users\">Add host Attribute to LDAP users<\/a><\/li><li><a href=\"#restrict-access-to-client-based-on-host-attribute\">Restrict Access to Client Based on Host Attribute<\/a><\/li><li><a href=\"#testing-host-based-authentication\">Testing Host Based Authentication<\/a><\/li><li><a href=\"#configure-sssd-for-multiple-authentications\">Configure SSSD for Multiple Authentications<\/a><\/li><li><a href=\"#related-tutorials\">Related Tutorials;<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"configuring-open-ldap-host-based-authentication\">Configuring OpenLDAP Host Based Authentication<\/h2>\n\n\n\n<p class=\"has-drop-cap has-small-font-size\"><strong>Disclaimer<\/strong>: This guide is based on the configurations I made on my OpenLDAP server to get the host based authentication with SSSD to work. Can&#8217;t guarantee it will work for you.<\/p>\n\n\n\n<p>Before you can proceed with this guide, we assume that you already have an OpenLDAP server set up and running. 
You can as well follow the link below to set up an OpenLDAP server on Linux.<\/p>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-setup-openldap-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup OpenLDAP on Linux<\/a><\/p>\n\n\n\n<p>Well, you might have tried adding the host attribute to a user account with <code><strong>inetOrgPerson objectclass<\/strong><\/code> set but in vain. There is another LDAP objectclass called <strong><code>account ObjectClass<\/code><\/strong> which enables you to define entries representing computer accounts, including the host attribute. You can confirm if your LDAP server includes this objectclass by querying the subschema entries.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapsearch -H ldapi:\/\/\/ -Y EXTERNAL -s base -b \"cn=subschema\" objectclasses<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>...\nobjectClasses: ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL MUST userid MAY ( description $ seeAlso $ localityName $ organizationName $ or ganizationalUnitName $ host ) )\n...\n<\/code><\/pre>\n\n\n\n<p>Well, as you can see from the output above, <strong><code>account ObjectClass<\/code><\/strong> requires that when you use it to define an entry, the entry MUST have a <code>userid<\/code> attribute and may optionally have the attributes description, seeAlso, localityName, organizationName, organizationalUnitName and <strong><code>host<\/code><\/strong>.<\/p>\n\n\n\n<p>The account objectclass is usually provided by the <code>cosine.schema<\/code>.<\/p>\n\n\n\n<p>Read more on <a href=\"https:\/\/www.zytrax.com\/books\/ldap\/ch3\/#overview\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"LDAP Schemas, objectClasses and Attributes (opens in a new tab)\">LDAP Schemas, objectClasses and Attributes<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"add-host-attribute-to-ldap-users\">Add host Attribute to LDAP users<\/h3>\n\n\n\n<p>You can 
only add the host attribute to users with <strong><code>account ObjectClass<\/code><\/strong> set. If you try to add the host attribute to users with <strong><code>inetOrgPerson objectclass<\/code><\/strong>, you might get an error like;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldap_modify: Object class violation (65)\n\tadditional info: attribute 'host' not allowed<\/pre>\n\n\n\n<p>In such a case, simply create another LDAP user account with <strong><code>account ObjectClass<\/code><\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">vim new-user.ldif<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>dn: uid=june,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\n<strong>objectClass: account<\/strong>\nobjectClass: posixAccount\nobjectClass: shadowAccount\nuid: june\ncn: june\n<strong>host: june.kifarunix-demo.com<\/strong>\nloginShell: \/bin\/bash\nuidNumber: 10050\ngidNumber: 10050\nhomeDirectory: \/home\/june\nshadowMax: 60\nshadowMin: 1\nshadowWarning: 7\nshadowInactive: 7\nshadowLastChange: 0\n\ndn: cn=june,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: posixGroup\ncn: june\ngidNumber: 10050\nmemberUid: june\n<\/code><\/pre>\n\n\n\n<p>Note the highlighted lines.<\/p>\n\n\n\n<p>Add the user to the LDAP database.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f new-user.ldif<\/pre>\n\n\n\n<p>If you already have a user with account objectClass defined, you can simply add the host attribute. 
Create an LDIF file to modify the user&#8217;s attributes.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">vim edit-user.ldif<\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: uid=june,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nchangetype: modify\nadd: host\nhost: june.kifarunix-demo.com<\/code><\/pre>\n\n\n\n<p>Update the LDAP database.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f edit-user.ldif<\/code><\/pre>\n\n\n\n<p>What if an existing user entry does not have the <strong>account<\/strong> objectclass defined?<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapsearch -Y EXTERNAL -H ldapi:\/\/\/ -b \"uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" -LLL -QQ<\/code><\/pre>\n\n\n\n<p>Or, to use the authenticated method;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapsearch -x -D \"cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\" -W -H ldapi:\/\/\/ -b \"uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" -LLL<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\nuid: johndoe\ncn: John\nsn: Doe\nloginShell: \/bin\/bash\nuidNumber: 10000\ngidNumber: 10000\nhomeDirectory: \/home\/johndoe\nshadowMax: 60\nshadowMin: 1\nshadowWarning: 7\nshadowInactive: 7\nshadowLastChange: 0\n<\/code><\/pre>\n\n\n\n<p>Then delete the entry and create a new one that uses the account objectClass instead of the inetOrgPerson objectClass. 
At the same time, define the host attribute.<\/p>\n\n\n\n<p>Run the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/<\/code><\/pre>\n\n\n\n<p>then paste the following to remove this specific user DN;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nchangetype: delete<\/code><\/pre>\n\n\n\n<p>Then press ENTER twice and ctrl+d to stop the command.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>SASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\ndn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nchangetype: delete\n\ndeleting entry \"uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\"\n<\/code><\/pre>\n\n\n\n<p>Create the new user entry;<\/p>\n\n\n\n<p>Run the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/<\/code><\/pre>\n\n\n\n<p>then paste the following to add the user with the new object class and host attribute.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: account\nobjectClass: posixAccount\nobjectClass: shadowAccount\nuid: johndoe\ncn: johndoe\nhost: noble-numbat\nloginShell: \/bin\/bash\nuidNumber: 10000\ngidNumber: 10000\nhomeDirectory: \/home\/johndoe\nshadowMax: 60\nshadowMin: 1\nshadowWarning: 7\nshadowInactive: 7\nshadowLastChange: 0\n<\/code><\/pre>\n\n\n\n<p>Then press ENTER twice and ctrl+d to stop the command.<\/p>\n\n\n\n<p>Note that you can as well create the user using phpLDAPadmin.<\/p>\n\n\n\n<p>Log in to your phpLDAPadmin and click on <code>import<\/code>. 
Paste the user attributes defined above, as shown below, and click <strong>Proceed&gt;&gt;<\/strong> to create the user.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1288\" height=\"584\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/01\/new-user-host-att.png\" alt=\"phpLDAPadmin add user to openldap centos 8\" class=\"wp-image-4952\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/01\/new-user-host-att.png?v=1579625429 1288w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/01\/new-user-host-att-768x348.png?v=1579625429 768w\" sizes=\"(max-width: 1288px) 100vw, 1288px\" \/><\/figure>\n\n\n\n<p>If you did not add a user password while creating the user, you can set the password by clicking the user ID on the left pane and clicking <strong>Add new attribute<\/strong>. Select <strong>Password<\/strong> from the attributes drop-down.<\/p>\n\n\n\n<p>Enter your password and choose the hashing technique; <strong>ssha<\/strong> is selected by default.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1326\" height=\"585\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/01\/password.png\" alt=\"phpLDAPadmin set user password on CentOS 8\" class=\"wp-image-4953\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/01\/password.png?v=1579626694 1326w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/01\/password-768x339.png?v=1579626694 768w\" sizes=\"(max-width: 1326px) 100vw, 1326px\" \/><\/figure>\n\n\n\n<p>Scroll down and click <strong>Update object<\/strong> to save the password.<\/p>\n\n\n\n<p>Learn how to set up phpLDAPadmin on CentOS 8 by following the link below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-phpldapadmin-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Install phpLDAPadmin on CentOS 8<\/a><\/p>\n\n\n\n<h3 
class=\"wp-block-heading\" id=\"restrict-access-to-client-based-on-host-attribute\">Restrict Access to Client Based on Host Attribute<\/h3>\n\n\n\n<p>So you now have users that are bound to specific host systems. How can you set up your LDAP clients such that only specific users can log in to them?<\/p>\n\n\n\n<p>If you are using SSSD for authentication, set the <code><strong>access_provider<\/strong><\/code> to <code><strong>ldap<\/strong><\/code> and <strong><code>ldap_access_filter<\/code><\/strong> to <code>host=&lt;hostname&gt;<\/code> to enable SSSD host based authentication.<\/p>\n\n\n\n<p>See the example SSSD configuration file below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cat \/etc\/sssd\/sssd.conf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>[sssd]\nservices = nss, pam, sudo\nconfig_file_version = 2\ndomains = default\n\n[sudo]\n\n[nss]\n\n[pam]\noffline_credentials_expiration = 60\n\n[domain\/default]\nldap_id_use_start_tls = True\ncache_credentials = True\ndebug_level = 10\nldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com\nid_provider = ldap\nauth_provider = ldap\nchpass_provider = ldap\n<strong>access_provider = ldap<\/strong>\nldap_uri = ldaps:\/\/ldapmaster.kifarunix-demo.com:636\nldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nldap_default_authtok = P@ssWord\nldap_tls_reqcert = demand\nldap_tls_cacert = \/etc\/ssl\/certs\/cacert.crt\nldap_tls_cacertdir = \/etc\/ssl\/certs\nldap_search_timeout = 50\nldap_network_timeout = 60\n<strong>ldap_access_order = host\nldap_access_filter = host=june.kifarunix-demo.com<\/strong>\n<\/code><\/pre>\n\n\n\n<p>With <code>ldap_access_order = host<\/code>, SSSD evaluates the <code>host<\/code> attribute of the user entry against the client&#8217;s own hostname. This will therefore restrict access to a system whose hostname is set to <strong>june.kifarunix-demo.com<\/strong> to only a user that bears the host attribute <strong>june.kifarunix-demo.com<\/strong> on the LDAP server and nobody else.<\/p>\n\n\n\n<p>Therefore, authentication can only be successful if the server hostname matches the login user host 
attribute.<\/p>\n\n\n\n<p>Consult <code>man sssd.conf<\/code> and <code>man sssd-ldap<\/code> for the options used in the SSSD configuration above.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"testing-host-based-authentication\">Testing Host Based Authentication<\/h3>\n\n\n\n<p>Now, before we proceed, the hostname of our test client server is;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>hostnamectl<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>   Static hostname: <strong>wk01.kifarunix-demo.com<\/strong>\n         Icon name: computer-vm\n           Chassis: vm\n        Machine ID: 79625b6a4ce74de78bf9206aa0a1cc22\n           Boot ID: d9417032197e49f2a305e83caca14bd0\n    Virtualization: oracle\n  Operating System: Ubuntu 18.04.2 LTS\n            Kernel: Linux 4.18.0-15-generic\n      Architecture: x86-64\n<\/code><\/pre>\n\n\n\n<p>Now try to authenticate as june, whose host attribute, as defined on the LDAP server and in the SSSD config file, is june.kifarunix-demo.com.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -l june 192.168.56.160<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>june@192.168.56.160's password: <strong>password<\/strong>\nConnection to 192.168.56.160 closed by remote host.\nConnection to 192.168.56.160 closed.\n<\/code><\/pre>\n\n\n\n<p>Now, set the hostname of the system to <strong>june.kifarunix-demo.com<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hostnamectl set-hostname june.kifarunix-demo.com<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">hostnamectl<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>   Static hostname: june.kifarunix-demo.com\n         Icon name: computer-vm\n           Chassis: vm\n        Machine ID: 79625b6a4ce74de78bf9206aa0a1cc22\n           Boot ID: d9417032197e49f2a305e83caca14bd0\n    Virtualization: oracle\n  Operating System: Ubuntu 18.04.2 LTS\n            Kernel: Linux 4.18.0-15-generic\n      Architecture: x86-64\n<\/code><\/pre>\n\n\n\n<p>After that, clear SSSD 
cache.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl stop sssd;rm -rf \/var\/lib\/sss\/db\/*;systemctl restart sssd<\/pre>\n\n\n\n<p>Next, try to authenticate as june;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -l june 192.168.56.160<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>june@192.168.56.160's password: \nWelcome to Ubuntu 18.04.2 LTS (GNU\/Linux 4.18.0-15-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n\n * Canonical Livepatch is available for installation.\n   - Reduce system reboots and improve kernel security. Activate at:\n     https:\/\/ubuntu.com\/livepatch\n\n451 packages can be updated.\n224 updates are security updates.\n\nYour Hardware Enablement Stack (HWE) is supported until April 2023.\nLast login: Tue Jan 21 20:24:21 2020 from 192.168.56.1\njune@june:~$ <strong>hostname\njune.kifarunix-demo.com<\/strong>\n<\/code><\/pre>\n\n\n\n<p>You can check how to configure SSSD for LDAP Authentication by following the links below;<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/configure-sssd-for-openldap-authentication-on-centos-8\/\" target=\"_blank\">Configure SSSD for OpenLDAP Authentication on CentOS 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-sssd-for-openldap-authentication-on-ubuntu-18-04\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Configure SSSD for OpenLDAP Authentication on Ubuntu 18.04<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-sssd-for-openldap-client-authentication-on-debian-10-9\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Configure SSSD for OpenLDAP Client Authentication on Debian 10\/9<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-sssd-for-multiple-authentications\">Configure SSSD 
for Multiple Authentications<\/h3>\n\n\n\n<p>SSSD can be configured to allow multiple authentications to the client based on their SSSD configuration parameters. By default, SSSD reads the main configuration file, <code>\/etc\/sssd\/sssd.conf<\/code> and all&nbsp;<code>*.conf<\/code>&nbsp;files in the&nbsp;<code>\/etc\/sssd\/conf.d\/<\/code>&nbsp;directory. The <code>*.conf<\/code>&nbsp;files in&nbsp;<code>\/etc\/sssd\/conf.d\/<\/code> are read in alphabetical order. However, if the same parameters are defined in more than one configuration file, SSSD will default to the parameters read last.<\/p>\n\n\n\n<p>Suppose you want to connect to an OpenLDAP client as a specific user using the host attribute while at the same time you need to connect as another user. For example, if you have a group of users that need to connect and there is also another user who can only connect using the host attribute, you would simply add an access filter as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>[sssd]\nservices = nss, pam, sudo\nconfig_file_version = 2\ndomains = default\n\n[sudo]\n\n[nss]\n\n[pam]\noffline_credentials_expiration = 60\n\n[domain\/default]\nldap_id_use_start_tls = True\ncache_credentials = True\ndebug_level = 10\nldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com\nid_provider = ldap\nauth_provider = ldap\nchpass_provider = ldap\n<strong>access_provider = ldap<\/strong>\nldap_uri = ldaps:\/\/ldapmaster.kifarunix-demo.com:636\nldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nldap_default_authtok = P@ssWord\nldap_tls_reqcert = demand\nldap_tls_cacert = \/etc\/ssl\/certs\/cacert.crt\nldap_tls_cacertdir = \/etc\/ssl\/certs\nldap_search_timeout = 50\nldap_network_timeout = 60<strong>\nldap_access_filter = (|(memberOf=cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com)(host=june.kifarunix-demo.com))<\/strong><\/code><\/pre>\n\n\n\n<p>This filter will allow any member of the admins group 
or the user associated with the defined host attribute, <strong>june.kifarunix-demo.com<\/strong>, to log in to the system.<\/p>\n\n\n\n<p>For example, a user whose host attribute does not match the defined filter and who is not a member of the group defined in the SSSD config file will not be able to log in.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ssh -l johndoe 192.168.56.160\njohndoe@192.168.56.160's password: \nConnection to 192.168.56.160 closed by remote host.\nConnection to 192.168.56.160 closed.<\/code><\/pre>\n\n\n\n<p>Note that, unlike the configuration above where the hostname had to match the user&#8217;s host attribute, this will allow a user to log in irrespective of the hostname of the target system as long as the defined host attribute matches that of the user.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"related-tutorials\">Related Tutorials;<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-setup-freeipa-server-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Install and Setup FreeIPA Server on CentOS 8<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/how-to-install-freeipa-server-on-fedora-29-fedora-28-centos7\/\" target=\"_blank\">How to Install FreeIPA Server on Fedora 29\/Fedora 28\/CentOS 7<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/how-to-create-openldap-member-groups\/\" target=\"_blank\">How to Create OpenLDAP Member Groups<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-configure-openldap-server-on-debian-9-stretch\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Install and Configure OpenLDAP Server on Debian 9 Stretch<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>How do you configure OpenLDAP host based authentication such that access is restricted based on host name of the computer 
being accessed and the user<\/p>\n","protected":false},"author":1,"featured_media":9219,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1099],"tags":[1228,1231,1229],"class_list":["post-4793","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-directory-server","category-openldap","tag-host-attributes","tag-ldap-host-based-authentication","tag-sssd-mulitple-authentications","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4793"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=4793"}],"version-history":[{"count":11,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4793\/revisions"}],"predecessor-version":[{"id":21253,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4793\/revisions\/21253"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/9219"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=4793"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=4793"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=4793"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}