Is it possible to restrict login only to users who belong to a particular group?
I tried to use the following lines in sssd.conf, but it doesn't work:
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (gidNumber=900)
I accomplish this with the pam_access module and an appropriate access.conf file on my Red Hat flavored machines.
http://linux.die.net/man/8/pam_access
http://linux.die.net/man/5/access.conf
----- Original Message -----
From: "Enrico Morelli" morelli@cerm.unifi.it To: "General discussion list for the 389 Directory server project." 389-users@lists.fedoraproject.org Sent: Wednesday, April 27, 2016 8:21:00 AM Subject: [389-users] Login restrictions
--
Enrico Morelli System Administrator | Programmer | Web Developer
CERM - Polo Scientifico Via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY phone: +39 055 457 4269 fax: +39 055 457 4927
-- 389-users mailing list 389-users@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
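As an added example, not from the thread or from the pam_access project itself, the following Python models how pam_access walks /etc/security/access.conf, so a group-based policy of the kind Patrick describes can be previewed before the module is switched on. The policy text, the user names, the group memberships and the origin address are all constructed; only ALL, (group), bare names and exact origin names are modelled (no LOCAL, netgroups or netmask origins).

```python
# Added example, not code from the thread: a model of how pam_access evaluates
# /etc/security/access.conf, so a group-based login policy can be previewed
# before `account required pam_access.so` is enabled in the PAM stack.
# Group memberships, user names and the policy text below are constructed.

def _split_list(field):
    """Split 'a b EXCEPT c' into (included, excepted) token lists."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        return tokens[:cut], tokens[cut + 1:]
    return tokens, []


def parse_access_conf(text):
    """Return [(permission, (users, excepted), (origins, excepted))] rules,
    skipping comments and blank lines, in file order (order matters)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, _split_list(users), _split_list(origins)))
    return rules


def _user_matches(item, user, groups):
    """ALL, (group), or a bare name tried as a user and then as a group name."""
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return item[1:-1] in groups
    return item == user or item in groups


def _origin_matches(item, origin):
    """Only ALL and exact origin names are modelled (no LOCAL, no netmasks)."""
    return item == "ALL" or item == origin


def _list_matches(lst, matcher, *args):
    included, excepted = lst
    return any(matcher(i, *args) for i in included) and not any(
        matcher(e, *args) for e in excepted)


def access_decision(rules, user, groups, origin):
    """The first rule whose user list and origin list both match decides;
    if no rule matches, pam_access grants access."""
    for perm, users, origins in rules:
        if _list_matches(users, _user_matches, user, groups) and \
                _list_matches(origins, _origin_matches, origin):
            return perm == "+"
    return True


# Constructed policy: root and members of the directory group 'srvadmins'
# may log in from anywhere; everyone else is refused by the final catch-all.
ACCESS_CONF = """
+ : root : ALL
+ : (srvadmins) : ALL
- : ALL : ALL
"""

# Same policy written as a single EXCEPT rule.
ACCESS_CONF_EXCEPT = "- : ALL EXCEPT root (srvadmins) : ALL\n"

# Constructed group memberships, standing in for what `id <user>` would
# return once the group resolves through NSS (sssd or nss_ldap).
GROUPS = {"root": ["root"], "alice": ["srvadmins", "users"], "bob": ["users"]}


def check(user, policy=ACCESS_CONF, origin="10.0.0.5"):
    """Decide whether `user` may log in from `origin` under `policy`."""
    return access_decision(parse_access_conf(policy), user,
                           GROUPS.get(user, []), origin)


if __name__ == "__main__":
    for name in ("root", "alice", "bob", "mallory"):
        print(name, "allowed" if check(name) else "denied")
```

Two things the model makes visible that are easy to get wrong on a real box: the `- : ALL : ALL` line has to be last, because the first matching rule wins and a file with no matching rule allows the login; and the group only works if it resolves through NSS, so `getent group srvadmins` (or `id alice`) must show it on the client before pam_access can use it. The module also does nothing until it is in the account stack of the PAM service concerned (`account required pam_access.so`; on Red Hat systems `authconfig --enablepamaccess` adds it), so keep a second session open while testing to avoid locking yourself out.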
On Wed, 27 Apr 2016 08:24:46 -0500 (CDT) "Patrick M. Landry" patrick.landry@louisiana.edu wrote:
I accomplish this with the pam_access module and an appropriate access.conf file on my Red Hat flavored machines.
But it seems that it works using netgroups. Is there a way to configure a NIS group using the 389 console?
On Wed, 27 Apr 2016 08:24:46 -0500 (CDT) "Patrick M. Landry" patrick.landry@louisiana.edu wrote:
I accomplish this with the pam_access module and an appropriate access.conf file on my Red Hat flavored machines.
I find that my sssd.conf doesn't work on RHEL 5, but on RHEL 6 and 7 it works fine. I think that is because there isn't an sssd-ldap package under RHEL 5.
I think it might be simpler to use access_provider simple; see man sssd-simple:
[domain/example.com]
access_provider = simple
simple_allow_users = user1, user2
On Wed, 27 Apr 2016 17:44:22 -0000 "Lukas Slebodnik" lslebodn@fedoraproject.org wrote:
Could be, but I think I would lose the LDAP benefit. I have a lot of machines, and to avoid creating/removing users on each machine I installed 389ds. So if I have to add/remove users in simple_allow_users on each machine, I could just as well continue to use adduser. Or not?
Good morning.
It might be enlightening to define "a lot of machines." I have ~300 clients tied to a 3 node 389-ds cluster, with a few hundred accounts.
I've built access restrictions here on the basis of hostname and NSRole definitions. For Linux hosts using sssd, I have a filter expression in ldap_user_search_base that ends up something like:
ldap_user_search_base = ou=OU,dc=fq,dc=dn?sub?|(host=hostname)(nsrole=cn=Role1,ou=OU,dc=fq,dc=cn)...
I use a similar expression in /etc/ldap.conf for earlier versions, using nss_base_passwd (there is a difference in syntax.) As a side note, I'd started a few years back with the pam_filter call, and discovered that I was overrunning a buffer. My Linux kickstarts build these expressions for me automatically, and I've got scripts set up to extend as necessary. Similar filters work for both AIX and HP-UX.
With the exception of HP-UX (due to the way that filtering is implemented in the LDAP-UX client,) this does have the pleasant side effect of only showing users that are authorized for a particular server, not the entire list of accounts when running 'getent passwd' or the O/S equivalent.
Obviously, you can tailor the filtering expressions to search on arbitrary attributes.
adduser? Unless I'm missing something completely, that's only for local accounts.
Jeff Kalchik Systems Engineering Land O'Lakes
-----Original Message----- From: Enrico Morelli [mailto:morelli@cerm.unifi.it] Sent: Thursday, April 28, 2016 4:07 AM To: 389-users@lists.fedoraproject.org Subject: [389-users] Re: Login restrictions
On Thu, 28 Apr 2016 13:12:56 +0000 "Kalchik, Jeffery" JDKalchik@landolakes.com wrote:
Can you give me an ldap.conf example to filter logins? Because I have RedHat 5.x machines that don't use sssd, so I need another way to perform login restrictions.
adduser? Unless I'm missing something completely, that's only for local accounts.
Yes, of course. I wrote that in answer to the simple_allow_users suggestion.
Hrrrm..... my mistake. nss_base_passwd in /etc/ldap.conf does have nearly the same syntax as ldap_user_search_base in /etc/sssd/sssd.conf. I was thinking there was an additional level of parentheses or extension to the filter itself.
nss_base_passwd ou=OU,dc=fq,dc=dn?sub?|(host=hostname)(nsrole=cn=Role1,ou=OU,dc=fq,dc=cn)...
or
nss_base_passwd ou=OU,dc=fq,dc=dn?sub?|(host=hostname)(gidNumber=12345)...
You should be able to use any valid filter expression. Remember that there's another implied AND operation, so the effective test at login looks something like:
(&(uid=uidname)|(host=hostname)(gidNumber=12345)...)
We've very specifically gone to role based access rather than groups. Being able to attach multiple roles to a user gives us a lot of flexibility.
I don't recall making any PAM changes other than what auth_config applies. auth_config downloads and installs my CA certificate, & configures the majority of LDAP client stuff on EL5, EL6 and EL7 based systems, generally during kickstarts, but can work on appliances (assuming the vendor will allow you to make these sorts of changes.) Otherwise, it's a bit of filter configuration in /etc/sssd/sssd.conf or /etc/ldap.conf.
Jeff Kalchik Systems Engineering Land O'Lakes
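As an added example, not from the thread and not sssd's or nss_ldap's own code, the following Python is a strict RFC 4515 filter parser and evaluator that applies the effective "(&(uid=uidname)...)" test Jeff describes to a handful of constructed directory entries, so you can see which accounts a host-or-group filter (or the original poster's `ldap_access_filter = (gidNumber=900)`) would let in on a given host before rolling it out. The entries, host names and gidNumbers are made up. Note that Jeff's expressions as quoted above are truncated ("...") and show a bare leading `|` without enclosing parentheses; this example assumes the fully parenthesised form `(|(host=...)(gidNumber=...))`, and a strict parser rejects the bare form. Which form your client and server actually accept is worth confirming with `ldapsearch -x -b <base> -s sub '<filter>' uid` against the directory, since a malformed filter is refused with "Bad search filter".

```python
# Added example, not code from the thread: a strict RFC 4515 filter parser
# and evaluator, used to preview which directory entries an sssd.conf
# ldap_user_search_base / ldap.conf nss_base_passwd filter (or the original
# poster's ldap_access_filter) admits, by applying the effective
# "(&(uid=<login>)<filter>)" test to constructed sample entries.
# Attribute values, host names and gidNumbers below are made up.

def _parse(s, pos):
    """Parse one filter starting at s[pos]; return (node, next_pos).
    node is ('=', attr, value), ('&', [...]), ('|', [...]) or ('!', node)."""
    if pos >= len(s) or s[pos] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (pos, s))
    pos += 1
    if pos >= len(s):
        raise ValueError("unterminated filter %r" % s)
    if s[pos] in "&|":
        op, pos, children = s[pos], pos + 1, []
        while pos < len(s) and s[pos] == "(":
            child, pos = _parse(s, pos)
            children.append(child)
        node = (op, children)
    elif s[pos] == "!":
        child, pos = _parse(s, pos + 1)
        node = ("!", child)
    else:
        end = s.find(")", pos)
        if end < 0 or "=" not in s[pos:end]:
            raise ValueError("bad simple item at offset %d in %r" % (pos, s))
        attr, value = s[pos:end].split("=", 1)
        return ("=", attr.strip().lower(), value), end + 1
    if pos >= len(s) or s[pos] != ")":
        raise ValueError("expected ')' at offset %d in %r" % (pos, s))
    return node, pos + 1


def parse_filter(s):
    """Parse a complete filter string; trailing garbage is an error."""
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing data at offset %d in %r" % (pos, s))
    return node


def is_valid_filter(s):
    """True if `s` is a well-formed filter under this strict grammar."""
    try:
        parse_filter(s)
        return True
    except ValueError:
        return False


def matches(node, entry):
    """Evaluate a parsed filter against {attr: [values]} with lowercase
    attribute names (values compared case-insensitively, as caseIgnore
    attributes such as uid and host are)."""
    op = node[0]
    if op == "=":
        values = entry.get(node[1], [])
        if node[2] == "*":                      # presence test
            return bool(values)
        return any(v.lower() == node[2].lower() for v in values)
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    return not matches(node[1], entry)          # '!'


def effective_filter(uid, search_filter):
    """What the client actually sends: the user lookup ANDed with the
    configured filter, the '(&(uid=uidname)...)' shape described above."""
    return "(&(uid=%s)%s)" % (uid, search_filter)


def who_can_login(entries, search_filter):
    """uids of entries visible (hence able to log in) under search_filter."""
    allowed = []
    for entry in entries:
        entry = {k.lower(): v for k, v in entry.items()}
        for uid in entry.get("uid", []):
            if matches(parse_filter(effective_filter(uid, search_filter)), entry):
                allowed.append(uid)
    return sorted(allowed)


# Constructed entries, as the host web01 would evaluate them.
ENTRIES = [
    {"uid": ["alice"], "gidNumber": ["12345"], "host": ["db01"]},   # via gid
    {"uid": ["bob"], "gidNumber": ["500"], "host": ["web01"]},      # via host
    {"uid": ["carol"], "gidNumber": ["500"], "host": ["db01"]},     # neither
    {"uid": ["dave"], "gidNumber": ["900"], "host": ["db01"]},      # gid 900
]

# Fully parenthesised host-or-group expression; the form with a bare
# leading '|' is rejected by this strict parser (see is_valid_filter).
HOST_OR_GROUP = "(|(host=web01)(gidNumber=12345))"

if __name__ == "__main__":
    print(effective_filter("alice", HOST_OR_GROUP))
    print(who_can_login(ENTRIES, HOST_OR_GROUP))          # alice, bob
    print(who_can_login(ENTRIES, "(gidNumber=900)"))      # dave
    print(is_valid_filter("|(host=web01)(gidNumber=12345)"))
```

A search-base filter of this kind restricts which accounts the host can resolve at all (Jeff's `getent passwd` observation), which is why it blocks logins; it is still worth pairing it with an explicit access check such as `ldap_access_filter`, so that a user who is somehow resolvable is also refused at the PAM account stage.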