On Tue, Jul 29, 2014 at 02:48:06PM +0000, Sterling Sahaydak wrote:
>When you configured sssd.conf with the access_provider, what exactly
>were you trying to achieve? What are the expectations on who should be
>able to log in to the machine?
The point of the ldap_access_filter is that it's combined with the usual
user lookup filter:
(&(ldap_access_filter_value)(objectclass=posixAccount)(cn=username))
If you insist on using the ldap_access_filter, there needs to be a link
from the user to whatever group you want to restrict access as. So far I
only see a link the other way in your setup, since you're using the
RFC2307 schema with memberuid: $username attributes.
>*Trying to achieve: those users who have a sudoers role should be allowed to ssh.
>In SudoRole I have 'All' allowed for sudoCommand.
>By having the cn=allowedusers in ou=Groups, I can add users from
>ou=Employees and assign the attribute memberUid in allowedusers to the list of
>users with sudo rights.
But still, sounds like you should be fine restricting access to members of
allowedusers with the simple access provider.
>FYI - ldapsearch works in retrieving everything correctly as needed.
------ Original Message ------
From: "Jakub Hrozek" <jhrozek(a)redhat.com>
To: sssd-devel(a)lists.fedorahosted.org
Sent: 7/29/2014 10:37:46 AM
Subject: Re: [SSSD] Trying to ssh with sssd/pam configuration
>On Tue, Jul 29, 2014 at 01:53:17PM +0000, Sterling Sahaydak wrote:
>> Hi Jakub,
>>
>> I'm not sure if simple access is what I need.
>>
>> I have setup in LDAP:
>>
>> cn=allowedusers, ou=Groups
>> - using attribute: memberUid - and adding the users uid here.
>
>OK
>
>>
>> ou=Employees, ou=People
>> - in Employees have users with objectClass: inetOrgPerson, posixAccount
>
>OK
>
>>
>> ou=sudoers
>> - here have objectClass: sudoRole and creating cn= <username from Employees>
>> and sudoUser = <username>
>
>sudo has nothing to do with access control.
>
>>
>> and also have a LDAP Proxy to Active Directory:
>> (*Note: for now, I'm commenting this section out and not connecting, but
>> need to consider this to activate later)
>> - using this setup in slapd.conf:
>> database ldap
>> suffix "ou=Users,ou=adgroup,dc=ad,dc=something,dc=net"
>> uri ldap://ad1.something.net/
>> rebind-as-user
>> idassert-bind bindmethod=simple
>> binddn="cn=bindingacctname,ou=users,ou=adgroup,dc=ad,dc=something,dc=net"
>> credentials="<password>"
>> mode=none
>> idassert-authzFrom "*"
>> chase-referrals yes
>> subordinate
>>
>> So, not sure if simple binding would be correct thing to do???
>
>Again, not directly connected to access control.
>
>When you configured sssd.conf with the access_provider, what exactly
>were you trying to achieve? What are the expectations on who should be
>able to log in to the machine?
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
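An added sssd.conf fragment (not from the thread or the poster's setup) that implements the suggestion above: restrict logins to members of cn=allowedusers with the simple access provider, because the RFC2307 memberUid link points from the group to the user and the ldap_access_filter is only ANDed with the user's own entry. The base DN dc=example,dc=com and the server name ldap.example.com are assumptions; the group and OU names come from the thread.

```ini
# Added example, not the poster's config. Assumed: base DN dc=example,dc=com
# and server ldap.example.com; cn=allowedusers, ou=Groups and
# ou=Employees,ou=People are taken from the thread.
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com/
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=Employees,ou=People,dc=example,dc=com
ldap_group_search_base = ou=Groups,dc=example,dc=com
# RFC2307: membership lives on the group entry (memberUid), not on the user.
ldap_schema = rfc2307

# Access control: SSSD resolves the group's memberUid list itself, so the
# group -> user link that exists in this directory is sufficient.
access_provider = simple
simple_allow_groups = allowedusers

# What would NOT work with this schema: an LDAP access filter that needs a
# user -> group attribute. The filter is ANDed with the user's own entry,
# and an inetOrgPerson/posixAccount entry has no memberOf here, so the
# combined search never matches and every login is denied.
#access_provider = ldap
#ldap_access_filter = (memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com)
```

Before relying on the group, confirm that SSSD can resolve it (for example `getent group allowedusers` should list the memberUid users); if the group does not resolve, simple_allow_groups will deny everyone.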