Thanks again Jakub for replying.
Looking into the documentation I see: (I know you know this by heart)
http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/chap-...
*As you mentioned for the 'Simple Access Provider' - I would need to provide
a list of 'simple_allow_users = ' and manually update this frequently, which
is what I'm trying to avoid.
So, looking into:
8.2.3.2.3.2. The LDAP Access Provider -
The second access control solution uses the LDAP server itself as the access
provider (access_provider=ldap) and the associated filter option
(ldap_access_filter) to specify which users are granted access to the
specified host. Note that these two options are codependent; if you use LDAP
as your access provider then you must specify a value for the
ldap_access_filter option, otherwise all users will be denied access...
This is what I have:
[domain/LDAP]
access_provider = ldap
auth_provider = ldap
chpass_provider = ldap
id_provider = ldap
sudo_provider = ldap
debug_level = 7
cache_credentials = true
enumerate = false
ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=something,dc=net
This would work if your users have the memberof attribute. Do they?
ldap_search_base = dc=something,dc=net
ldap_sudo_search_base = ou=sudoers,dc=something,dc=net
I have commented out:
#ldap_user_search_base = ou=Employees,dc=something,dc=net
#ldap_group_search_base = ou=Groups,dc=something,dc=net
Do I need to add these 2 lines back in? (* you mention below:
ldap_access_filter is that it's combined with the usual user lookup filter)
Or change?
ldap_access_filter =
(&(ldap_access_filter_value)(objectclass=posixAccount)(cn=username))
Thanks!!!
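As an added illustration (not code from the thread or from SSSD), the script below models the combined filter Jakub describes, (&(ldap_access_filter)(objectclass=posixAccount)(cn=username)), and evaluates it against two constructed user entries: one carrying a memberOf attribute, one listed only via memberUid on the group. The group DN and user names are made up; the evaluator handles only AND-of-equality filters.

```python
import re

# Access filter as written in the sssd.conf above (value without parentheses).
ACCESS_FILTER = "memberOf=cn=allowedusers,ou=Groups,dc=something,dc=net"
GROUP_DN = "cn=allowedusers,ou=Groups,dc=something,dc=net"

# Constructed sample directory. alice has memberOf on her own entry; bob is
# only referenced from the group's memberUid (plain RFC2307), which the
# access filter never looks at because it is applied to the user entry.
USERS = {
    "alice": {"objectclass": ["inetOrgPerson", "posixAccount"],
              "cn": ["alice"], "uid": ["alice"], "memberof": [GROUP_DN]},
    "bob": {"objectclass": ["inetOrgPerson", "posixAccount"],
            "cn": ["bob"], "uid": ["bob"]},
}
GROUPS = {GROUP_DN: {"memberuid": ["alice", "bob"]}}


def combined_filter(access_filter, username):
    """Filter SSSD effectively sends: access filter ANDed with user lookup."""
    af = access_filter if access_filter.startswith("(") else f"({access_filter})"
    return f"(&{af}(objectclass=posixAccount)(cn={username}))"


def matches(entry, filt):
    """Evaluate (&(attr=val)(attr=val)...) against one entry, case-insensitively."""
    m = re.fullmatch(r"\(&((?:\([^()]+\))+)\)", filt)
    if not m:
        raise ValueError("only (&(attr=val)...) filters are modelled: " + filt)
    for attr, val in re.findall(r"\(([^=()]+)=([^()]*)\)", m.group(1)):
        values = [v.lower() for v in entry.get(attr.lower(), [])]
        if val.lower() not in values:
            return False  # one failed assertion fails the whole AND
    return True


def access_granted(username, access_filter=ACCESS_FILTER):
    """True only if the user's own entry satisfies the combined filter."""
    entry = USERS.get(username)
    return entry is not None and matches(entry, combined_filter(access_filter, username))


if __name__ == "__main__":
    for user in USERS:
        in_group = user in GROUPS[GROUP_DN]["memberuid"]
        print(f"{user}: memberUid in group={in_group} ldap access={access_granted(user)}")
```

bob is in the group by memberUid yet is denied, which is exactly the one-way link Jakub points out; alice passes because the link exists on her user entry.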
------ Original Message ------
From: "Jakub Hrozek" <jhrozek(a)redhat.com>
To: sssd-devel(a)lists.fedorahosted.org
Sent: 7/30/2014 5:05:37 AM
Subject: Re: [SSSD] Trying to ssh with sssd/pam configuration
>On Tue, Jul 29, 2014 at 02:48:06PM +0000, Sterling Sahaydak wrote:
>> When you configured sssd.conf with the access_provider, what exactly
>> were you trying to achieve? What are the expectations on who should be
>> able to log in to the machine?
>
>The point of the ldap_access_filter is that it's combined with the usual
>user lookup filter:
>(&(ldap_access_filter_value)(objectclass=posixAccount)(cn=username))
>
>If you insist on using the ldap_access_filter, there needs to be a link
>from the user to whatever group you want to restrict access as. So far I
>only see a link the other way in your setup, since you're using the
>RFC2307 schema with memberuid: $username attributes.
>
>>
>> *Trying to achieve those users who have sudoers role be allowed to ssh.
>> In SudoRole I have 'All' allowed for sudoCommand.
>>
>> By having the cn=allowedusers in ou=Groups, I can add users from
>> ou=Employees and assign the attribute: memberUid in allowedusers the
>> list of
>> users sudo rights.
>
>But still, sounds like you should be fine restricting access to members of
>allowedusers with the simple access provider..
>
>>
>> FYI - ldapsearch works in retrieving everything correctly as needed.
>>
>>
>>
>> ------ Original Message ------
>> From: "Jakub Hrozek" <jhrozek(a)redhat.com>
>> To: sssd-devel(a)lists.fedorahosted.org
>> Sent: 7/29/2014 10:37:46 AM
>> Subject: Re: [SSSD] Trying to ssh with sssd/pam configuration
>>
>> >On Tue, Jul 29, 2014 at 01:53:17PM +0000, Sterling Sahaydak wrote:
>> >> Hi Jakub,
>> >>
>> >> I'm not sure if simple access is what I need.
>> >>
>> >> I have setup in LDAP:
>> >>
>> >> cn=allowedusers, ou=Groups
>> >> - using attribute: memberUid - and adding the users uid here.
>> >
>> >OK
>> >
>> >>
>> >> ou=Employees, ou=People
>> >> - in Employees have users with objectClass: inetOrgPerson,
>> >> posixAccount
>> >
>> >OK
>> >
>> >>
>> >> ou=sudoers
>> >> - here have objectClass: sudoRole and creating cn= <username from
>> >> Employees>
>> >> and sudoUser = <username>
>> >
>> >sudo has nothing to do with access control.
>> >
>> >>
>> >> and also have a LDAP Proxy to Active Directory:
>> >> (*Note: for now, I'm commenting this section out and not connecting,
>> >> but need to consider this to activate later)
>> >> - using this setup in slapd.conf:
>> >> database ldap
>> >> suffix "ou=Users,ou=adgroup,dc=ad,dc=something,dc=net"
>> >> uri ldap://ad1.something.net/
>> >> rebind-as-user
>> >> idassert-bind bindmethod=simple
>> >> binddn="cn=bindingacctname,ou=users,ou=adgroup,dc=ad,dc=something,dc=net"
>> >> credentials="<password>"
>> >> mode=none
>> >> idassert-authzFrom "*"
>> >> chase-referrals yes
>> >> subordinate
>> >>
>> >> So, not sure if simple binding would be correct thing to do???
>> >
>> >Again, not directly connected to access control.
>> >
>> >When you configured sssd.conf with the access_provider, what exactly
>> >were you trying to achieve? What are the expectations on who should be
>> >able to log in to the machine?
>>
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel