hi,
is there any variable substitution available in ldap_access_filter?
I'm (still) using posixGroup for user groups and I would like something like:
ldap_access_filter = (&(cn=sysadmins)(memberuid=$USER))
regards,
abosch
On Mon, May 07, 2012 at 01:41:35PM +0200, Angel Bosch wrote:
No, there is no variable substitution possible at the moment.
Depending on what you are trying to achieve (sounds to me like you wanted to only allow members of the sysadmin group?), would the simple access provider be a better choice?
> No, there is no variable substitution possible at the moment.
So do you plan to implement it? Should I file a bug?
> Depending on what you are trying to achieve (sounds to me like you wanted to only allow members of the sysadmin group?), would the simple access provider be a better choice?
For some machines this would be enough. Must I "stack" providers? Can you point me to an example using the ldap and simple providers?
regards,
abosch
On Mon, May 07, 2012 at 02:12:23PM +0200, Angel Bosch wrote:
>> No, there is no variable substitution possible at the moment.
> so do you plan to implement it? should I file a bug?
Feel free to file an RFE, although in the case you are trying to solve it wouldn't help you anyway, and I'm not sure if it's useful in general.
The ldap_access_filter is ANDed with a "base filter" inside the SSSD, which looks something like this, depending on your schema: (cn=$username)(objectclass=posixUser)
Then the SSSD performs a search with the complete filter and allows access only if the search yields a single result.
In your specific case, the complete filter would look something like this: (&((cn=$username)(objectclass=posixUser)(&(cn=sysadmins)(memberuid=$USER)))), which wouldn't do what you seem to want, i.e. only allow members of the sysadmins group.
Unfortunately if you're using the RFC2307 schema, there is no simple way to create a filter that would point to a specific group.
>> Depending on what you are trying to achieve (sounds to me like you wanted to only allow members of the sysadmin group?), would the simple access provider be a better choice?
> for some machines this would be enough. must i "stack" providers? can you point me to an example using ldap and simple providers?
Providers cannot be stacked, sorry, there can only be one provider in a domain.
You can, however, define two domains that point to the same servers and differ by the access provider value only.
----- Original Message -----
From: "Jakub Hrozek" jhrozek@redhat.com To: sssd-devel@lists.fedorahosted.org Sent: Monday, 7 May 2012 14:42:39 Subject: Re: [SSSD] variable substitution in ldap_access_filter On Mon, May 07, 2012 at 02:12:23PM +0200, Angel Bosch wrote:
Sorry if this has been discussed before, I just landed in the SSSD world.
Why not make simple_allow_users|groups an option of any provider?
I know some providers have their own filtering mechanism, but it makes more sense to me to have a global allow|deny_users|groups option.
regards,
muzzol
On Mon, May 07, 2012 at 02:49:33PM +0200, Angel Bosch wrote:
I may have confused you, sorry. What I meant to say was that there can only be one provider type specified per provider. It's perfectly legal to have, say, id_provider=ldap, auth_provider=krb5 and access_provider=simple.
It's not supported to configure SSSD so that access_provider=ldap,simple etc.
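As an added illustration of the two-domain arrangement Jakub describes (one provider type per provider, two domains pointing at the same server that differ only in access_provider), here is an sssd.conf sketch that is not part of the thread; the server name, search base, CA path and group name are made-up placeholders:

```ini
# Added example sssd.conf, not from the thread. Hostnames, the search base,
# the CA bundle path and the group name are placeholders for your directory.
[sssd]
config_file_version = 2
services = nss, pam
# Assumption: each host lists only the domain it should use. Both domains
# below point at the same server and differ only in access_provider.
domains = example_ldap_admins

# Domain 1: ldap access provider. ldap_access_filter is ANDed with SSSD's own
# per-user base filter, so it can only test attributes on the user's entry;
# employeeType is only an illustrative attribute here.
[domain/example_ldap]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_access_order = filter
ldap_access_filter = (employeeType=admin)

# Domain 2: same server, but access is decided by the simple provider on
# posixGroup membership, which ldap_access_filter cannot express under RFC2307.
[domain/example_ldap_admins]
id_provider = ldap
auth_provider = ldap
access_provider = simple
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
simple_allow_groups = sysadmins
```

Only the domain named in `domains =` takes part in lookups and access control on a given host, so the ldap section stays inert on hosts that enable the simple one, and vice versa.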
On Mon, 2012-05-07 at 15:25 +0200, Jakub Hrozek wrote:
In the case of access_provider, I think this is probably worth changing. I can think of several examples where being able to use the ldap access provider and the simple access provider together would be very useful. I've opened an RFE on this: https://fedorahosted.org/sssd/ticket/1326
For the time being, I think that the ID, AUTH and CHPASS providers should remain single-valued, however.
Great! I'll subscribe to this ticket.
Thanks a lot for your time, Stephen. It's nice to see this project active and healthy.
regards,
abosch
On Mon, 2012-05-07 at 15:50 +0200, Angel Bosch wrote:
We do our best. I can't promise that this enhancement will land immediately, however. We have a lot on our plates for our 1.9.0 release, so this will likely wait for 1.10.0, unless someone (perhaps you!) would like to help get it done. I'd be happy to mentor anyone that wanted to work on the SSSD.
I'm overwhelmed by an imminent migration of our whole environment, but thanks for the offer.
I'll try to work around those limitations for now.
regards,
abosch
sssd-devel@lists.fedorahosted.org