Hi Stephen,
We are using sssd to authenticate against AD using Kerberos and LDAP. The idea is to filter users who are allowed to log in based on an LDAP filter. In the AD there are computer objects created with the same name as the hostname of the Linux client.
The filter must be something like this: if the computer object is a member of a group where the user is memberOf, then allow the user to log in.
So what we want is to authenticate Linux clients based on computer objects in the AD. (We are not using winbind.)
When using ldap_access_filter it's not possible to create such an LDAP query, nor with ldap_group_search_filter.
Is it possible with sssd to meet our requirements?
The following ldapsearch gives the right output:
ldapsearch -h test.local -s sub -x -b ",ou=Groups,dc=test,dc=local" "(&(member=cn=`hostname`,cn=Computers,dc=test,dc=local))"
Thanx and Regards
Thomas Jagt
IIRC nothing like this is possible at the moment. The only similar thing I can think of is using 'host' attribute on user object.
Jan
On Tue, 2011-11-01 at 08:42 +0100, Thomas Jagt wrote:
Hi Stephen,
We are using sssd to authenticate against AD using Kerberos and LDAP. The idea is to filter users who are allowed to log in based on an LDAP filter. In the AD there are computer objects created with the same name as the hostname of the Linux client.
The filter must be something like this: if the computer object is a member of a group where the user is memberOf, then allow the user to log in.
So what we want is to authenticate Linux clients based on computer objects in the AD. (We are not using winbind.)
When using ldap_access_filter it's not possible to create such an LDAP query, nor with ldap_group_search_filter.
Is it possible with sssd to meet our requirements?
The following ldapsearch gives the right output:
ldapsearch -h test.local -s sub -x -b ",ou=Groups,dc=test,dc=local" "(&(member=cn=`hostname`,cn=Computers,dc=test,dc=local))"
The way the ldap_access_filter works is that it always adds whatever the provided filter is to (&(uid=login_user,USER_SEARCH_BASE)(...)) so that it's always testing the user entry.
So if you create a filter (member=cn=`hostname`,cn=Computers,dc=test,dc=local)
it becomes internally:
(&(uid=login_user,USER_SEARCH_BASE)(member=cn=`hostname`,cn=Computers,dc=test,dc=local))
I'm not sure there's any way to accomplish what you're trying to do, which is to get a list of the user's groups and then check whether any of them contains the member=hostname entry. We could possibly change the ldap_access_filter command to be a completely generic search, but the problem with that approach is figuring out how to specify the username or the user's groups during the search. Username would be easy, we could make it a template, but telling it to search the user's groups would be very complicated, since we can't know at the time of filter creation how many there would be.
I'm willing to entertain suggestions on how to enable this in such a way that a human being would be able to create the filter.
The other option is that I could help walk you through creating your own access_provider plugin for SSSD. (It's not a documented process because it has to be done in-tree at the moment). But this way, you could craft one to your specific needs.
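An added illustration (not code from the thread or from SSSD) of the two points above: the admin's ldap_access_filter is only ever AND-ed with the lookup of the user entry, so a (member=<host>) clause is tested against an entry that has no member attribute, while the check Thomas wants needs a second lookup over the user's groups. The in-memory directory, user names, host name and DNs are constructed sample data.

```python
# Added example: models how sssd composes ldap_access_filter and why a
# "group contains this host" check needs a second lookup.
# Constructed in-memory directory: DN -> attributes (values as lists).
DIRECTORY = {
    "uid=alice,ou=Users,dc=test,dc=local": {
        "uid": ["alice"],
        "memberOf": ["cn=linux-admins,ou=Groups,dc=test,dc=local"],
    },
    "uid=bob,ou=Users,dc=test,dc=local": {
        "uid": ["bob"],
        "memberOf": ["cn=dba,ou=Groups,dc=test,dc=local"],
    },
    "cn=linux-admins,ou=Groups,dc=test,dc=local": {
        "member": ["cn=host01,cn=Computers,dc=test,dc=local",
                   "uid=alice,ou=Users,dc=test,dc=local"],
    },
    "cn=dba,ou=Groups,dc=test,dc=local": {
        "member": ["uid=bob,ou=Users,dc=test,dc=local"],
    },
}

USER_SEARCH_BASE = "ou=Users,dc=test,dc=local"  # assumed value


def effective_access_filter(login_user, custom_filter):
    """Filter sssd ends up evaluating: the configured ldap_access_filter
    AND-ed with the lookup of the logging-in user's own entry."""
    return "(&(uid=%s)%s)" % (login_user, custom_filter)


def matches(entry, attr, value):
    return value in entry.get(attr, [])


def user_entry_allows(login_user, host_dn):
    """Single-entry evaluation as ldap_access_filter does it: the
    (member=<host>) clause is tested on the user entry, which carries
    memberOf but no member attribute, so it can never match."""
    entry = DIRECTORY["uid=%s,%s" % (login_user, USER_SEARCH_BASE)]
    return matches(entry, "uid", login_user) and matches(entry, "member", host_dn)


def group_contains_host_allows(login_user, host_dn):
    """Two-step check the thread asks for: walk the user's memberOf groups
    and allow only if one of them lists the host's computer object."""
    entry = DIRECTORY["uid=%s,%s" % (login_user, USER_SEARCH_BASE)]
    for group_dn in entry.get("memberOf", []):
        if matches(DIRECTORY.get(group_dn, {}), "member", host_dn):
            return True
    return False
```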
Just a question: aren't netgroups supposed to do the same thing?
Ondrej
On 11/01/2011 01:33 PM, Stephen Gallagher wrote:
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
On Tue, 2011-11-01 at 13:36 +0100, Ondrej Valousek wrote:
Just a question: aren't netgroups supposed to do the same thing?
That's true. You can probably set up netgroups and use pam_access.so to accomplish this. I don't know anything about setting up netgroups on Active Directory, personally.
On 11/01/2011 01:38 PM, Stephen Gallagher wrote:
That's true. You can probably set up netgroups and use pam_access.so to accomplish this. I don't know anything about setting up netgroups on Active Directory, personally.
AD is (more or less) RFC 2307 friendly, so yes, it is possible to set up traditional netgroups in AD - I did not verify their functionality with sssd though. So if it was up to me, I would not rape sssd to provide some functionality if the same thing can be accomplished in a more standard Unix-ish way.
Ondrej
Thanx for the replies. I'll take a look at the solution with the netgroups, and probably think about another solution.
On Tue, 2011-11-01 at 13:36 +0100, Ondrej Valousek wrote: