On Wed, Nov 22, 2017 at 07:56:57PM +0000, Conwell, Nik wrote:
Hi all, I'm jumping in to using sssd-ad here at BU. I'm able
to domain join a CentOS7 and pull our AD entries successfully but am having troubles with
ad_access_filter to restrict access to a group.
Due to FERPA restrictions here, we can't query memberOf for random people via a
machine account, so things like:
ad_access_filter = (memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah)
won't work. I see from debug level 7 that this translates into a query like:
(&(sAMAccountName=nik)(objectclass=user)(memberOf=CN=group-of-admins,OU=Groups,OU=XYZ,DC=blah,DC=blah,DC=blah))
I've verified independently with ldapsearch that if I do this under the machine
account, I don't get anything back. Note that if this query was done in the context
of the user just logging in ("nik") then it would work since I have the privs to
see my own memberOf. But, I think (I guess) that the query is being done by SSSD-AD as
the machine account.
I've also played around with doing a filter like
"(&(objectCategory=group)(CN=group-of-admins))" which does actually return a
list of "member:" entries for an ldapsearch when using the machine account
privs. However, if I plug this into ad_access_filter, it's not allowing access I
think because of the (&sAMAccountName=…) being a query of a user object whereas the
group query is a group object and the filter isn't being satisfied. From looking at
the code I think it's not designed to handle being returned an object which has a list
of "member:" entries and looking for the user in that list. SMOP I guess :)
So, misc blathering aside, does anybody have any suggestions on how I should go about
restricting access to groups in cases where machine accounts aren't allowed access to
the memberOf information for users? Is there a way to get it via a group filter, or
should/could the memberOf query be done under the context and privs of the user accessing
it? (I guess that would have implications on caching though…)

Would:
access_provider = simple
simple_allow_groups = group-of-admins
do the trick for you?
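As an added illustration (not code from the thread or from SSSD), the following Python model shows why the two ad_access_filter attempts above fail under the machine account while a lookup of the group's member list succeeds. The directory contents, DNs and the simplified AND-of-equalities filter model are constructed assumptions; SSSD's real filter is the LDAP string shown in the debug output.

```python
from typing import Dict, Set

Entry = Dict[str, Set[str]]   # attribute name (lower-cased) -> values
Filter = Dict[str, str]       # simplified filter: AND of equality assertions

# Constructed sample DNs (assumed; OU layout follows the thread's example).
USER_DN = "CN=nik,OU=People,DC=blah,DC=blah,DC=blah"
GROUP_DN = "CN=group-of-admins,OU=Groups,OU=XYZ,DC=blah,DC=blah,DC=blah"

# Constructed directory: one user and one group. Attribute names are
# lower-cased because LDAP attribute names are case-insensitive.
DIRECTORY: Dict[str, Entry] = {
    USER_DN: {"objectclass": {"user"}, "samaccountname": {"nik"}, "memberof": {GROUP_DN}},
    GROUP_DN: {"objectcategory": {"group"}, "cn": {"group-of-admins"}, "member": {USER_DN}},
}

# Attributes the machine account may not read on user objects (the FERPA
# restriction in the thread). The user can still read them on its own entry.
HIDDEN_FROM_MACHINE = {"memberof"}

def visible_entry(dn: str, as_machine: bool) -> Entry:
    """Return an entry as the bind identity sees it (hidden attributes stripped)."""
    entry = DIRECTORY[dn]
    if not as_machine:
        return entry
    return {attr: vals for attr, vals in entry.items() if attr not in HIDDEN_FROM_MACHINE}

def matches(entry: Entry, flt: Filter) -> bool:
    """Evaluate an AND-of-equalities filter against a single entry."""
    return all(value in entry.get(attr.lower(), set()) for attr, value in flt.items())

def ad_access_filter_allows(flt: Filter, user_dn: str, as_machine: bool = True) -> bool:
    """Model of ad_access_filter: the configured filter is ANDed with
    (sAMAccountName=<user>)(objectclass=user) and evaluated against the
    logging-in user's own object, as the bind identity (machine account)."""
    sam = next(iter(DIRECTORY[user_dn]["samaccountname"]))
    full = {"sAMAccountName": sam, "objectclass": "user", **flt}
    return matches(visible_entry(user_dn, as_machine), full)

def group_member_allows(group_dn: str, user_dn: str) -> bool:
    """The check the thread asks about: read the group object (readable by the
    machine account) and look for the user's DN in its member list."""
    return user_dn in visible_entry(group_dn, as_machine=True).get("member", set())

if __name__ == "__main__":
    memberof_filter = {"memberOf": GROUP_DN}
    group_filter = {"objectCategory": "group", "CN": "group-of-admins"}
    print("memberOf filter as machine:", ad_access_filter_allows(memberof_filter, USER_DN))
    print("memberOf filter as user:   ", ad_access_filter_allows(memberof_filter, USER_DN, as_machine=False))
    print("group filter ANDed w/ user:", ad_access_filter_allows(group_filter, USER_DN))
    print("group member list check:   ", group_member_allows(GROUP_DN, USER_DN))
```

The group-filter case fails even though the group object is readable: the filter is evaluated against the user object, which carries no objectCategory=group, exactly as the thread suspects.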