Hi all, I'm jumping into using sssd-ad here at BU.  I'm able to domain-join a CentOS7 machine and pull our AD entries successfully, but am having trouble with ad_access_filter to restrict access to a group.

Due to FERPA restrictions here, we can't query memberOf for random people via a machine account, so things like:

ad_access_filter = (memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah)

won't work.  I see from debug level 7 that this translates into a query like:

(&(sAMAccountName=nik)(objectclass=user)(memberOf=CN=group-of-admins,OU=Groups,OU=XYZ,DC=blah,DC=blah,DC=blah))

I've verified independently with ldapsearch that if I do this under the machine account, I don't get anything back.  Note that if this query was done in the context of the user just logging in ("nik") then it would work since I have the privs to see my own memberOf.  But, I think (I guess) that the query is being done by SSSD-AD as the machine account.

I've also played around with doing a filter like "(&(objectCategory=group)(CN=group-of-admins))" which does actually return a list of "member:" entries for an ldapsearch when using the machine account privs.  However, if I plug this into ad_access_filter, it's not allowing access, I think because the (&sAMAccountName=…) is a query of a user object whereas the group query is a group object, so the filter isn't being satisfied.  From looking at the code I think it's not designed to handle being returned an object which has a list of "member:" entries and looking for the user in that list.  SMOP I guess :)

So, misc blathering aside, does anybody have any suggestions on how I should go about restricting access to groups in cases where machine accounts aren't allowed access to the memberOf information for users?  Is there a way to get it via a group filter, or should/could the memberOf query be done under the context and privs of the user accessing it?  (I guess that would have implications on caching though…)

Any ideas or suggestions on which direction I should go with this?  Thanks in advance.

Nik Conwell

Boston University

nik@bu.edu
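The following is an added example, not code from the post above and not SSSD's own implementation. It puts the two membership views from the thread side by side on constructed LDAP data: the user-object view (the user's memberOf attribute, which the machine account is not allowed to read) and the group-object view (the group's member list, which ldapsearch under the machine account does return). The filter-wrapping function reproduces the shape seen in the quoted debug output, (&(sAMAccountName=<user>)(objectclass=user)<ad_access_filter>), and is an assumption based on that output, not on SSSD's source. The LDIF text, the DNs and the user names are constructed for the example; the group-side check is the idea the post sketches, not something sssd-ad is documented to do.

```python
# Added example (not from the post, not SSSD code): the user-side memberOf
# check next to the group-side member check, run on constructed LDIF data.
import base64
import re


def ldap_escape(value):
    """RFC 4515 escaping for an assertion value placed inside a search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def wrap_access_filter(sam_account_name, access_filter):
    """Build the wrapped filter in the shape the debug-level-7 output in the
    post shows. Assumption: taken from that output, not from SSSD's source."""
    return "(&(sAMAccountName=%s)(objectclass=user)%s)" % (
        ldap_escape(sam_account_name), access_filter)


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, 'attr:: base64' lines, folded lines beginning with one space."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        entry = {}
        for line in lines:
            attr, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):         # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.strip().lower(), []).append(value)
        entries.append(entry)
    return entries


def normalize_dn(dn):
    """AD DNs compare case-insensitively and ignore whitespace around RDN
    separators, so 'cn=Nik, ou=People,...' must equal 'CN=nik,OU=People,...'."""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(p.strip().lower() for p in parts)


def find_entry(entries, dn):
    want = normalize_dn(dn)
    for entry in entries:
        if any(normalize_dn(d) == want for d in entry.get("dn", [])):
            return entry
    return None


def user_memberof(entries, user_dn):
    """User-object view: whatever memberOf values the searching account can see."""
    user = find_entry(entries, user_dn) or {}
    return {normalize_dn(m) for m in user.get("memberof", [])}


def group_members(entries, group_dn):
    """Group-object view: the group's own member attribute."""
    group = find_entry(entries, group_dn)
    if group is None or "group" not in [c.lower() for c in group.get("objectclass", [])]:
        return set()
    return {normalize_dn(m) for m in group.get("member", [])}


def user_in_group(entries, user_dn, group_dn):
    return normalize_dn(user_dn) in group_members(entries, group_dn)


GROUP_DN = "CN=group-of-admins,OU=Groups,OU=XYZ,DC=blah,DC=blah,DC=blah"
NIK_DN = "CN=nik,OU=People,OU=XYZ,DC=blah,DC=blah,DC=blah"
BOB_DN = "CN=bob,OU=People,OU=XYZ,DC=blah,DC=blah,DC=blah"

# Constructed LDIF: roughly what a machine account that may not read memberOf
# gets back. The group's member list is visible; the users carry no memberOf.
MACHINE_VIEW = """\
dn: CN=group-of-admins,OU=Groups,OU=XYZ,DC=blah,DC=blah,DC=blah
objectClass: top
objectClass: group
cn: group-of-admins
member: CN=nik,OU=People,OU=XYZ,DC=blah,DC=blah,DC=blah
member: CN=alice,OU=People,OU=XYZ,
 DC=blah,DC=blah,DC=blah

dn: CN=nik,OU=People,OU=XYZ,DC=blah,DC=blah,DC=blah
objectClass: user
sAMAccountName: nik

dn: CN=bob,OU=People,OU=XYZ,DC=blah,DC=blah,DC=blah
objectClass: user
sAMAccountName: bob
"""

if __name__ == "__main__":
    entries = parse_ldif(MACHINE_VIEW)
    print(wrap_access_filter("nik", "(memberOf=%s)" % GROUP_DN))
    print("memberOf visible for nik:", user_memberof(entries, NIK_DN))
    print("nik via group member list:", user_in_group(entries, NIK_DN, GROUP_DN))
    print("bob via group member list:", user_in_group(entries, BOB_DN, GROUP_DN))
```

Fed the machine-account view, the memberOf check for nik comes back empty while the group-side check finds him, which is the gap the post describes. Note that the group-side check only covers direct members; nested group membership would need the member lists of each nested group to be walked as well.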