Hello

I am new to sssd. I have setup a CentOS sssd (1.8.0) and
LDAP authentication. The LDAP stuff seems to work. I want
to restrict logins to users of certain netgroups. Usually
we do this with "compat" in /etc/nsswitch.conf and entries
like "+@groupname" in /etc/passwd.

Does this mechanism work with sssd? Right now I have:

passwd:     files sss
shadow:     files sss
group:      files sss

and it seems that all users from the users LDAP subtree could
login, "getent passwd" shows all LDAP users.

If I change this to

passwd:     compat
shadow:     compat
group:      compat
passwd_compat:  sss
group_compat:   sss

"getent passwd" only shows local users from the passwd file.


Configure sssd.conf:
ldap_netgroup_search_base = ou=Netgroup,dc=example,dc=com
Restart sssd
service sssd start

Append the following lines to the /etc/security/access.conf file. This will allow local root access, allow the sys_netgroup netgroup, and deny all others.

+:root:LOCAL
+:@sys_netgroup:ALL
-:ALL:ALL


Edit nsswitch.conf to look for authentication info in sssd. Remember to do this for passwd, shadow, group, and netgroup.

passwd: sss files
shadow: sss files
group: sss files
netgroup: sss

Regards

Arpit Tolani
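The reply above relies on pam_access reading /etc/security/access.conf and resolving the `@sys_netgroup` entry through the `netgroup: sss` line in nsswitch.conf. The following is an added example, not code from the thread or from sssd/pam_access: a small evaluator for the access.conf rule format that reimplements a subset of pam_access semantics (first matching rule wins; `ALL`, `LOCAL` and `@netgroup` keywords; no `EXCEPT` clauses). The netgroup membership table and the user/origin pairs are constructed for the demonstration and stand in for what sssd would return from `ldap_netgroup_search_base`. It shows why the trailing `-:ALL:ALL` line matters: without it, a user who matches no rule is permitted by default.

```python
"""Evaluator for the /etc/security/access.conf rule format used by pam_access.

Added example, not from the original thread or from pam_access itself. It
reimplements a subset of pam_access semantics: first matching rule decides,
ALL / LOCAL / @netgroup keywords, no EXCEPT clauses, no group matching.
Netgroup membership is a constructed in-memory map standing in for the
netgroups sssd would resolve via ldap_netgroup_search_base.
"""
from typing import Dict, List, Optional, Tuple

# The three rules from the reply above, embedded so the script runs offline.
ACCESS_CONF = """\
# allow local root, allow the sys_netgroup netgroup, deny all others
+:root:LOCAL
+:@sys_netgroup:ALL
-:ALL:ALL
"""

# Constructed netgroup data: name -> list of (host, user, domain) triples.
# An empty user field in a triple is a wildcard, as in NIS/LDAP netgroups.
NETGROUPS: Dict[str, List[Tuple[str, str, str]]] = {
    "sys_netgroup": [("", "alice", ""), ("", "bob", "")],
    "web_admins": [("", "carol", "")],
}

Rule = Tuple[bool, List[str], List[str]]  # (permit, user tokens, origin tokens)


def parse_access_conf(text: str) -> List[Rule]:
    """Parse 'permission:users:origins' lines; '#' starts a comment."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        permit, users, origins = parts
        rules.append((permit == "+",
                      users.replace(",", " ").split(),
                      origins.replace(",", " ").split()))
    return rules


def in_netgroup(name: str, user: str, netgroups: Dict[str, List[Tuple[str, str, str]]]) -> bool:
    """innetgr()-style check on the user field only (host/domain ignored)."""
    return any(triple[1] in ("", user) for triple in netgroups.get(name, []))


def user_matches(token: str, user: str, netgroups) -> bool:
    if token == "ALL":
        return True
    if token.startswith("@"):
        return in_netgroup(token[1:], user, netgroups)
    return token == user


def origin_matches(token: str, origin: str) -> bool:
    if token == "ALL":
        return True
    if token == "LOCAL":
        # Approximation of pam_access: LOCAL matches an origin that contains
        # no '.' or ':' (a tty name or an unqualified hostname), not an address.
        return "." not in origin and ":" not in origin
    return token == origin


def check_access(rules: List[Rule], user: str, origin: str, netgroups) -> Tuple[bool, Optional[int]]:
    """Return (allowed, index of the deciding rule).

    With no matching rule the result is (True, None): pam_access permits by
    default, which is why a final '-:ALL:ALL' line is needed to deny others.
    """
    for index, (permit, users, origins) in enumerate(rules):
        if any(user_matches(u, user, netgroups) for u in users) and \
           any(origin_matches(o, origin) for o in origins):
            return permit, index
    return True, None


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    for user, origin in [("root", "tty1"), ("root", "10.0.0.5"),
                         ("alice", "10.0.0.5"), ("carol", "tty1")]:
        allowed, idx = check_access(rules, user, origin, NETGROUPS)
        print(f"{user:6} from {origin:10} -> {'permit' if allowed else 'deny'} (rule {idx})")
    # Same rules without the deny-all line: carol falls through to the default permit.
    loose = parse_access_conf("+:root:LOCAL\n+:@sys_netgroup:ALL\n")
    print("carol without deny-all:", check_access(loose, "carol", "tty1", NETGROUPS))
```

Running it shows root permitted from a tty but denied from a remote address (the `LOCAL` restriction), `alice` permitted from anywhere through the netgroup, and `carol` denied only because the final catch-all rule is present.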