Thanks for the help. Would a similar solution be to set the
ldap_access_filter to (&(cn=unix team,…)(cn=server1access,...)) with the
server1access group containing the member's dn's? The reason I ask this
is so that we can avoid having to assign gidnumbers to these groups?
--
Greg Wojtak
Senior Unix Systems Engineer
Office: (313) 373-4306
Mobile: (734) 718-8472
On 5/9/13 9:38 AM, "Stephen Gallagher" <sgallagh(a)redhat.com> wrote:
On 05/09/2013 09:08 AM, Wojtak, Greg (Superfly) wrote:
> I'm trying to set up sssd with access_provider = ldap. I'm having
> a little trouble getting the ldap_access_filter working the way I
> want to.
>
> The way I want to do it is to create a Resource Group in AD that
> contains the Unix Team group and then whichever users need access
> to the system. So we'd have, say:
>
> cn=Server1AccessGroup,ou=Groups,…
>   member: cn=Unix Team,ou=Groups,…
>   member: cn=User A,…
>   member: cn=User B,…
>
>
> Is there a way to craft the ldap_access_filter based on the above
> such that the members of Unix Team and then the two users will be
> allowed access?
>
> As an ancillary question to this, I'd like some clarification of
> how ldap_access_filter works exactly. Is it simply that the user's
> DN who is trying to login needs to match a result of the query
> specified in the access filter line?
>
If you're basing access control entirely off of group membership, then
you would probably have better luck by doing:
access_provider = simple
simple_allow_groups = Server1AccessGroup
This assumes that Server1AccessGroup and "Unix Team" are both Posix
Groups (they have a GID assigned) and are visible when doing 'getent
group Server1AccessGroup'.
The way the access filter works is that it's ANDed with a lookup
string for the user. So it only works based on values that are present
in the *user* entry. So you could create a filter for the presence of
the memberOf=cn=Server1AccessGroup,ou=Groups,…
But the catch here is that AD has only one-level memberOf (it only
lists the direct parent, not any nested parents). Thus with Active
Directory it's probably better to use the simple_allow_groups method,
since that handles the nesting properly.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
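Stephen's point above, that ldap_access_filter is ANDed with the user lookup (so only memberOf values in the user's own entry count, and AD stores only the direct parent) while simple_allow_groups resolves nested membership, modelled as an added example that is not part of the thread; the directory entries, the uid attribute and the dc=example,dc=com suffix are constructed.

```python
# Constructed directory (not real data); dc=example,dc=com suffix is assumed.
GROUPS_OU = "ou=Groups,dc=example,dc=com"
USERS_OU = "ou=Users,dc=example,dc=com"
ACCESS_GROUP = f"cn=Server1AccessGroup,{GROUPS_OU}"
UNIX_TEAM = f"cn=Unix Team,{GROUPS_OU}"

# User entries as sssd's user lookup would return them. AD fills memberOf
# with the direct parent group only, so Greg carries only 'Unix Team'.
USERS = {
    f"cn=User A,{USERS_OU}": {"uid": "usera", "memberOf": [ACCESS_GROUP]},
    f"cn=User B,{USERS_OU}": {"uid": "userb", "memberOf": [ACCESS_GROUP]},
    f"cn=Greg,{USERS_OU}": {"uid": "greg", "memberOf": [UNIX_TEAM]},
    f"cn=Mallory,{USERS_OU}": {"uid": "mallory", "memberOf": []},
}

# Group entries with their direct 'member' values (the layout from the thread).
GROUPS = {
    ACCESS_GROUP: [UNIX_TEAM, f"cn=User A,{USERS_OU}", f"cn=User B,{USERS_OU}"],
    UNIX_TEAM: [f"cn=Greg,{USERS_OU}"],
}


def allowed_by_access_filter(uid, group_dn):
    """access_provider = ldap: ldap_access_filter is ANDed with the user
    lookup, so the effective query is (&(uid=<uid>)(memberOf=<group_dn>))
    and only values present in the user's own entry can match."""
    for entry in USERS.values():
        if entry["uid"] == uid and group_dn in entry["memberOf"]:
            return True
    return False


def allowed_by_simple_groups(uid, group_dn, seen=None):
    """access_provider = simple with simple_allow_groups: membership is
    resolved from the group's member list, expanding nested groups."""
    seen = set() if seen is None else seen
    if group_dn in seen:  # guard against membership cycles
        return False
    seen.add(group_dn)
    for member_dn in GROUPS.get(group_dn, []):
        if member_dn in GROUPS:  # nested group: recurse into it
            if allowed_by_simple_groups(uid, member_dn, seen):
                return True
        elif USERS.get(member_dn, {}).get("uid") == uid:
            return True
    return False
```

Greg (a Unix Team member) is rejected by the memberOf filter but allowed by nested group resolution; the two directly listed users pass either way, and a user in neither group passes neither.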