We are using SSSD for authentication using LDAP. And I filter the user access using *simple_allow_groups* as follows:
access_provider = simple
simple_allow_groups = Computer Admins
Is it possible to get a list of ONLY allowed users using *getent*?
There is an option enumeration, but this lists all users.
I am only interested in the allowed users.
What you may want to do is start limiting the search base for users and groups if you want to limit visibility. I proposed an RFE to make this easier in SSSD, but it is not something that has much focus at this point.
On 05/26/2017 02:47 PM, Ali, Saqib wrote:
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
The reason we want to get a list of "allowed" users is for Auditing. We have a system that goes out and checks allowed users on a system and cross-validates that against a central DB.
So we just need a way to get a list of users that would be allowed to login given the *simple_allow_groups* config in the sssd.conf file.
---- https://twitter.com/secure_UX
On Fri, May 26, 2017 at 12:00 PM, Striker Leggette striker@terranforge.com wrote:
It sounds like you may just want to modify the system so that when it audits, it knows to parse sssd.conf for allowed_users and allowed_groups. I am not sure of an easier way to do this.
On 05/26/2017 03:05 PM, Ali, Saqib wrote:
there has to be a better way than that :)
---- https://twitter.com/secure_UX
On Fri, May 26, 2017 at 12:09 PM, Striker Leggette striker@terranforge.com wrote:
On (26/05/17 14:34), Ali, Saqib wrote:
Sure, patches are welcome :-)
But there is a little bit better way than the simple access provider. You can set up rules on the server side:
* HBAC (host based access control) with freeIPA
* GPO with Active Directory
Then you needn't parse anything on the client side and auditing will be simpler.
LS
Hi Lukas,
We don't have freeipa. Is it possible to do host based access control using just ldap and sssd?
On May 27, 2017 1:23 AM, "Lukas Slebodnik" lslebodn@redhat.com wrote:
On (27/05/17 04:29), Ali, Saqib wrote:
HBAC is implemented only with access_provider ipa. GPO is implemented only with access_provider ad.
It is not possible to use them with plain ldap.
You might try to use pam_hbac https://github.com/jhrozek/pam_hbac, but it would still require "porting" the LDAP schema from freeIPA to your directory server. Maybe it would be simpler to migrate from LDAP -> freeIPA.
I gave you a few options and it is up to you to use the best approach. Maybe it would be simplest to write your own Python script which will parse sssd.conf and expand groups to a list of users :-)
LS
On Sat, May 27, 2017 at 07:30:29PM +0200, Lukas Slebodnik wrote:
This is currently the best approach: since the access checks are defined on the client side, the 'audit' also has to be done on the client side. But it may still be unreliable unless you make sure the configuration can actually resolve all group members.
Because the only way to expand a group to a list of members is 'getent group $groupname', and resolving the group takes the maximum LDAP group nesting into account, you need to make sure the clients can actually traverse the group nesting hierarchy.
The most reliable way is to try the access control while generating the report. If you have a list of usernames in your domain, you can just call into pam access. With the next SSSD release (or with rhel-7.4) you'd also be able to do that with a tool:
# sssctl user-checks admin -s su
user: admin
action: acct
service: su

SSSD nss user lookup result:
 - user name: admin
 - user id: 972400000
 - group id: 972400000
 - gecos: Administrator
 - home directory: /home/admin
 - shell: /bin/bash

SSSD InfoPipe user lookup result:
 - name: admin
 - uidNumber: 972400000
 - gidNumber: 972400000
 - gecos: Administrator
 - homeDirectory: /home/admin
 - loginShell: /bin/bash

testing pam_acct_mgmt

pam_acct_mgmt: Success   <--------- Here

PAM Environment:
 - no env -
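One way to implement the client-side audit that Lukas and Jakub describe above (parse sssd.conf, expand the simple provider's allow and deny groups through getent, then confirm the result per user), as an added example that is not code from this thread or from the SSSD project. It assumes the domain section uses access_provider = simple and that `getent group` shows the members the client can resolve; as Jakub warns, that depends on the client being able to traverse the group nesting, so the script reports any group that fails to resolve instead of silently shrinking the list, and it refuses to produce a list when no allow list is set (the simple provider then admits everyone). The sample sssd.conf, the group table and the `sssctl user-checks` excerpt are constructed; `sample_resolver` stands in for `getent group` so the script runs offline, while `getent_group_members` is the resolver you would use on a real host.

```python
"""Audit helper for the SSSD simple access provider (added example, not SSSD code).
Parses sssd.conf, expands allow/deny groups via `getent group`, and flags groups
the client cannot resolve; also parses the `sssctl user-checks` result line."""
import configparser
import re
import subprocess
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample sssd.conf; not a real deployment's file.
SAMPLE_SSSD_CONF = """
[sssd]
domains = example
services = nss, pam

[domain/example]
id_provider = ldap
access_provider = simple
simple_allow_groups = Computer Admins, Auditors
simple_allow_users = breakglass
simple_deny_users = svc-build
"""

# Constructed stand-in for what `getent group <name>` would return.
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "Computer Admins": ["alice", "bob", "svc-build"],
    "Auditors": ["carol", "bob"],
}

SIMPLE_KEYS = ("simple_allow_users", "simple_allow_groups",
               "simple_deny_users", "simple_deny_groups")

def _split_list(value: str) -> List[str]:
    """Split a comma-separated sssd.conf value into stripped, non-empty names."""
    return [item.strip() for item in value.split(",") if item.strip()]

def parse_simple_lists(conf_text: str, domain: str) -> Dict[str, List[str]]:
    """Return the simple provider's allow/deny lists for [domain/<domain>]."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    section = f"domain/{domain}"
    if not parser.has_section(section):
        raise ValueError(f"no [{section}] section in sssd.conf")
    if parser.get(section, "access_provider", fallback="").strip() != "simple":
        raise ValueError(f"[{section}] does not use access_provider = simple")
    return {key: _split_list(parser.get(section, key, fallback="")) for key in SIMPLE_KEYS}

def getent_group_members(group: str) -> Optional[List[str]]:
    """Members of `group` from `getent group`, or None if SSSD cannot resolve it."""
    proc = subprocess.run(["getent", "group", group], capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.strip():
        return None
    fields = proc.stdout.strip().split(":")  # name:passwd:gid:member1,member2,...
    return _split_list(fields[3]) if len(fields) >= 4 else []

def sample_resolver(group: str) -> Optional[List[str]]:
    """Offline resolver over the constructed SAMPLE_GROUPS table."""
    return SAMPLE_GROUPS.get(group)

def allowed_users(conf_text: str, domain: str,
                  resolve: Callable[[str], Optional[List[str]]] = getent_group_members,
                  ) -> Tuple[Set[str], List[str]]:
    """Users the simple provider would admit, plus groups that did not resolve.
    Deny lists win over allow lists; with no allow list the provider admits
    everyone, so there is no finite list to report."""
    lists = parse_simple_lists(conf_text, domain)
    if not (lists["simple_allow_users"] or lists["simple_allow_groups"]):
        raise ValueError("no simple_allow_* list configured: every user is admitted")
    unresolved: List[str] = []

    def expand(groups: List[str]) -> Set[str]:
        members: Set[str] = set()
        for group in groups:
            found = resolve(group)
            if found is None:
                unresolved.append(group)  # the audit must flag this, not ignore it
            else:
                members.update(found)
        return members

    allowed = set(lists["simple_allow_users"]) | expand(lists["simple_allow_groups"])
    denied = set(lists["simple_deny_users"]) | expand(lists["simple_deny_groups"])
    return allowed - denied, unresolved

# Constructed excerpt shaped like `sssctl user-checks admin -s su` output.
SAMPLE_USER_CHECKS_OUTPUT = "user: admin\naction: acct\nservice: su\n\n" \
    "testing pam_acct_mgmt\n\npam_acct_mgmt: Success\n\nPAM Environment:\n - no env -\n"

def pam_acct_mgmt_succeeded(output: str) -> bool:
    """True when an `sssctl user-checks` run reports 'pam_acct_mgmt: Success'."""
    match = re.search(r"^pam_acct_mgmt:\s*(.+?)\s*$", output, re.MULTILINE)
    return match is not None and match.group(1) == "Success"

if __name__ == "__main__":
    users, missing = allowed_users(SAMPLE_SSSD_CONF, "example", sample_resolver)
    print("allowed:", sorted(users), "unresolved groups:", missing)
    print("sample sssctl check passed:", pam_acct_mgmt_succeeded(SAMPLE_USER_CHECKS_OUTPUT))
```

On a real host you would read /etc/sssd/sssd.conf, call `allowed_users` with the default `getent_group_members` resolver, and treat a non-empty unresolved list as an audit failure rather than a partial result. Where `sssctl user-checks` is available, feeding its output for each candidate user through `pam_acct_mgmt_succeeded` gives the per-user confirmation Jakub recommends, since that path exercises the same account check PAM would.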