What about configuring sssd to make use of the POSIX attributes in AD and define those attributes only for people you want to allow in? Sound the easiest form to me. Ondrej -----Original Message----- From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Wojtak, Greg (Superfly) Sent: Thursday, May 09, 2013 3:09 PM To: End-user discussions about the System Security Services Daemon Subject: [SSSD-users] Nested Groups in ldap_access_filter? I'm trying to set up sssd with access_provider = ldap. I'm having a little trouble getting the ldap_access_filter working the way I want to. The way I want to do it is to create a Resource Group in AD that contains the Unix Team group and then whichever users need access to the system. So we'd have, say: cn=Server1AccessGroup,ou=Groups,Š. member: cn=Unix Team,ou=Groups,Š member: cn=User A,Š member: cn=User B,Š Is there a way to craft the ldap_access_filter based on the above such that the members of Unix Team and then the two users will be allowed access? As an ancillary question to this, I'd like some clarification of how ldap_access_filter works exactly. Is it simply that the user's DN who is trying to login needs to match a result of the query specified in the access filter line? Thanks! -- Greg Wojtak Senior Unix Systems Engineer Office: (313) 373-4306 Mobile: (734) 718-8472 _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/09/2013 09:08 AM, Wojtak, Greg (Superfly) wrote: > I'm trying to set up sssd with access_provider = ldap. I'm having > a little trouble getting the ldap_access_filter working the way I > want to. > > The way I want to do it is to create a Resource Group in AD that > contains the Unix Team group and then whichever users need access > to the system. So we'd have, say: > > cn=Server1AccessGroup,ou=Groups,Š. member: cn=Unix Team,ou=Groups,Š > member: cn=User A,Š member: cn=User B,Š > > > Is there a way to craft the ldap_access_filter based on the above > such that the members of Unix Team and then the two users will be > allowed access? > > As an ancillary question to this, I'd like some clarification of > how ldap_access_filter works exactly. Is it simply that the user's > DN who is trying to login needs to match a result of the query > specified in the access filter line? > If you're basing access control entirely off of group membership, then you would probably have better luck by doing: access_provider = simple simple_allow_groups = Server1AccessGroup This assumes that Server1AccessGroup and "Unix Team" are both Posix Groups (they have a GID assigned) and are visible when doing 'getent group Server1AccessGroup'. The way the access filter works is that it's ANDed with a lookup string for the user. So it only works based on values that are present in the *user* entry. So you could create a filter for the presence of the memberOf=cn=Server1AccessGroup,ou=Groups,Š But the catch here is that AD has only one-level memberOf (it only lists the direct parent, not any nested parents). Thus with Active Directory it's probably better to use the simple_allow_groups method, since that handles the nesting properly. _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users