On 05/09/2013 09:08 AM, Wojtak, Greg (Superfly) wrote:
> I'm trying to set up sssd with access_provider = ldap. I'm having a little trouble getting the ldap_access_filter working the way I want to.
>
> The way I want to do it is to create a Resource Group in AD that contains the Unix Team group and then whichever users need access to the system. So we'd have, say:
>
> cn=Server1AccessGroup,ou=Groups,…
> member: cn=Unix Team,ou=Groups,…
> member: cn=User A,…
> member: cn=User B,…
>
> Is there a way to craft the ldap_access_filter based on the above such that the members of Unix Team and then the two users will be allowed access?
>
> As an ancillary question to this, I'd like some clarification of how ldap_access_filter works exactly. Is it simply that the user's DN who is trying to login needs to match a result of the query specified in the access filter line?
If you're basing access control entirely off of group membership, then you would probably have better luck by doing:

access_provider = simple
simple_allow_groups = Server1AccessGroup

This assumes that Server1AccessGroup and "Unix Team" are both POSIX groups (they have a GID assigned) and are visible when doing 'getent group Server1AccessGroup'.

The way the access filter works is that it's ANDed with a lookup string for the user. So it only works based on values that are present in the *user* entry. So you could create a filter for the presence of the memberOf=cn=Server1AccessGroup,ou=Groups,…

But the catch here is that AD has only one-level memberOf (it only lists the direct parent, not any nested parents). Thus with Active Directory it's probably better to use the simple_allow_groups method, since that handles the nesting properly.
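To make the nesting catch in the reply concrete, here is an added example (not from the thread or from sssd itself) that models the two approaches against a small constructed directory laid out like the Server1AccessGroup / Unix Team example; the dc=example,dc=com suffix, the ou=Users container and the User C / User D entries are assumptions for illustration.

```python
# Added example, not from the thread: a model of the two access-control
# approaches discussed above, run against a constructed directory that
# mirrors the nested Server1AccessGroup -> Unix Team layout.
from collections import deque

BASE = "dc=example,dc=com"  # assumed suffix; the post elides it with "..."
ACCESS_GROUP = f"cn=Server1AccessGroup,ou=Groups,{BASE}"
UNIX_TEAM = f"cn=Unix Team,ou=Groups,{BASE}"

def user(cn, groups):
    # ou=Users is an assumed container name
    return f"cn={cn},ou=Users,{BASE}", {"objectClass": ["user"], "memberOf": groups}

# Constructed entries. memberOf is populated the way AD does it: only the
# direct parent group, never groups reached through nesting.
DIRECTORY = {
    ACCESS_GROUP: {"objectClass": ["group"],
                   "member": [UNIX_TEAM, f"cn=User A,ou=Users,{BASE}",
                              f"cn=User B,ou=Users,{BASE}"]},
    UNIX_TEAM: {"objectClass": ["group"],
                "member": [f"cn=User C,ou=Users,{BASE}"]},
}
DIRECTORY.update(dict([user("User A", [ACCESS_GROUP]),
                       user("User B", [ACCESS_GROUP]),
                       user("User C", [UNIX_TEAM]),   # nested via Unix Team
                       user("User D", [])]))         # no access at all

def ldap_access_filter_allows(user_dn, group_dn):
    """access_provider = ldap with ldap_access_filter = (memberOf=<group>).
    The filter is ANDed with the user lookup, so only attributes on the
    *user* entry can satisfy it; nested membership is invisible here."""
    return group_dn in DIRECTORY[user_dn].get("memberOf", [])

def simple_allow_groups_allows(user_dn, group_dn):
    """access_provider = simple with simple_allow_groups = <group>.
    Membership is resolved by walking 'member' links transitively, so a
    user reached through Unix Team still counts. The seen set stops loops."""
    seen, queue = set(), deque([group_dn])
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        for m in DIRECTORY.get(dn, {}).get("member", []):
            if m == user_dn:
                return True
            if "group" in DIRECTORY.get(m, {}).get("objectClass", []):
                queue.append(m)
    return False
```

User C, a member only of the nested Unix Team, is rejected by the memberOf filter but accepted by the group walk; User D is rejected by both.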