Hi Sumit,
I've seen the gpo option in the man-pages, but I have a problem using it.
I'm supporting several Red Hat/CentOS systems for different teams.
We are talking about more than 500 systems for more than 10 teams with various access rights.
For auditing reasons I'd like to map the system access rights to AD groups.
Then I'm able to generate audit reports.
If it's only possible to do this with sssd via GPO, I have to create a lot of GPOs.
I don't want to use IdM (IPA), to keep it simple, if possible.
Or is this the only/preferred way?
Kind regards
Andreas
On 19.03.2020 16:49, Sumit Bose wrote:
On Thu, Mar 19, 2020 at 04:12:05PM +0100, Andreas Schoon wrote:
Hi,
I'm using sssd (CentOS 7) combined with Microsoft AD (2016) and I'm searching for a service-based filter option.
My plan is to grant access to the service based on group membership in AD.
Hi,
please use sssd-users@lists.fedorahosted.org next time.
Please check the ad_gpo_access_control option and the following in man sssd-ad. sshd is by default in ad_gpo_map_remote_interactive and you can add the PAM service name of radius e.g. to ad_gpo_map_service.
HTH
bye, Sumit
Is there any way to do this?
Example:
A member of the AD group ssh_user can connect via ssh to the server; a member of the AD group rad_user can use the radius daemon on the server:
[sshd]
ad_access_filter = FOREST:xxx.yy:(memberOf:1.2.840.113556.1.4.1941:=CN=ssh_user,OU=linux,OU=Test,DC=xxx,DC=yy)
[radiusd]
ad_access_filter = FOREST:xxx.yy:(memberOf:1.2.840.113556.1.4.1941:=CN=rad_user,OU=linux,OU=Test,DC=xxx,DC=yy)
I can't see a solution in the manpages ...
In the past I've combined the groups and used the top one for the filter, but that's not secure ...
Kind Regards
Andreas
-- This e-mail has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus
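As an added example (not from the thread, and not the project's own documentation), the GPO-based layout Sumit points to, written as an sssd.conf fragment. The domain xxx.yy and the groups ssh_user/rad_user come from the thread; that the RADIUS daemon authenticates through a PAM service literally named radiusd is an assumption.

```ini
# sssd.conf (added example). Per-service [sshd]/[radiusd] sections do not exist
# in sssd.conf: ad_access_filter is a per-domain option and is evaluated the
# same way for every PAM service, so it cannot express "group A for ssh,
# group B for radius". The GPO access provider can, because each PAM service
# is mapped to one Windows logon right, which a GPO grants per AD group.
[sssd]
domains = xxx.yy
services = nss, pam

[domain/xxx.yy]
id_provider = ad
access_provider = ad

# Evaluate the GPOs linked to this computer object's OU.
# "permissive" only logs what "enforcing" would deny; useful while rolling out.
ad_gpo_access_control = enforcing

# sshd is already in the default RemoteInteractive set (SeRemoteInteractiveLogonRight),
# listed here only for clarity. In the GPO, grant
# "Allow log on through Remote Desktop Services" to ssh_user.
ad_gpo_map_remote_interactive = +sshd

# radiusd is in no default set, so add it to the Service set (SeServiceLogonRight).
# In the GPO, grant "Allow log on as a service" to rad_user.
# Assumption: "radiusd" equals the PAM service name the daemon passes to PAM
# (the file name under /etc/pam.d/); a mismatch silently leaves it unmapped.
ad_gpo_map_service = +radiusd
```

Check the effective mapping after a change with sssd debug logs on the PAM responder: a denied login shows which logon right was evaluated and which GPO supplied it.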