Hi Sumit,
I've seen the GPO option in the man pages, but I have a problem using it.
I'm supporting several Red Hat/CentOS systems for different teams.
We are talking about more than 500 systems for more than 10 teams with various
access rights.
For auditing reasons I'd like to map the system access rights to AD groups.
Then I'm able to generate audit reports.
If it's only possible to do this with sssd via GPO, I have to create a
lot of GPOs.
I don't want to use IdM (IPA), to keep it simple, if that's possible.
Or is this the only/preferred way?
Kind regards
Andreas
On 19.03.2020 16:49, Sumit Bose wrote:
On Thu, Mar 19, 2020 at 04:12:05PM +0100, Andreas Schoon wrote:
> Hi,
>
> I'm using the sssd (centos7) combined with microsoft ad (2016) and I'm
> searching for a service-based filter-option.
>
> My plan is to grant access to the service, based on group membership in AD.
Hi,
please use sssd-users(a)lists.fedorahosted.org next time.
Please check the ad_gpo_access_control option and the following in man
sssd-ad. sshd is by default in ad_gpo_map_remote_interactive and you
can add the PAM service name of radius e.g. to ad_gpo_map_service.
HTH
bye,
Sumit
> Is there any way to do this?
>
> Example:
>
> Member of ad-Group : sssh_user can connect via ssh to the server, Member
> of ad-Group : rad_user can use the radius-daemon on the server
>
> [sshd]
>
> ad_access_filter = FOREST:xxx.yy:(memberOf:1.2.840.113556.1.4.1941:=CN=ssh_user,OU=linux,OU=Test,DC=xxx,DC=yy)
>
> [radiusd]
>
> ad_access_filter = FOREST:xxx.yy:(memberOf:1.2.840.113556.1.4.1941:=CN=rad_user,OU=linux,OU=Test,DC=xxx,DC=yy)
>
>
> I can't see a solution in the manpages ...
>
> In the past I've combined the groups and used the top one for the
> filter, but that's not secure ...
>
> Kind Regards
>
> Andreas
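
Added example (not part of the thread and not from the sssd project): an sssd.conf fragment using the options named in Sumit's reply to separate ssh and radius access. Assumptions: the domain section is named after the placeholder domain xxx.yy from the original post, the radius daemon's PAM service name is radiusd, and the AD groups ssh_user and rad_user are granted the matching logon rights in a GPO linked to the OU that holds the server's computer object.

```ini
# /etc/sssd/sssd.conf (fragment, constructed for illustration)
[domain/xxx.yy]
id_provider = ad
access_provider = ad

# Evaluate AD GPO logon rights when a PAM service asks for access.
# "permissive" only logs what would have been denied, "enforcing" applies it.
# Run permissive first and check the logs before switching.
ad_gpo_access_control = enforcing

# sshd is already in the default ad_gpo_map_remote_interactive list, so ssh
# logins are checked against the GPO settings
# "Allow/Deny log on through Remote Desktop Services" (grant to ssh_user).

# Assumption: the radius PAM service is called "radiusd". Adding it to the
# service map checks it against "Allow/Deny log on as a service"
# (grant to rad_user). The leading "+" extends the default list.
ad_gpo_map_service = +radiusd
```

Because the rights live in the GPO and are granted to AD groups, one GPO per team OU covers all servers in that OU, and group membership remains the single source for audit reports.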