On 10/25/2012 11:36 AM, Sumit Bose wrote:
> On Thu, Oct 25, 2012 at 10:36:05AM +0200, Tomas Brandysky wrote:
>> Hello,
>> we're upgrading from CentOS 5.8 to CentOS 6.3 and have realized a few things have changed in the system.
>> We're using LDAP authentication (nss_ldap package) on our CentOS 5.8 servers and have different PAM LDAP configuration files configured to be used for specific PAM services at the moment.
>> Here is an example of our setup:
>> /etc/pam.d/service1: auth sufficient pam_ldap.so config=/etc/ldap_service1.conf
>> /etc/pam.d/service2: auth sufficient pam_ldap.so config=/etc/ldap_service2.conf
>> Thus we can use specific LDAP filters for various services, as not all users having access to one service also have access to other services on the same server.
>> Now we're facing the problem of managing the same functionality with the System Security Services Daemon (SSSD), which was newly introduced with RHEL 6.
>> We haven't found out so far how to specify a custom sssd configuration file (or a specific part of the configuration section/domain) in the PAM service configuration. According to the documentation, only these options can be specified when using the pam_sss module: [forward_pass] [use_first_pass] [use_authtok].
>> None of them can be used to make a difference in the LDAP filter to be used.
>> Is there a way to configure specific search filters depending on the PAM service?
>> Thank you for any suggestion
> I think what you are looking for is covered in https://fedorahosted.org/sssd/ticket/1021.
yes, that's exactly what I miss in sssd. I'm surprised such a feature isn't supported yet, as the same goal could be accomplished in RHEL4/5 releases with older methods. I see this as a step back. Is there some real possibility to have this feature in some later release which could come as an update in RHEL 6?
> If you only want to allow/deny access for specific users to a specific service, you can add an attribute to the user objects in the LDAP server listing the allowed PAM services and use ldap_user_authorized_service. See the sssd-ldap man page for details.
I know about ldap_user_authorized_service, but I need to specify a combination of service and host access. I can't afford to grant users access to the ssh service globally when they can access ssh only on some of the dozens of servers we have.
> If you want more fine-grained access control you might want to have a look at the FreeIPA HBAC rules.
ok, I've not heard about this. Will check it out.
Thank you
Tomas
> HTH
> bye, Sumit
Regards
Tomas Brandysky

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

On Thu, Oct 25, 2012 at 01:48:49PM +0200, Tomas Brandysky wrote:
> yes, that's exactly what I miss in sssd. I'm surprised such a feature isn't supported yet, as the same goal could be accomplished in RHEL4/5 releases with older methods. I see this as a step back. Is there some real possibility to have this feature in some later release which could come as an update in RHEL 6?
I don't think we are tracking this feature request for RHEL6. If you need the functionality in RHEL6, feel free to propose it through support.
> I know about ldap_user_authorized_service, but I need to specify a combination of service and host access. I can't afford to grant users access to the ssh service globally when they can access ssh only on some of the dozens of servers we have.
You can also use a comma-separated list in the ldap_access_order parameter of sssd.conf and then define both service and host for a user.
For a finer-grained access control, you probably want IPA's HBAC as Sumit said.
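The two sssd.conf approaches discussed in this thread, ldap_user_authorized_service for per-service grants and Jakub's ldap_access_order = host, authorized_service for combining a host restriction with a service restriction, can be illustrated with a small model of the decision the LDAP access provider makes. This is an added example for the list, not SSSD's own code: it encodes the precedence sssd-ldap(5) documents for each attribute (explicit deny "!value" first, then explicit allow, then the "*" wildcard, and deny when nothing matches or the attribute is absent) and requires every check named in ldap_access_order to pass. The attribute names are the SSSD defaults; the sssd.conf fragment, the user entries and the host names are constructed, and the hostname is passed in explicitly where SSSD would compare against the local machine's own name.

```python
"""Model of the access decision SSSD's LDAP access provider makes when
sssd.conf says ldap_access_order = host, authorized_service.

Added illustration, not code from SSSD. Rules follow sssd-ldap(5): for
each check, an explicit deny ("!value") is resolved first, then an
explicit allow ("value"), then allow-all ("*"); a user whose entry
matches none of these, or lacks the attribute, is denied. Every check
listed in ldap_access_order must pass. Attribute names are the SSSD
defaults; user entries and host names are constructed.
"""

# Constructed sssd.conf fragment that this model corresponds to.
SSSD_CONF_FRAGMENT = """\
[domain/example]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_order = host, authorized_service
# SSSD defaults, spelled out for clarity
ldap_user_authorized_host = host
ldap_user_authorized_service = authorizedService
"""

# Constructed user entries: attribute name -> list of values, as they
# would be read from the directory.
USERS = {
    # may use sshd and service1, but only on the two web hosts
    "alice": {
        "host": ["web01.example.com", "web02.example.com"],
        "authorizedService": ["sshd", "service1"],
    },
    # may use any service except sshd, on any host except db01
    "bob": {
        "host": ["*", "!db01.example.com"],
        "authorizedService": ["*", "!sshd"],
    },
    # has a service grant but no host attribute at all
    "carol": {
        "authorizedService": ["service2"],
    },
}


def evaluate_attribute(values, wanted):
    """Deny -> allow -> wildcard precedence for one attribute's values."""
    values = set(values)
    if "!" + wanted in values:      # explicit deny wins over everything
        return False
    if wanted in values:            # explicit allow
        return True
    return "*" in values            # allow-all; otherwise deny


def check_host(entry, hostname):
    """The 'host' check: is this machine listed for the user?"""
    return evaluate_attribute(entry.get("host", ()), hostname)


def check_authorized_service(entry, service):
    """The 'authorized_service' check: is this PAM service listed?"""
    return evaluate_attribute(entry.get("authorizedService", ()), service)


def ldap_access(entry, service, hostname,
                order=("host", "authorized_service")):
    """Return (allowed, reason); every check in `order` must pass."""
    for check in order:
        if check == "host":
            ok = check_host(entry, hostname)
        elif check == "authorized_service":
            ok = check_authorized_service(entry, service)
        else:
            raise ValueError(f"check not modelled here: {check}")
        if not ok:
            return False, f"denied by {check} check ({service} on {hostname})"
    return True, "allowed: all checks passed"


if __name__ == "__main__":
    for user, service, host in [("alice", "sshd", "web01.example.com"),
                                ("alice", "sshd", "db01.example.com"),
                                ("bob", "sshd", "web01.example.com"),
                                ("carol", "service2", "web01.example.com")]:
        allowed, why = ldap_access(USERS[user], service, host)
        print(f"{user:6} {service:9} {host:18} -> {why}")
```

Two things the model makes visible that matter for Tomas's case: an entry with no host attribute is denied as soon as "host" appears in ldap_access_order (carol above), so every user needs the attribute once the check is enabled; and the host and service sets are evaluated independently, so a user allowed sshd and allowed on web01 and web02 gets sshd on both, while "sshd on web01 but only service1 on web02" cannot be expressed as pairs this way, which is the gap the FreeIPA HBAC suggestion addresses.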
On 10/25/2012 10:14 AM, Jakub Hrozek wrote:
> I don't think we are tracking this feature request for RHEL6. If you need the functionality in RHEL6, feel free to propose it through support.
> You can also use a comma-separated list in the ldap_access_order parameter of sssd.conf and then define both service and host for a user.
> For a finer-grained access control, you probably want IPA's HBAC as Sumit said.
And as a last resort, if everything else fails, you can still use nss & pam instead of SSSD if you prefer to (it will be a pity but... oh well, it is hard to deliver all the features day one). It is still included in the distribution for the cases when SSSD does not have some functionality that would be regarded as a regression in comparison to existing PAM & NSS capabilities.