Hi,
I'm currently working on an sssd configuration to replace a set of legacy
authentication and authorization mechanisms on several hundred Linux systems in our
department - they're currently supported via shared /etc/passwd and /etc/group files.
I've got access, user and group information all working well via pam and sssd and am
now trying to find a solution to the authorisation requirements. Previously this was
managed via puppet-distributed changes to /etc/pam.d with a list of users/groups per
machine stored in the puppet nodes files.
I'd like to move to a setup where each machine (or class of machine) just pulls the
list of allowed unix groups from its own node in OpenLDAP.
Is there anything available in sssd.conf that would allow the ldap access provider to pull
back a list of allowed groups from ldap, rather than listing them explicitly? Sort of a
hybrid between the simple_allow_groups and ldap_access_filter?
e.g. What I would love to do
access_provider = ldap
ldap_allow_groups_dn = cn=MachineA,ou=machines,dc=network,dc=com
Where the cn=MachineA object is a groupOfNames that would look something like:
objectClass: groupOfNames
objectClass: top
cn: MachineA
description: Posix groups whose users are allowed to access MachineA
member: root
member: localusers
member: adminusers
member: webusers
I'd much rather have the lists of groups allowed to access a machine managed from
LDAP, rather than directly coded into sssd.conf, or alternatively, via pam_listfile. Is
there any way of enabling this in the current version of sssd, or emulating it somehow via
ldap_access_filter?
Cheers,
John
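One way to emulate the requested behaviour with ldap_access_filter, as an added example that is not the poster's code nor a shipped sssd feature: read the machine's groupOfNames entry (here a constructed LDIF standing in for cn=MachineA, with member values assumed to be full DNs of the posix groups under an assumed ou=groups) and render an OR of memberOf clauses for the [domain/...] section, which assumes the OpenLDAP memberOf overlay populates memberOf on user entries. Group DNs coming out of LDAP are escaped per RFC 4515 so a stray parenthesis or asterisk in a name cannot change the filter's structure, and an empty member list fails closed.

```python
import re

# Constructed LDIF standing in for the cn=MachineA entry sketched in the post
# (assumption: member values are the DNs of posix groups under ou=groups).
MACHINE_LDIF = """\
dn: cn=MachineA,ou=machines,dc=network,dc=com
objectClass: groupOfNames
objectClass: top
cn: MachineA
description: Posix groups whose users are allowed to access MachineA
member: cn=root,ou=groups,dc=network,dc=com
member: cn=localusers,ou=groups,dc=network,dc=com
member: cn=adminusers,ou=groups,dc=network,dc=com
member: cn=webusers,ou=groups,dc=network,dc=com
"""

def parse_members(ldif: str) -> list:
    """Return the member DNs of a single LDIF entry, in order, without duplicates."""
    members = []
    for line in ldif.splitlines():
        if line.lower().startswith("member:"):
            value = line.split(":", 1)[1].strip()
            if value and value not in members:
                members.append(value)
    return members

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a DN read from LDAP must not be able to alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def build_access_filter(members: list) -> str:
    """OR together one memberOf clause per allowed group; match nobody if the list is empty."""
    if not members:
        return "(!(objectClass=*))"   # fail closed: no user entry matches this
    clauses = "".join("(memberOf=%s)" % escape_filter_value(dn) for dn in members)
    return "(|%s)" % clauses

def render_sssd_domain(members: list) -> str:
    """Lines to drop into the [domain/...] section of sssd.conf on this machine."""
    return "\n".join([
        "access_provider = ldap",
        "ldap_access_order = filter",
        "ldap_access_filter = %s" % build_access_filter(members),
    ])

if __name__ == "__main__":
    print(render_sssd_domain(parse_members(MACHINE_LDIF)))
```

Run it from the configuration-management step that already distributes sssd.conf so the group list stays authoritative in LDAP while each host only ever carries the rendered filter.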