On 07/09/2014 05:28 PM, Jakub Hrozek wrote:
> On 07 Jul 2014, at 11:00, John Snowdon wrote:
> > I'm currently working on an sssd configuration to replace a set
> > of legacy authentication and authorization mechanisms on several
> > hundred Linux systems in our department - they're currently
> > supported via shared /etc/passwd and /etc/group files.
> >
> > I've got access, user and group information all working well via
> > pam and sssd and am now trying to find a solution to the
> > authorisation requirements. Previously this was managed via
> > puppet-distributed changes to /etc/pam.d with a list of
> > users/groups per machine stored in the puppet nodes files. I'd
> > like to move to a setup where each machine (or class of machine)
> > just pulls the list of allowed unix groups from its own node in
> >
> > Is there anything available in sssd.conf that would allow the
> > ldap access provider to pull back a list of allowed groups from
> > ldap, rather than listing them explicitly? Sort of a hybrid
> > between the simple_allow_groups and ldap_access_filter?
> >
> > e.g. What I would love to do:
> >
> > access_provider = ldap
> > ldap_allow_groups_dn =
> >
> > Where the cn=MachineA object is a groupOfNames that would look
> > something like:
> >
> > objectClass: groupOfNames
> > objectClass: top
> > cn: MachineA
> > description: Posix groups whose users are allowed to access MachineA
> > member: root
> > member: localusers
> > member: adminusers
> > member: webusers
> >
> > I'd much rather have the lists of groups allowed to access a
> > machine managed from LDAP, rather than directly coded into
> > sssd.conf, or alternatively, via pam_listfile. Is there any way
> > of enabling this in the current version of sssd, or emulating it
> > somehow via ldap_access_filter?
> >
> > Cheers, John
>
> The one-sentence answer is: not easily, sorry.
>
> The thing about ldap_access_filter to keep in mind is that the
> filter is applied on the /user entry/ when the user logs in.
> Basically, the ldap_access_filter is AND-ed with a filter that
> involves the user entry; if there is a match, the access is
> allowed, otherwise the access is denied.
>
> One solution I can think of is to use the memberof overlay with
> OpenLDAP and then employ a filter on the client side that would
> include memberof=allowed_group_dn. But to be honest, I don't have
> too much experience with the memberof overlay, so I'm not sure if
> this suggestion would work for nested groups, for example.
>
> I hope the explanation on how the ldap_access_filter works is
> still useful. Please let us know if you have any more questions!
I think what John is really asking for is the simple access provider
with one significant enhancement: the ability to specify the contents
of the access-lists in LDAP.
John, this would actually be a rather interesting idea, but I agree
with Dmitri: if this is the level of control that you need, you would
be in a far better position with FreeIPA/Red Hat Identity Management.
It has this concept baked into its Host-Based Access Control mechanism
(which SSSD fully supports). The problem with trying to do this in
plain LDAP is that there exists no standard mechanism for maintaining
this sort of information on the LDAP server (FreeIPA's HBAC rules are
kind of a de-facto standard).
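To make the point of the thread concrete, here is an added sssd.conf fragment (not from the thread, and not SSSD project documentation) showing the memberof-based ldap_access_filter approach Jakub describes next to the explicit simple_allow_groups approach John wants to avoid. The domain name, base DN, ou=groups/ou=hosts containers and LDAP URI are assumptions; the thread only gives the group names and the cn=MachineA object.

```ini
[domain/example.com]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com

# Variant 1: ldap access provider with a memberOf-based filter.
# SSSD evaluates ldap_access_filter against the entry of the user who is
# logging in, so that entry itself has to carry the group information.
# With OpenLDAP's memberof overlay the user entry gets one memberOf value
# per group it is a DIRECT member of, so the filter can reference the
# posix groups John listed under cn=MachineA. (DNs below are assumed.)
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (|(memberOf=cn=adminusers,ou=groups,dc=example,dc=com)(memberOf=cn=webusers,ou=groups,dc=example,dc=com))

# What does NOT work with this setup: referencing the per-machine
# groupOfNames directly,
#   ldap_access_filter = (memberOf=cn=MachineA,ou=hosts,dc=example,dc=com)
# because cn=MachineA's members are groups, not users. The memberof
# overlay only records direct membership, so the user entry never gains
# memberOf=cn=MachineA,... and every login would be denied. That is the
# nested-group case Jakub was unsure about; FreeIPA's HBAC rules, as the
# reply suggests, are the mechanism built for this.

# Variant 2 (mutually exclusive with the block above): the simple access
# provider, which keeps the allow-list in sssd.conf on each client.
# access_provider = simple
# simple_allow_groups = adminusers, webusers
```

When testing either variant, check with `sssctl domain-status` or a plain login attempt rather than relying on cached results: SSSD caches access decisions, so a user denied once may stay denied until the cache entry expires or is cleared.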