[deployment-guide/comm-rel: 266/727] Trac #457: update info about access_provider=ldap and access filter to SSSD chapter

Jaromir Hradilek jhradile at fedoraproject.org
Tue Oct 19 12:46:56 UTC 2010


commit cb2a8a32b3427f73d38a95e84acd51148e757577
Author: David O'Brien <davido at redhat.com>
Date:   Thu Aug 5 14:04:46 2010 +1000

    Trac #457: update info about access_provider=ldap and access filter to SSSD chapter

 en-US/SSSD.xml |   60 +++++++++++++++++++++++++++++++++++++++++--------------
 1 files changed, 44 insertions(+), 16 deletions(-)
---
diff --git a/en-US/SSSD.xml b/en-US/SSSD.xml
index 9472026..96a40c3 100644
--- a/en-US/SSSD.xml
+++ b/en-US/SSSD.xml
@@ -351,7 +351,6 @@ session     optional     pam_console.so
         </note>
       </section>
 
-
       </section>
 
       <section>
@@ -361,31 +360,36 @@ session     optional     pam_console.so
           <secondary>configuring in SSSD</secondary>
         </indexterm>
 
-        <para>SSSD provides a rudimentary access control mechanism based on the implementation of access or deny lists of usernames. This mechanism is known as the <firstterm>Simple Access Provider</firstterm>, and is configured in the <literal>[domain/&lt;<replaceable>NAME</replaceable>&gt;]</literal> sections of the <filename>/etc/sssd/sssd.conf</filename> file. To enable the Simple Access Provider, you need to set the <option>access_provider</option> option to <literal>simple</literal>, and then add usernames as a comma-separated list to either the <option>simple_allow_users</option> or <option>simple_deny_users</option> options.</para>
-
-        <formalpara>
-          <title>Using the Simple Access Provider</title>
+        <para>
+          SSSD provides a rudimentary access control mechanism, offering two solutions based on the value of the <option>access_provider</option> option in the <literal>[domain/&lt;<replaceable>NAME</replaceable>&gt;]</literal> section in the <filename>/etc/sssd/sssd.conf</filename> file.
+        </para>
+        <section><title>The Simple Access Provider</title>
           <para>
-            By using the Simple Access Provider, you can continue to support a number of network logins to maintain common network accounts on company or department laptops, but you might want to restrict the use of a particular laptop to one or two users. This means that even if a different user authenticated successfully against the same authentication provider, the Simple Access Provider would prevent that user from gaining access.
+            The first of these solutions is known as the <firstterm>Simple Access Provider</firstterm>, and is based on the implementation of access or deny lists of usernames. To enable the Simple Access Provider, you need to set the <option>access_provider</option> option to <literal>simple</literal>, and then add usernames as a comma-separated list to either the <option>simple_allow_users</option> or <option>simple_deny_users</option> options.
           </para>
-        </formalpara>
 
+          <formalpara>
+            <title>Using the Simple Access Provider</title>
+            <para>
+              By using the Simple Access Provider, you can continue to support a number of network logins to maintain common network accounts on company or department laptops, but you might want to restrict the use of a particular laptop to one or two users. This means that even if a different user authenticated successfully against the same authentication provider, the Simple Access Provider would prevent that user from gaining access.
+            </para>
+          </formalpara>
 
-        <para>
-          The following example demonstrates the use of the Simple Access Provider to grant access to two users. This example assumes that SSSD is correctly configured and <systemitem class="domainname">example.com</systemitem> is one of the domains specified in the <literal>[sssd]</literal> section, and only shows the Simple Access Provider-specific options.
-        </para>
+          <para>
+            The following example demonstrates the use of the Simple Access Provider to grant access to two users. This example assumes that SSSD is correctly configured and <systemitem class="domainname">example.com</systemitem> is one of the domains specified in the <literal>[sssd]</literal> section, and only shows the Simple Access Provider-specific options.
+          </para>
 
 <screen>[domain/example.com]
 access_provider = simple
 simple_allow_users = user1, user2</screen>
 
-        <note>
-          <para>
-            The Local ID provider does not support <option>simple</option> as an access provider.
-          </para>
-        </note>
+          <note>
+            <para>
+              The Local ID provider does not support <option>simple</option> as an access provider.
+            </para>
+          </note>
 
-        <formalpara>
+          <formalpara>
           <title>Access Control Rules</title>
           <indexterm>
           <primary>Access Control</primary>
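Review bot: the re-indented <formalpara> opener at the end of this hunk leaves its children at the old depth; the new "<formalpara>" line sits at ten spaces and the unchanged "<title>Access Control Rules</title>" and "<indexterm>" lines that follow also sit at ten, so the title now reads as a sibling of the formalpara rather than its child. Since the whole Simple Access Provider block moved one level deeper into the new section, the rest of that formalpara should be re-indented along with it, as was done for the <note> and <para> blocks earlier in the hunk. Also, "<section><title>The Simple Access Provider</title>" puts the title on the tag line, whereas the file keeps <section> on its own line (see the unchanged <section> that opens this part); splitting it keeps the style consistent and future diffs smaller. Leaving the <screen> block flush left is correct, since its content is verbatim.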
@@ -417,6 +421,30 @@ simple_allow_users = user1, user2</screen>
           </important>
           </para>
         </formalpara>
+        </section>
+
+        <section><title>The LDAP Access Provider</title>
+          <para>
+            The second access control solution uses the LDAP server itself as the access provider (<option>access_provider=ldap</option>) and the associated filter option (<option>ldap_access_filter</option>) to specify which users are granted access to the specified host. Note that these two options are codependent; if you use LDAP as your access provider then you must specify a value for the <option>ldap_access_filter</option> option, otherwise all users will be denied access. If you are not using LDAP as your access provider, then the <option>ldap_access_filter</option> option has no effect.
+          </para>
+          <formalpara><title>Using the LDAP Access Provider</title>
+            <para>
+              The following example demonstrates the use of the LDAP Access Provider to grant access to members of the "allowedusers" group in LDAP. This example assumes that SSSD is correctly configured and <systemitem class="domainname">example.com</systemitem> is one of the domains specified in the <literal>[sssd]</literal> section, and only shows the LDAP Access Provider-specific options.
+            </para>
+          </formalpara>
+<screen>[domain/example.com]
+access_provider = ldap
+ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com</screen>
+          <note>
+            <para>
+              Offline caching for this feature is limited to determining whether or not the user's last online login attempt was successful. If they were granted access during their last login, they will continue to be granted access while offline, and vice-versa.
+            </para>
+          </note>
+          <para>
+            Refer to the <citetitle>sssd-ldap</citetitle> manual page for more information about using the LDAP Access Provider.
+          </para>
+        </section>
+
       </section>
 
       <section id="sect-SSSD_User_Guide-Configuring_Domains-Configuring_Failover">
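Review bot: the paragraph introducing access_provider=ldap calls the two options "codependent" but then describes a one-way dependency (ldap_access_filter is required when the provider is ldap and ignored otherwise); state that directly, for example "If access_provider is set to ldap, ldap_access_filter must also be set; otherwise every user is denied access." That deny-all behaviour when the filter is missing is the fail-closed case an administrator most needs to know about, so it deserves its own sentence rather than a clause after "Note that". The example filter memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com only grants anyone access if user entries in the directory actually carry a memberOf attribute; since the <screen> presents it as the way to allow the "allowedusers" group, add a sentence stating that assumption, or readers on a directory without it will copy the example and get the deny-all result. Minor: "<section><title>" and "<formalpara><title>" on one line differ from the tag-per-line style used elsewhere in the hunk.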

