Houser, Janet L. via FreeIPA-users wrote:
> Hello,
>
> I have a new instance of FreeIPA installed (version: 4.12.2) on an
> AlmaLinux 9.4 server.
>
> I have created several test users (uidNumber, gidNumber) using posix
> groups I created. I also created a non-posix group I'd like to use
> as a "restricted" group for login access.
>
> I have managed to get this to work using HBAC rules. Unfortunately,
> when I issue the "getent passwd" command it shows all the
> users, not just the ones with login access.
>
> In the past, I used sssd.conf (or nslcd.conf) to limit access and only
> users listed in the "memberOf" group would show when the getent command
> was issued.
>
> I've been trying (very unsuccessfully) to get this to work with my
> FreeIPA server. I've tried changing the access_provider = ldap but
> the ldap_access_filter doesn't seem to work.
>
> The sssd.conf file I'm hacking on looks like the following:
>
> [domain/domain.com]
>
> ipa_uri = ldaps://freeipa.domain.com:636
> enumerate = True
> cache_credentials = False
> krb5_store_password_if_offline = True
> ipa_domain = domain.com
> id_provider = ipa
> auth_provider = ipa
> #---
> #access_provider = ipa
> access_provider = ldap
> #---
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = ldap-test.domain.com
> chpass_provider = ipa
> ipa_server = _srv_, freeipa.domain.com
> ldap_schema=rfc2307bis
> ldap_access_order = filter
> ldap_access_filter = (memberOf=cn=test,cn=groups,cn=accounts,dc=domain,dc=com)
> ldap_group_search_base = cn=test,cn=groups,cn=accounts,dc=domain,dc=com
>
> I've also tried, as a test, to see if I could limit access to one user:
>
> ldap_access_filter = (|(gidNumber=600)(gidNumber=902))
> ldap_access_filter = (uid=2000)
>
> I'm basically just trying to get some kind of restriction using a group
> filter to try to understand what I need in the sssd.conf file so that
> getent will only show authorized users.
>
> Is this something that can be set on the server side rather than the
> client side?
>
> I just can't seem to get the correct syntax. I've tried using
> access_provider = simple but the "simple_allow_groups" doesn't seem to
> restrict the getent list either.
By definition non-POSIX groups are not visible to SSSD. Non-POSIX groups are used to organize things within IPA only, so that the group namespace isn't polluted with things that are organization-specific. Like you did for your HBAC group. But that group won't be visible on the system. If you want that group to be visible it will need to be a POSIX group.

rob
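Added example (not from the post, and not SSSD's own code): a small Python model of the distinction the reply turns on. It evaluates the three ldap_access_filter values from the question against constructed directory entries modelled on the post's DNs, and separately lists what NSS would return: getent draws on the id_provider and never consults the access filter, and the non-POSIX group has no gidNumber, so it has nothing to show. The user and group entries, the toy filter evaluator and the uid/gid values are all constructed for this illustration.

```python
"""Constructed model: access filters decide who may log in (PAM),
while getent/NSS lists every POSIX entry the id_provider knows about."""

# Constructed entries; the memberOf DN is the one from the original post.
USERS = [
    {"uid": "alice", "uidNumber": "2000", "gidNumber": "600",
     "memberOf": ["cn=test,cn=groups,cn=accounts,dc=domain,dc=com"]},
    {"uid": "bob", "uidNumber": "2001", "gidNumber": "902", "memberOf": []},
    {"uid": "carol", "uidNumber": "2002", "gidNumber": "700", "memberOf": []},
]
GROUPS = [
    {"cn": "devs", "gidNumber": "600"},
    {"cn": "test"},  # non-POSIX: no gidNumber, so NSS has nothing to return
]


def _parse(s, i):
    """Recursive-descent parser for the subset of RFC 4515 used in the thread."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|!":                     # compound filter
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        assert s[i] == ")"
        return (op, subs), i + 1
    j = s.index(")", i)                   # simple (attr=value) item
    attr, _, value = s[i:j].partition("=")   # value may itself contain '='
    return ("=", attr, value), j + 1


def matches(entry, node):
    """Evaluate a parsed filter against one entry (exact match only)."""
    if node[0] == "=":
        vals = entry.get(node[1], [])
        return node[2] in (vals if isinstance(vals, list) else [vals])
    results = [matches(entry, n) for n in node[1]]
    return {"&": all(results), "|": any(results), "!": not results[0]}[node[0]]


def login_allowed(users, access_filter):
    """Users the PAM access provider would let in under ldap_access_filter."""
    node, _ = _parse(access_filter.strip(), 0)
    return sorted(u["uid"] for u in users if matches(u, node))


def nss_users(users):
    """What 'getent passwd' enumerates: every user with a uidNumber, filter ignored."""
    return sorted(u["uid"] for u in users if "uidNumber" in u)


def nss_groups(groups):
    """What 'getent group' enumerates: only groups carrying a gidNumber."""
    return sorted(g["cn"] for g in groups if "gidNumber" in g)
```

Note that `(uid=2000)` matches the login-name attribute, so against these entries it admits nobody, while the memberOf filter admits exactly the member of the non-POSIX group without making that group visible.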
