I'm doing some testing to integrate FreeIPA into my environment.  I need to
setup two domains in sssd.conf; One is my fresh install of IPA, and the
other is our legacy LDAP environment.

I want to use IPA for ssh logins to servers.  I want to be able to
grant/deny SSH access through IPA.  However, I still need the legacy LDAP
connected to ensure our servers still see the same file level permissions
in their content directories.

I added two domains to SSSD (config below), and it works fine as far as
seeing all accounts and groups.  My problem is, SSSD is now allowing SSH
access from both IPA and from LDAP.  I don't want users in our legacy LDAP
environment to be able to login to servers.  Is there a way to say "allow
SSH from this domain", and "disallow SSH from this other domain"?

Sanitized version of my sssd.conf:

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = newipa.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.newipa.com
chpass_provider = ipa
ipa_server = _srv_, ipaserver.newipa.com
ldap_tls_cacert = /etc/ipa/ca.crt

#legacy LDAP
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=oldldap,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldapserver.oldldap.com
#ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never

services = nss, pam, ssh
config_file_version = 2
domains = newipa.com, oldldap.com

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to