On 29 Aug 2014, at 18:33, Kyle Flavin <kyle.fla...@gmail.com> wrote:

> I'm doing some testing to integrate FreeIPA into my environment.  I need to 
> setup two domains in sssd.conf; One is my fresh install of IPA, and the other 
> is our legacy LDAP environment.
> 
> I want to use IPA for ssh logins to servers.  I want to be able to grant/deny 
> SSH access through IPA.  However, I still need the legacy LDAP connected to 
> ensure our servers still see the same file level permissions in their content 
> directories.
> 
> I added two domains to SSSD (config below), and it works fine as far as 
> seeing all accounts and groups.  My problem is, SSSD is now allowing SSH 
> access from both IPA and from LDAP.  I don't want users in our legacy LDAP 
> environment to be able to login to servers.  Is there a way to say "allow SSH 
> from this domain", and "disallow SSH from this other domain"?

Can you try auth_provider=none in the domain that is not supposed to 
authenticate?

> Sanitized version of my sssd.conf:
> 
> [domain/newipa.com]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = newipa.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = client.newipa.com
> chpass_provider = ipa
> ipa_server = _srv_, ipaserver.newipa.com
> ldap_tls_cacert = /etc/ipa/ca.crt
> 
> [domain/oldldap.com]
> #legacy LDAP
> ldap_id_use_start_tls = True
> cache_credentials = True
> ldap_search_base = dc=oldldap,dc=com
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri = ldap://ldapserver.oldldap.com
> #ldap_tls_cacertdir = /etc/openldap/cacerts
> ldap_tls_reqcert = never
> 
> 
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> domains = newipa.com, oldldap.com
> 
> 
> Thanks.
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project



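The change the reply suggests, worked through as an added example (this is the editor's configuration, not a file from the thread or from the FreeIPA/SSSD projects; host names and search base are the sanitized ones the poster gave). It keeps the legacy domain for identity lookups only, so UIDs and GIDs on the content directories still resolve, while SSSD refuses to authenticate oldldap.com users. Two things go beyond what the reply says. First, `auth_provider = none` only covers the PAM authentication phase; with `UsePAM yes`, sshd still runs the PAM account phase after a successful public-key authentication, and the default `access_provider` is `permit`, so a legacy user with a key in `~/.ssh/authorized_keys` would still get a shell. Setting `access_provider = deny` closes that path. Second, the posted config uses `ldap_tls_reqcert = never`, which accepts any certificate the legacy server presents; `demand` together with the CA certificate directory is the hardened form.

```ini
[domain/oldldap.com]
# Legacy LDAP: identity lookups only, no logins.
# Editor's example stanza, not the poster's file; hosts are the
# sanitized names from the thread.
id_provider = ldap
ldap_uri = ldap://ldapserver.oldldap.com
ldap_search_base = dc=oldldap,dc=com
ldap_id_use_start_tls = True
# Verify the legacy server's certificate instead of accepting anything
# (the original had ldap_tls_reqcert = never and the cacertdir commented out).
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand

# Refuse PAM authentication for this domain (the reply's suggestion).
auth_provider = none
chpass_provider = none
# Refuse the PAM account phase too. The default is "permit", and an
# sshd public-key login skips PAM authentication but still runs
# pam_acct_mgmt, so without this line legacy users could still log in.
access_provider = deny
# No credentials will ever be obtained for this domain, so don't cache any.
cache_credentials = False
```

After editing, restart sssd and drop the cache with `sss_cache -E`, then check both halves of the requirement: `getent passwd <legacyuser>` must still resolve (file ownership keeps working), and an ssh attempt as that user, with a password and with a key, must be refused; the denial shows up in `/var/log/sssd/sssd_oldldap.com.log` and in the PAM responder log. The IPA stanza and `[sssd]` section from the original post stay as they are.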