[SSSD-users] Re: ad_access_filter and splitting group listing with backslash

2018-10-05 Thread Jakub Hrozek
On Fri, Oct 05, 2018 at 12:25:08PM +0200, Michal Židek wrote:
> On 09/27/2018 10:55 PM, Tom wrote:
> > FYI tested this and though it doesn’t work for ad_access_filter it does for 
> > the ldap_access_filter. Any reason why one works but not the other?
> 
> Hi,
> 
> I would like to see logs in this case in order to
> understand where the issue may be.
> 
> If the sssd does not even start and logs show that the option
> could not be parsed then it could be an issue in libini.
> 
> If it fails later then maybe we handle the multiline option
> badly in SSSD.
> 
> Also I am not sure what 'doesn't work' in this context means. Is
> the filter not effective or is SSSD failing to start/do some
> operation?

To put a little more context, the only difference between the
ldap_access_filter and ad_access_filter should be that the former uses
whatever ldap authentication you configure (bind DN, SASL GSSAPI, ...)
and the latter re-uses the GSSAPI authenticated connection that the ID
provider uses.
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
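
Added example (not part of any post in this thread, and not SSSD or libini code): a small pre-deployment check that collapses the backslash-split filter from the original question into the single-line form and sanity-checks the result as an LDAP filter, so the access rule does not depend on how the config parser treats continuations. The function names and the shortened three-group sample are assumptions made for illustration.

```python
import re

# Constructed sample: the backslash-split form from the question, shortened to three groups.
SPLIT_FORM = r"""ad_access_filter = (| \
(memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah) \
(memberOf=CN=group-of-managers,OU=XYZ,DC=blah,DC=blah,DC=blah) \
(memberOf=CN=group-of-minions,OU=XYZ,DC=blah,DC=blah,DC=blah))
"""

# In an LDAP filter string (RFC 4515) a backslash is only valid as a \XX hex escape.
BAD_BACKSLASH = re.compile(r"\\(?![0-9A-Fa-f]{2})")


def split_option(text):
    """Split 'key = value' on the first '=' and trim both sides."""
    key, _, value = text.partition("=")
    return key.strip(), value.strip()


def single_line(text):
    """Remove backslash-newline continuations and the padding around them."""
    joined = re.sub(r"[ \t]*\\\r?\n[ \t]*", "", text)
    key, value = split_option(joined)
    return f"{key} = {value}"


def check_filter(flt):
    """Return a list of structural problems found in a filter string."""
    problems = []
    if BAD_BACKSLASH.search(flt):
        problems.append("backslash that is not a \\XX hex escape")
    if re.search(r"\)\s+\(", flt):
        problems.append("whitespace between filter components")
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0 or not (flt.startswith("(") and flt.endswith(")")):
        problems.append("unbalanced or unwrapped parentheses")
    return problems


if __name__ == "__main__":
    line = single_line(SPLIT_FORM)
    print(line)
    print(check_filter(split_option(line)[1]) or "filter looks well-formed")
```

Running `check_filter` on the value before joining reports the stray backslashes, which is what the filter would contain if a parser passed the continuation characters through literally.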


[SSSD-users] Re: ad_access_filter and splitting group listing with backslash

2018-10-05 Thread Michal Židek

On 09/27/2018 10:55 PM, Tom wrote:

> FYI tested this and though it doesn’t work for ad_access_filter it does for the
> ldap_access_filter. Any reason why one works but not the other?


Hi,

I would like to see logs in this case in order to
understand where the issue may be.

If the sssd does not even start and logs show that the option
could not be parsed then it could be an issue in libini.

If it fails later then maybe we handle the multiline option
badly in SSSD.

Also I am not sure what 'doesn't work' in this context means. Is
the filter not effective or is SSSD failing to start/do some
operation?

Thanks,
Michal



> Cheers,
> Tom
>
> Sent from my iPhone
>
> > On Sep 26, 2018, at 12:11 AM, TomK wrote:
> >
> > Hey All,
> >
> > Given this example below which spans the entire line:
> >
> > ad_access_filter = (|(memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of-managers,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of-minions,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of-analysts,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of-limited,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of-viewers,OU=XYZ,DC=blah,DC=blah,DC=blah))
> >
> > Has anyone tried to use a backslash to split the line like this?
> >
> > ad_access_filter = (| \
> > (memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah) \
> > (memberOf=CN=group-of-managers,OU=XYZ,DC=blah,DC=blah,DC=blah) \
> > (memberOf=CN=group-of-minions,OU=XYZ,DC=blah,DC=blah,DC=blah) \
> > (memberOf=CN=group-of-analysts,OU=XYZ,DC=blah,DC=blah,DC=blah) \
> > (memberOf=CN=group-of-limited,OU=XYZ,DC=blah,DC=blah,DC=blah) \
> > (memberOf=CN=group-of-viewers,OU=XYZ,DC=blah,DC=blah,DC=blah))
> >
> > Or would the backslashes get interpreted when SSSD reads the file?
> >
> > --
> > Cheers,
> > Tom K.

[SSSD-users] Re: ad_access_filter and splitting group listing with backslash

2018-09-27 Thread Tom
FYI tested this and though it doesn’t work for ad_access_filter it does for the 
ldap_access_filter. Any reason why one works but not the other?

Cheers,
Tom

Sent from my iPhone

> On Sep 26, 2018, at 12:11 AM, TomK wrote:
> 
> Hey All,
> 
> Given this example below which spans the entire line:
> 
> ad_access_filter = (|(memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of-managers,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of-minions,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of-analysts,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of-limited,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of-viewers,OU=XYZ,DC=blah,DC=blah,DC=blah))
> 
> Has anyone tried to use a backslash to split the line like this?
> 
> ad_access_filter = (| \
> (memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah) \
> (memberOf=CN=group-of-managers,OU=XYZ,DC=blah,DC=blah,DC=blah) \
> (memberOf=CN=group-of-minions,OU=XYZ,DC=blah,DC=blah,DC=blah) \
> (memberOf=CN=group-of-analysts,OU=XYZ,DC=blah,DC=blah,DC=blah) \
> (memberOf=CN=group-of-limited,OU=XYZ,DC=blah,DC=blah,DC=blah) \
> (memberOf=CN=group-of-viewers,OU=XYZ,DC=blah,DC=blah,DC=blah))
> 
> Or would the backslashes get interpreted when SSSD reads the file?
> 
> -- 
> Cheers,
> Tom K.