Re: [Freeipa-users] Freeipa and limiting access by group (memberOf)
On Thu, May 18, 2017 at 10:37:57AM -0600, Janet Houser wrote:
> On 5/17/17 9:22 AM, Jakub Hrozek wrote:
> > On Tue, May 16, 2017 at 07:56:38AM -0600, Janet Houser wrote:
> > > Hi Folks,
> > >
> > > Last week I deployed freeipa on a CentOS7 VM. The installation went very
> > > smoothly using:
> > >
> > > yum install ipa-server
> > >
> > > and
> > >
> > > ipa-server-install
> > >
> > > My issue is with connecting a CentOS 7 client. On my client, I yum
> > > installed ipa-client and ipa-admintools.
> > > I then ran "ipa-client-install" and answered the setup questions (very
> > > easy and smooth).
> > >
> > > The "getent passwd" command didn't return any users, but the "getent passwd
> > > jdoe" does give the information for the user. I found in the archives that
> > > I can set "enumerate=True" so I get a complete user listing. That seems to
> > > be working, and I was able to login with the account "jdoe" (brilliant!).
> >
> > I would discourage enumeration especially if you're planning on a large
> > domain. The performance right now is not great. Moreover, the way the
> > trusted accounts are retrieved doesn't support enumeration at all
> > either.
>
> Copy that. Enumeration is set to true just for testing. It will be
> disabled later.
>
> > > Problem 1:
> > >
> > > I created a user group on the ipa server with the following attributes:
> > >
> > > name = xyx, gid = 1000
> > >
> > > I changed the user "jdoe" to have gid = 1000, but when I ssh into the ipa
> > > client, I get the following message after logging in:
> > >
> > > /usr/bin/id: cannot find name for group ID 1000
> > >
> > > A "getent group" command does list the group: xyz:*:1000:
> > >
> > > A "groups" command issued by the user shows: xyz
> > >
> > > Files created by the user show the correct ownership and group.
> >
> > I would first try to remove the sssd caches because uid/gid renumbering
> > doesn't work great. If that doesn't help, please check the sssd logs.
>
> Didn't work, and the logs aren't really being helpful, but I'll dig further.

Feel free to paste some sanitized snippet here..

> > By the way, 1000 is quite low and would most probably clash with local
> > accounts. I would strongly suggest to stick to ID numbers within the
> > configured ID range (ipa idrange-find)
> >
> > > Problem 2:
> > > ===
> > >
> > > I've been looking through the freeipa groups and literature and I can't
> > > figure out how to limit user login access to an ipa client by a memberOf
> > > group.
> > >
> > > When I was using CentOS 6 and 7 I could use the nslcd.conf file to put in
> > > a group filter like:
> > >
> > > passwd
> > > (&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu))
> > >
> > > I tried changing the access_provider to simple and using the
> > > "simply_allow_groups = test", but that didn't work.
> > > However, using "access_provider = ipa" and "filter_users" did allow me to
> > > filter out a user from the "getent passwd" command.
> > >
> > > I tried changing the access_provider to ldap and using the filter
> > > "ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu"
> > > but that failed too.
> >
> > Please check out "ipa help hbac"
>
> I just realized hbac is host based access control. I can't really use this
> since I need to restrict certain users to resources. Since freeipa is based
> on directory server 389, I'm assuming it can do group / memberOf filtering.

What are the resources we're talking about here?

> Any suggestions would be appreciated.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Freeipa and limiting access by group (memberOf)
On Tue, May 16, 2017 at 07:56:38AM -0600, Janet Houser wrote:
> Hi Folks,
>
> Last week I deployed freeipa on a CentOS7 VM. The installation went very
> smoothly using:
>
> yum install ipa-server
>
> and
>
> ipa-server-install
>
> My issue is with connecting a CentOS 7 client. On my client, I yum
> installed ipa-client and ipa-admintools.
> I then ran "ipa-client-install" and answered the setup questions (very
> easy and smooth).
>
> The "getent passwd" command didn't return any users, but the "getent passwd
> jdoe" does give the information for the user. I found in the archives that
> I can set "enumerate=True" so I get a complete user listing. That seems to
> be working, and I was able to login with the account "jdoe" (brilliant!).

I would discourage enumeration especially if you're planning on a large
domain. The performance right now is not great. Moreover, the way the
trusted accounts are retrieved doesn't support enumeration at all either.

> Problem 1:
>
> I created a user group on the ipa server with the following attributes:
>
> name = xyx, gid = 1000
>
> I changed the user "jdoe" to have gid = 1000, but when I ssh into the ipa
> client, I get the following message after logging in:
>
> /usr/bin/id: cannot find name for group ID 1000
>
> A "getent group" command does list the group: xyz:*:1000:
>
> A "groups" command issued by the user shows: xyz
>
> Files created by the user show the correct ownership and group.

I would first try to remove the sssd caches because uid/gid renumbering
doesn't work great. If that doesn't help, please check the sssd logs.

By the way, 1000 is quite low and would most probably clash with local
accounts. I would strongly suggest to stick to ID numbers within the
configured ID range (ipa idrange-find)

> Problem 2:
> ===
>
> I've been looking through the freeipa groups and literature and I can't
> figure out how to limit user login access to an ipa client by a memberOf
> group.
>
> When I was using CentOS 6 and 7 I could use the nslcd.conf file to put in
> a group filter like:
>
> passwd
> (&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu))
>
> I tried changing the access_provider to simple and using the
> "simply_allow_groups = test", but that didn't work.
> However, using "access_provider = ipa" and "filter_users" did allow me to
> filter out a user from the "getent passwd" command.
>
> I tried changing the access_provider to ldap and using the filter
> "ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu"
> but that failed too.

Please check out "ipa help hbac"
[Freeipa-users] Freeipa and limiting access by group (memberOf)
Hi Folks,

Last week I deployed freeipa on a CentOS7 VM. The installation went very
smoothly using:

yum install ipa-server

and

ipa-server-install

My issue is with connecting a CentOS 7 client. On my client, I yum
installed ipa-client and ipa-admintools.
I then ran "ipa-client-install" and answered the setup questions (very
easy and smooth).

The "getent passwd" command didn't return any users, but the "getent passwd
jdoe" does give the information for the user. I found in the archives that
I can set "enumerate=True" so I get a complete user listing. That seems to
be working, and I was able to login with the account "jdoe" (brilliant!).

Problem 1:

I created a user group on the ipa server with the following attributes:

name = xyx, gid = 1000

I changed the user "jdoe" to have gid = 1000, but when I ssh into the ipa
client, I get the following message after logging in:

/usr/bin/id: cannot find name for group ID 1000

A "getent group" command does list the group: xyz:*:1000:

A "groups" command issued by the user shows: xyz

Files created by the user show the correct ownership and group.

Problem 2:
===

I've been looking through the freeipa groups and literature and I can't
figure out how to limit user login access to an ipa client by a memberOf
group.

When I was using CentOS 6 and 7 I could use the nslcd.conf file to put in
a group filter like:

passwd
(&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu))

I tried changing the access_provider to simple and using the
"simply_allow_groups = test", but that didn't work.
However, using "access_provider = ipa" and "filter_users" did allow me to
filter out a user from the "getent passwd" command.

I tried changing the access_provider to ldap and using the filter
"ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu"
but that failed too.

I'd appreciate any suggestions

Thanks,
- signed an "ipa newbie"
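The two sssd.conf attempts quoted in this thread (the simple provider with a "simply_allow_groups" line, and the ldap provider with a memberOf filter) can be checked before restarting sssd. The linter below is an added example, not code from the thread or from the SSSD project; it assumes the option names documented in sssd-simple(5) (the documented spelling is simple_allow_groups), a constructed domain section named after the DN in the question, and treats a memberOf filter as memberOf=<DN> where the DN is a comma-separated list of attr=value RDNs.

```python
import configparser
import re
# Constructed sssd.conf fragments for this example. BROKEN_CONF carries the settings
# from the question ("simply_allow_groups", enumerate=True); FIXED_CONF is sssd-simple(5)'s spelling.
BROKEN_CONF = """
[domain/abc.xyx.edu]
id_provider = ipa
access_provider = simple
simply_allow_groups = test
enumerate = True
"""
FIXED_CONF = """
[domain/abc.xyx.edu]
id_provider = ipa
access_provider = simple
simple_allow_groups = test
"""
# Options the simple access provider understands (sssd-simple(5)).
SIMPLE_OPTS = {"simple_allow_users", "simple_deny_users",
               "simple_allow_groups", "simple_deny_groups"}
RDN = re.compile(r"\s*[A-Za-z][\w.-]*=[^=,]+\s*")  # one attr=value RDN, no stray '='

def memberof_filter_ok(flt):
    """True if flt is memberOf=<DN> (optionally parenthesised) and the DN is a
    comma-separated list of RDNs; the question's filter has '=' where ',' belongs."""
    m = re.fullmatch(r"\(?memberof=(.+?)\)?", flt.strip(), re.IGNORECASE)
    return bool(m) and all(RDN.fullmatch(p) for p in m.group(1).split(","))

def lint_access_config(conf_text):
    """Return (section, message) findings for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    out = []
    for sec in cp.sections():
        if not sec.startswith("domain/"):
            continue
        d = cp[sec]
        if d.get("enumerate", "false").lower() == "true":
            out.append((sec, "enumerate=True is slow on large domains; disable it"))
        prov = d.get("access_provider", "permit")  # sssd's default is permit
        if prov == "simple":
            if not SIMPLE_OPTS & set(d):
                out.append((sec, "access_provider=simple without a simple_* rule allows everyone"))
            for k in d:
                if k.startswith("simpl") and k not in SIMPLE_OPTS:
                    out.append((sec, f"unknown option {k!r}; did you mean simple_allow_groups?"))
        elif prov == "ldap" and not memberof_filter_ok(d.get("ldap_access_filter", "")):
            out.append((sec, "ldap_access_filter missing or not a well-formed memberOf=<DN> filter"))
    return out
```

Run lint_access_config() on the text of /etc/sssd/sssd.conf; an empty list means the access-control stanza passed these checks.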