On Tue, Jun 04, 2013 at 11:12:54AM -0400, Dmitri Pal wrote:
> On 06/04/2013 10:13 AM, Bryan Harris wrote:
> > Hi all,
> >
> > I have the following lines in my file /etc/security/access.conf for
> > the purpose of my testing.
> >
> > - : bryan.harris.adm : ALL
> > - : ALL : ALL
> >
> > When I place the following into /etc/pam.d/sshd I can prevent my
> > login. The error is "pam_access(sshd:account): access denied for user
> > `bryan.harris.adm' from" which looks like exactly what I want to see.
> >
> > account required pam_access.so
> >
> > When I place the following into /etc/pam.d/sshd I can once again login
> > just fine and access.conf seems to be ignored.
> >
> > account required pam_access.so listsep=,
> >
> > The motivation is that I want to only allow the AD group "Linux
> > Admins" (without quotes) to be able to login. So eventually I want to
> > get a line like - : @Linux Admins : ALL into my
> > /etc/security/access.conf file.
> >
> > Can anyone explain how I can make this work properly? I doubt I can
> > convince the Windows guys to not use spaces in their group names but I
> > could try.
> >
> > Or is it better for me to just use ldap_access_filter and leave the
> > security up to sssd? The reason I looked into access.conf was to have
> > another security layer "just in case", but if that's redundant and
> > unnecessary then I suppose I don't need any of this anyway.
>
> ldap_access_filter seems like the right approach here. I think the
> example in the sssd-ldap man page shows the exact line that you are
> looking for
>
> access_provider = ldap
> ldap_access_filter = memberOf=cn=Linux Admins,ou=Groups,dc=example,dc=com
Yes, this would work. You can also take a look at the "simple" access provider (man sssd-simple).
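To see why a group name containing a space is awkward under the default list separator, here is a toy model of access.conf tokenization added for this thread (it is not pam_access's code and not from sssd). It assumes strtok(3)-style splitting where separator runs are skipped but list items are not otherwise trimmed, ignores the origins field and EXCEPT, and uses constructed config lines and users; whether the real module trims padding is an assumption, so the safe form with listsep=, is to write items without surrounding spaces.

```python
"""Toy model of /etc/security/access.conf evaluation for this thread; NOT
pam_access itself.  Lines are  permission : users : origins  (the last
field may contain ':').  Items in the users field split on the listsep
characters strtok(3)-style: separator runs are skipped, nothing else is
trimmed (an assumption).  Origins and EXCEPT are ignored; first matching
line wins and, as with pam_access, no matching line means access is granted."""
import re

DEFAULT_LISTSEP = " \t"  # space and tab: what the thread's first test used


def split_items(field, listsep):
    """Tokenize a users field on the listsep characters, dropping empties."""
    return [t for t in re.split("[" + re.escape(listsep) + "]+", field) if t]


def item_matches(item, user, groups):
    """ALL matches everyone, @name matches a group, anything else a login."""
    if item == "ALL":
        return True
    if item.startswith("@"):
        return item[1:] in groups
    return item == user


def evaluate(conf, user, groups, listsep=DEFAULT_LISTSEP):
    """Return 'allow' or 'deny' for user with the given group memberships."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0]
        fields = line.split(":", 2)
        if not line.strip() or len(fields) != 3:
            continue  # blank, comment-only, or bad field count: skipped
        perm, users, _origins = fields
        if perm.strip() not in ("+", "-"):
            continue  # malformed permission field: skipped
        if any(item_matches(i, user, groups) for i in split_items(users, listsep)):
            return "allow" if perm.strip() == "+" else "deny"
    return "allow"


# Constructed inputs: the thread's two test lines, then an allow-only policy
# for the "Linux Admins" group written with and without padding spaces.
THREAD_CONF = "- : bryan.harris.adm : ALL\n- : ALL : ALL\n"
SPACED_CONF = "+ : @Linux Admins : ALL\n- : ALL : ALL\n"
TIGHT_CONF = "+:@Linux Admins:ALL\n-:ALL:ALL\n"

if __name__ == "__main__":
    print(evaluate(THREAD_CONF, "bryan.harris.adm", set()))       # deny
    print(evaluate(THREAD_CONF, "bryan.harris.adm", set(), ","))  # allow: items keep padding
    print(split_items("@Linux Admins", DEFAULT_LISTSEP))          # ['@Linux', 'Admins']
    print(evaluate(TIGHT_CONF, "alice", {"Linux Admins"}, ","))   # allow
    print(evaluate(TIGHT_CONF, "bob", {"Developers"}, ","))       # deny
```

With ldap_access_filter the group check happens inside sssd against the directory instead, so the separator question does not arise there.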