[SSSD-users] Re: sssd performance on large domains

2016-11-30 Thread zfnoctis
Here are some more runs of nested_group_perf.stp. Running fc25 workstation, kernel 4.8.8-300.fc25.x86_64, gnome desktop. Noticed a small issue with the SystemTap script

[SSSD-users] Re: Allow user to login only when backend offline

2016-11-30 Thread Michael Ströder
Mario Rossi wrote: > Emergency users should be used when LDAP fails and there is no other way to > get access to the box via ssh. Yes. > I can recall an incident a few years ago where an > admin deleted the bigip_monitoring user thinking that the account is not used. > You would think that

[SSSD-users] Re: generating sss_obfuscate passwords

2016-11-30 Thread Michael Ströder
Mario Rossi wrote: > I think this is the way to go - slapd config to allow certain groups to write > to the tree via dn.regex. Æ-DIR does not rely on host name convention or DIT structure because this is too inflexible in practice. Instead the ACLs work their way along the EER which also allows

[SSSD-users] Re: Allow user to login only when backend offline

2016-11-30 Thread Mario Rossi
On 11/30/2016 02:47 PM, Michael Ströder wrote: Mario Rossi wrote: I understand your pain, I have the same issue. We have a local emergency user in /etc/passwd and initially when we deployed servers everything was good. And then people started to use emergency user on a daily basis 1. Make

[SSSD-users] Re: generating sss_obfuscate passwords

2016-11-30 Thread Mario Rossi
Thanks Michael, I think this is the way to go - slapd config to allow certain groups to write to the tree via dn.regex. Thank you for the link. Mario On 11/30/2016 02:50 PM, Michael Ströder wrote: Mario Rossi wrote: Thank you for the information. We use both Puppet and Ansible to manage our

[SSSD-users] Re: generating sss_obfuscate passwords

2016-11-30 Thread Mario Rossi
We're running 1.13.3 with the exception of a couple of hosts where sudo rules are kept in ldap and where we had to install 1.14.2 from unofficial repos. We had to do that because of random sudo issues in 1.13. On prod I would rather stay on the same version as official repo and not

[SSSD-users] Re: generating sss_obfuscate passwords

2016-11-30 Thread Michael Ströder
Mario Rossi wrote: > Thank you for the information. We use both Puppet and Ansible to manage our > servers. Let me add more details: > > 1. An admin will build 10 new servers via cobbler and use puppet to deploy > settings > 2. The admin will create a ticket to SecurityTeam who manages > openldap

[SSSD-users] Re: Allow user to login only when backend offline

2016-11-30 Thread Michael Ströder
Mario Rossi wrote: > I understand your pain, I have the same issue. We have a local emergency user > in /etc/passwd and initially when we deployed servers everything was good. > And then people started to use emergency user on a daily basis 1. Make sure there's an organizational process to

[SSSD-users] Re: generating sss_obfuscate passwords

2016-11-30 Thread Michael Ströder
Jakub Hrozek wrote: > On Wed, Nov 30, 2016 at 09:41:51AM -0500, Mario Rossi wrote: >> sss_obfuscate is used locally on servers to replace clear text passwords in >> sssd.conf. > > This is really not an SSSD question, but a generic > deployment/configuration question, so whatever you use to push

[SSSD-users] Re: Allow user to login only when backend offline

2016-11-30 Thread Mario Rossi
Kevin, I understand your pain, I have the same issue. We have a local emergency user in /etc/passwd and initially when we deployed servers everything was good. And then people started to use emergency user on a daily basis instead of their ldap accounts to bypass any ldap restrictions or

[SSSD-users] Re: generating sss_obfuscate passwords

2016-11-30 Thread Jakub Hrozek
On Wed, Nov 30, 2016 at 11:01:51AM -0500, Mario Rossi wrote: > Jakub, > > Thank you for the information. We use both Puppet and Ansible to manage our > servers. Let me add more details: > > 1. An admin will build 10 new servers via cobbler and use puppet to deploy > settings > 2. The admin will

[SSSD-users] Re: generating sss_obfuscate passwords

2016-11-30 Thread Mario Rossi
Jakub, Thank you for the information. We use both Puppet and Ansible to manage our servers. Let me add more details: 1. An admin will build 10 new servers via cobbler and use puppet to deploy settings 2. The admin will create a ticket to SecurityTeam who manages openldap to create 10 new

[SSSD-users] Re: sssd_be

2016-11-30 Thread Jakub Hrozek
On Wed, Nov 30, 2016 at 07:14:17AM -0800, Ali, Saqib wrote: > Thanks Jakub. The diagram on your blogpost is really nice. > > So the Sudo Rules are cached by the NSS Responder (sssd_nss)? No, the back end retrieves them from the server and stores the rules into the ldb cache and the sssd_sudo

[SSSD-users] Re: sssd_be

2016-11-30 Thread Ali, Saqib
Thanks Jakub. The diagram on your blogpost is really nice. So the Sudo Rules are cached by the NSS Responder (sssd_nss)? On Wed, Nov 30, 2016 at 7:08 AM, Jakub Hrozek wrote: > On Wed, Nov 30, 2016 at 06:48:59AM -0800, Ali, Saqib wrote: >> Newbie question: What does

[SSSD-users] Re: sssd_be

2016-11-30 Thread Jakub Hrozek
On Wed, Nov 30, 2016 at 06:48:59AM -0800, Ali, Saqib wrote: > Newbie question: What does the be stand for in sssd_be? Back End. > And what is > the function of the sssd_be? https://fedorahosted.org/sssd/wiki/InternalsDocs or https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/

[SSSD-users] Re: generating sss_obfuscate passwords

2016-11-30 Thread Jakub Hrozek
On Wed, Nov 30, 2016 at 09:41:51AM -0500, Mario Rossi wrote: > Hi, > > sss_obfuscate is used locally on servers to replace clear text passwords in > sssd.conf. In our environment we have hundreds of servers and what I usually > do is manually generate the password on a test server. I would like

[SSSD-users] sssd_be

2016-11-30 Thread Ali, Saqib
Newbie question: What does the be stand for in sssd_be? And what is the function of the sssd_be?

[SSSD-users] generating sss_obfuscate passwords

2016-11-30 Thread Mario Rossi
Hi, sss_obfuscate is used locally on servers to replace clear text passwords in sssd.conf. In our environment we have hundreds of servers and what I usually do is manually generate the password on a test server. I would like to automate ldap_default_authtok via a php interface or API. This

[SSSD-users] Re: Allow user to login only when backend offline

2016-11-30 Thread Kevin Sullivan
On Tue, Nov 29, 2016 at 5:45 AM, Michael Ströder wrote: > Jakub Hrozek wrote: > > On Tue, Nov 29, 2016 at 03:40:26AM -, kevin4sulli...@gmail.com > wrote: > >> I don't want to > >> cache credentials and I can't guarantee that the account will have been > >> used to login

[SSSD-users] Re: Allow user to login only when backend offline

2016-11-30 Thread Lukas Slebodnik
On (30/11/16 05:47), Simo Sorce wrote: >On Wed, 2016-11-30 at 00:22 +0100, Lukas Slebodnik wrote: >> On (29/11/16 23:05), Michael Ströder wrote: >> >Jakub Hrozek wrote: >> >> Would "sss_seed" help here to add a temporary password for >> >> some 'operator' account even if this operator never logged

[SSSD-users] Re: Allow user to login only when backend offline

2016-11-30 Thread Simo Sorce
On Wed, 2016-11-30 at 00:22 +0100, Lukas Slebodnik wrote: > On (29/11/16 23:05), Michael Ströder wrote: > >Jakub Hrozek wrote: > >> Would "sss_seed" help here to add a temporary password for > >> some 'operator' account even if this operator never logged > >> in? e.g.