On Mon, May 07, 2012 at 02:12:23PM +0200, Angel Bosch wrote:
> > No, there is no variable substitution possible at the moment.
> >
>
> so do you plan to implement it? should I file a bug?
>

Feel free to file an RFE..although in the case you are trying to solve, it wouldn't help you anyway and I'm not sure if it's useful in general.

The ldap_access_filter is anded with a "base filter" inside the SSSD, which looks something like this, depending on your schema:

    (cn=$username)(objectclass=posixUser)

Then the SSSD performs a search with the complete filter and allows access only if the search yields a single result. In your specific case, the complete filter would look something like this:

    (&((cn=$username)(objectclass=posixUser)(&(cn=sysadmins)(memberuid=$USER))))

Which wouldn't do what you seem to want, i.e. only allow members of the sysadmins group. Unfortunately if you're using the RFC2307 schema, there is no simple way to create a filter that would point to a specific group.

>
> > Depending on what you are trying to achieve (sounds to me like you wanted
> > to only allow members of the sysadmin group?), would the simple access
> > provider be a better choice?
> >
>
> for some machines this would be enough. must i "stack" providers? can you
> point me to an example using ldap and simple providers?
>

Providers cannot be stacked, sorry, there can only be one provider in a domain. You can, however, define two domains that point to the same servers and differ by the access provider value only.
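
The two-domain arrangement described in the reply above, written out as an added example that is not from the original thread or from the SSSD project. The domain names, server URI, search base and the employeeType filter are constructed placeholders, and listing only one of the two domains in `domains` on a given machine is an assumption about how the definitions would be deployed.

```ini
[sssd]
config_file_version = 2
services = nss, pam
# Assumption: this machine wants group-based access, so only the "simple"
# variant is active. A machine that needs the LDAP filter instead would
# list LDAP_FILTERED here.
domains = LDAP_SIMPLE

# Variant 1: access decided by the simple access provider.
[domain/LDAP_SIMPLE]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307
access_provider = simple
# Only members of this group are allowed access.
simple_allow_groups = sysadmins

# Variant 2: same servers, access decided by ldap_access_filter.
[domain/LDAP_FILTERED]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307
access_provider = ldap
# The filter is combined with the base filter and matched against the
# user's own entry, so it can only test attributes stored on that entry.
# employeeType=admin is a constructed placeholder attribute/value.
ldap_access_filter = (employeeType=admin)
```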