On Tue, Jul 29, 2014 at 01:53:17PM +0000, Sterling Sahaydak wrote:
>  Hi Jakub,
> 
> I'm not sure if simple access is what I need.
> 
> I have setup in LDAP:
> 
> cn=allowedusers, ou=Groups
> - using attribute: memberUid - and adding the users uid here.

OK

> 
> ou=Employees, ou=People
> - in Employees have users with objectClass: inetOrgPerson, posixAccount

OK

> 
> ou=sudoers
> - here have objectClass: sudoRole and creating cn= <username from Employees>
> and sudoUser = <username>

sudo has nothing to do with access control.

> 
> and also have a LDAP Proxy to Active Directory:
> (*Note:  for now, I'm commenting this section out and not connecting, but
> need to consider this to activate later)
> - using this setup in slapd.conf:
>     database        ldap
>     suffix          "ou=Users,ou=adgroup,dc=ad,dc=something,dc=net"
>     uri             ldap://ad1.something.net/
>     rebind-as-user
>     idassert-bind   bindmethod=simple
> binddn="cn=bindingacctname,ou=users,ou=adgroup,dc=ad,dc=something,dc=net"
>                 credentials="<password>"
>                 mode=none
>     idassert-authzFrom "*"
>     chase-referrals yes
>     subordinate
> 
> So, not sure if simple binding would be correct thing to do???

Again, not directly connected to access control.

When you configured sssd.conf with the access_provider, what exactly
were you trying to achieve? What are the expectations on who should be
able to log in to the machine?
_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

Reply via email to