When you configured sssd.conf with the access_provider, what exactly
were you trying to achieve? What are the expectations on who should be
able to log in to the machine?

*Trying to achieve those users who have sudoers role be allowed to ssh.
In SudoRole I have 'All' allowed for sudoCommand.

By having the cn=allowedusers in ou=Groups, I can add users from ou=Employees and assign the attribute: memberUid in allowedusers the list of users sudo rights.

FYI - ldapsearch works in retrieving everything correctly as needed.



------ Original Message ------
From: "Jakub Hrozek" <[email protected]>
To: [email protected]
Sent: 7/29/2014 10:37:46 AM
Subject: Re: [SSSD] Trying to ssh with sssd/pam configuration

On Tue, Jul 29, 2014 at 01:53:17PM +0000, Sterling Sahaydak wrote:
  Hi Jakub,

 I'm not sure if simple access is what I need.

 I have setup in LDAP:

 cn=allowedusers, ou=Groups
 - using attribute: memberUid - and adding the users uid here.

OK


 ou=Employees, ou=People
- in Employees have users with objectClass: inetOrgPerson, posixAccount

OK


 ou=sudoers
- here have objectClass: sudoRole and creating cn= <username from Employees>
 and sudoUser = <username>

sudo has nothing to do with access control.


 and also have a LDAP Proxy to Active Directory:
(*Note: for now, I'm commenting this section out and not connecting, but
 need to consider this to activate later)
 - using this setup in slapd.conf:
     database ldap
     suffix "ou=Users,ou=adgroup,dc=ad,dc=something,dc=net"
     uri ldap://ad1.something.net/
     rebind-as-user
     idassert-bind bindmethod=simple
binddn="cn=bindingacctname,ou=users,ou=adgroup,dc=ad,dc=something,dc=net"
                 credentials="<password>"
                 mode=none
     idassert-authzFrom "*"
     chase-referrals yes
     subordinate

 So, not sure if simple binding would be correct thing to do???

Again, not directly connected to access control.

When you configured sssd.conf with the access_provider, what exactly
were you trying to achieve? What are the expectations on who should be
able to log in to the machine?
_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

Reply via email to