Thanks again Jakub for replying.

Looking into the documentation I see: (I know you know this by heart)

http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/chap-SSSD_User_Guide-Setting_Up_SSSD.html

*As you mentioned for the 'Simple Access Provider' - I would need to provide a list of 'simple_allow_users = ' and manually update this frequently, which is what I'm trying to avoid.

So, looking into:

8.2.3.2.3.2. The LDAP Access Provider -

The second access control solution uses the LDAP server itself as the access provider (access_provider=ldap) and the associated filter option (ldap_access_filter) to specify which users are granted access to the specified host. Note that these two options are codependent; if you use LDAP as your access provider then you must specify a value for the ldap_access_filter option, otherwise all users will be denied access...

This is what I have:

[domain/LDAP]
access_provider = ldap
auth_provider = ldap
chpass_provider = ldap
id_provider = ldap
sudo_provider = ldap
debug_level = 7
cache_credentials = true
enumerate = false

ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=something,dc=net
ldap_search_base = dc=something,dc=net
ldap_sudo_search_base = ou=sudoers,dc=something,dc=net


I have commented out:
#ldap_user_search_base = ou=Employees,dc=something,dc=net
#ldap_group_search_base = ou=Groups,dc=something,dc=net

Do I need to add these 2 lines back in? (* you mention below: ldap_access_filter is that it's combined with the usual user lookup filter)

Or change?

ldap_access_filter = (&(ldap_access_filter_value)(objectclass=posixAccount)(cn=username))


Thanks!!!

------ Original Message ------
From: "Jakub Hrozek" <[email protected]>
To: [email protected]
Sent: 7/30/2014 5:05:37 AM
Subject: Re: [SSSD] Trying to ssh with sssd/pam configuration

On Tue, Jul 29, 2014 at 02:48:06PM +0000, Sterling Sahaydak wrote:
 When you configured sssd.conf with the access_provider, what exactly
were you trying to achieve? What are the expectations on who should be
 able to log in to the machine?

The point of the ldap_access_filter is that it's combined with the usual
user lookup filter:
(&(ldap_access_filter_value)(objectclass=posixAccount)(cn=username))

If you insist on using the ldap_access_filter, there needs to be a link
from the user to whatever group you want to restrict access as. So far I
only see a link the other way in your setup, since you're using the
RFC2307 schema with memberuid: $username attributes.


*Trying to achieve those users who have sudoers role be allowed to ssh.
 In SudoRole I have 'All' allowed for sudoCommand.

 By having the cn=allowedusers in ou=Groups, I can add users from
ou=Employees and assign the attribute: memberUid in allowedusers the list of
 users sudo rights.

But still, sounds like you should be fine restricting access to members of
allowedusers with the simple access provider..


 FYI - ldapsearch works in retrieving everything correctly as needed.



 ------ Original Message ------
 From: "Jakub Hrozek" <[email protected]>
 To: [email protected]
 Sent: 7/29/2014 10:37:46 AM
 Subject: Re: [SSSD] Trying to ssh with sssd/pam configuration

 >On Tue, Jul 29, 2014 at 01:53:17PM +0000, Sterling Sahaydak wrote:
 >> Hi Jakub,
 >>
 >> I'm not sure if simple access is what I need.
 >>
 >> I have setup in LDAP:
 >>
 >> cn=allowedusers, ou=Groups
 >> - using attribute: memberUid - and adding the users uid here.
 >
 >OK
 >
 >>
 >> ou=Employees, ou=People
>> - in Employees have users with objectClass: inetOrgPerson, posixAccount
 >
 >OK
 >
 >>
 >> ou=sudoers
 >> - here have objectClass: sudoRole and creating cn= <username from
 >>Employees>
 >> and sudoUser = <username>
 >
 >sudo has nothing to do with access control.
 >
 >>
 >> and also have a LDAP Proxy to Active Directory:
>> (*Note: for now, I'm commenting this section out and not connecting,
 >>but
 >> need to consider this to activate later)
 >> - using this setup in slapd.conf:
 >> database ldap
 >> suffix "ou=Users,ou=adgroup,dc=ad,dc=something,dc=net"
 >> uri ldap://ad1.something.net/
 >> rebind-as-user
 >> idassert-bind bindmethod=simple
>>binddn="cn=bindingacctname,ou=users,ou=adgroup,dc=ad,dc=something,dc=net"
 >> credentials="<password>"
 >> mode=none
 >> idassert-authzFrom "*"
 >> chase-referrals yes
 >> subordinate
 >>
 >> So, not sure if simple binding would be correct thing to do???
 >
 >Again, not directly connected to access control.
 >
 >When you configured sssd.conf with the access_provider, what exactly
>were you trying to achieve? What are the expectations on who should be
 >able to log in to the machine?
 >_______________________________________________
 >sssd-devel mailing list
 >[email protected]
 >https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

 _______________________________________________
 sssd-devel mailing list
 [email protected]
 https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

Reply via email to