On Wed, Jul 30, 2014 at 02:44:03PM +0000, Sterling Sahaydak wrote: > Thanks again Jakub for replying. > > Looking into the documentation I see: (I know you know this by heart) > > http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/chap-SSSD_User_Guide-Setting_Up_SSSD.html > > *As you mentioned for the 'Simple Access Provider' - I would need to provide > a list of 'simple_allow_users = ' and manually update this frequently, which > is what I'm trying to avoid.
I was proposing simple_allow_groups, not simple_allow_users :-) > > So, looking into: > > 8.2.3.2.3.2. The LDAP Access Provider - > > The second access control solution uses the LDAP server itself as the access > provider (access_provider=ldap) and the associated filter option > (ldap_access_filter) to specify which users are granted access to the > specified host. Note that these two options are codependent; if you use LDAP > as your access provider then you must specify a value for the > ldap_access_filter option, otherwise all users will be denied access... > > This is what I have: > > [domain/LDAP] > access_provider = ldap > auth_provider = ldap > chpass_provider = ldap > id_provider = ldap > sudo_provider = ldap > debug_level = 7 > cache_credentials = true > enumerate = false > > ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=something,dc=net This would work if your users have the memberof attribute. Do they? > ldap_search_base = dc=something,dc=net > ldap_sudo_search_base = ou=sudoers,dc=something,dc=net > > > I have commented out: > #ldap_user_search_base = ou=Employees,dc=something,dc=net > #ldap_group_search_base = ou=Groups,dc=something,dc=net > > Do I need to add these 2 lines back in? (* you mention below: > ldap_access_filter is that it's combined with the usual user lookup filter) > > Or change? > > ldap_access_filter = > (&(ldap_access_filter_value)(objectclass=posixAccount)(cn=username)) > > > Thanks!!! > > ------ Original Message ------ > From: "Jakub Hrozek" <[email protected]> > To: [email protected] > Sent: 7/30/2014 5:05:37 AM > Subject: Re: [SSSD] Trying to ssh with sssd/pam configuration > > >On Tue, Jul 29, 2014 at 02:48:06PM +0000, Sterling Sahaydak wrote: > >> When you configured sssd.conf with the access_provider, what exactly > >> were you trying to achieve? What are the expectations on who should be > >> able to log in to the machine? > > > >The point of the ldap_access_filter is that it's combined with the usual > >user lookup filter: > >(&(ldap_access_filter_value)(objectclass=posixAccount)(cn=username)) > > > >If you insist on using the ldap_access_filter, there needs to be a link > >from the user to whatever group you want to restrict access as. So far I > >only see a link the other way in your setup, since you're using the > >RFC2307 schema with memberuid: $username attributes. > > > >> > >> *Trying to achieve those users who have sudoers role be allowed to ssh. > >> In SudoRole I have 'All' allowed for sudoCommand. > >> > >> By having the cn=allowedusers in ou=Groups, I can add users from > >> ou=Employees and assign the attribute: memberUid in allowedusers the > >>list of > >> users sudo rights. > > > >But still, sounds like you should be fine restricting access to members of > >allowedusers with the simple access provider.. > > > >> > >> FYI - ldapsearch works in retrieving everything correctly as needed. > >> > >> > >> > >> ------ Original Message ------ > >> From: "Jakub Hrozek" <[email protected]> > >> To: [email protected] > >> Sent: 7/29/2014 10:37:46 AM > >> Subject: Re: [SSSD] Trying to ssh with sssd/pam configuration > >> > >> >On Tue, Jul 29, 2014 at 01:53:17PM +0000, Sterling Sahaydak wrote: > >> >> Hi Jakub, > >> >> > >> >> I'm not sure if simple access is what I need. > >> >> > >> >> I have setup in LDAP: > >> >> > >> >> cn=allowedusers, ou=Groups > >> >> - using attribute: memberUid - and adding the users uid here. > >> > > >> >OK > >> > > >> >> > >> >> ou=Employees, ou=People > >> >> - in Employees have users with objectClass: inetOrgPerson, > >>posixAccount > >> > > >> >OK > >> > > >> >> > >> >> ou=sudoers > >> >> - here have objectClass: sudoRole and creating cn= <username from > >> >>Employees> > >> >> and sudoUser = <username> > >> > > >> >sudo has nothing to do with access control. > >> > > >> >> > >> >> and also have a LDAP Proxy to Active Directory: > >> >> (*Note: for now, I'm commenting this section out and not connecting, > >> >>but > >> >> need to consider this to activate later) > >> >> - using this setup in slapd.conf: > >> >> database ldap > >> >> suffix "ou=Users,ou=adgroup,dc=ad,dc=something,dc=net" > >> >> uri ldap://ad1.something.net/ > >> >> rebind-as-user > >> >> idassert-bind bindmethod=simple > >>>>binddn="cn=bindingacctname,ou=users,ou=adgroup,dc=ad,dc=something,dc=net" > >> >> credentials="<password>" > >> >> mode=none > >> >> idassert-authzFrom "*" > >> >> chase-referrals yes > >> >> subordinate > >> >> > >> >> So, not sure if simple binding would be correct thing to do??? > >> > > >> >Again, not directly connected to access control. > >> > > >> >When you configured sssd.conf with the access_provider, what exactly > >> >were you trying to achieve? What are the expectations on who should be > >> >able to log in to the machine? > >> >_______________________________________________ > >> >sssd-devel mailing list > >> >[email protected] > >> >https://lists.fedorahosted.org/mailman/listinfo/sssd-devel > >> > >> _______________________________________________ > >> sssd-devel mailing list > >> [email protected] > >> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel > >_______________________________________________ > >sssd-devel mailing list > >[email protected] > >https://lists.fedorahosted.org/mailman/listinfo/sssd-devel > > _______________________________________________ > sssd-devel mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/sssd-devel _______________________________________________ sssd-devel mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
