On 08/22/2017 12:31 PM, Jakub Hrozek wrote:
On Tue, Aug 22, 2017 at 11:40:39AM +0200, Michal Židek wrote:
On 08/22/2017 11:21 AM, Michal Židek wrote:
On 08/21/2017 02:27 PM, Jakub Hrozek wrote:
Hi Michal and sssd-devel,

one of the RFEs that keeps coming up for SSSD is to provide a sort of an
'attestation report' for SSSD. Mostly the request is about printing who
can access this client machine.

I know that we fetch all the HBAC rules for a client with the IPA
provider, but Michal, you mentioned that it's problematic to do
something similar for the AD provider. Could you elaborate why? Would it
be possible to extend the AD access provider to fetch all GPOs that
match this client?


I am not sure what that attestation should look like. Could you
point me to a design page if we have one?

The way I understood it is that we want a list of ALL users
in AD with the label ALLOWED or DENIED. I am not sure if this is
possible to do without basically enumerating all users in AD
and doing the GPO evaluation for every single one of them.

If we just want to print the access control related rules
in GPO in some nice format, then it would be possible without
the enumeration.

My point is that making the ALLOW/DENY list could take a lot of time
even if we use cached GPOs. That was my main concern.

But again, maybe I misunderstood the RFE.

Michal
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

Also there is the question if we want to include users from all
trusted domains...

I think what could be done relatively easily is to feed some tool with
SIDs/fqdns of users/groups and make the list just for them/their
members. Would that be something we want?

Where would these come from? If the GPOs that perhaps.

The SIDs or names (probably just names) would be provided by the user
of the tool. I imagine something like this:

$ sssctl access-check --users f...@ad.com b...@ad.com
f...@ad.com    ALLOWED
b...@ad.test   DENIED

$ sssctl access-check --groups linuxus...@ad.com linuxspec...@ad.com
linuxus...@ad.com:
  f...@ad.com    ALLOWED
  b...@ad.com    DENIED
linuxspec...@ad.com:
  sp...@ad.com  ALLOWED
  sp...@ad.com  ALLOWED
  sp...@ad.com  ALLOWED
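To make the cost argument in this thread concrete, here is a small model of what the proposed `sssctl access-check` would have to compute. It is an added example, not SSSD code: it mimics the way the AD GPO access provider decides a PAM service (the deny logon right wins over the allow right, and a principal not listed anywhere is denied), but the user names, group memberships, and the resultant GPO lists are constructed sample data rather than anything fetched from a domain. The two entry points mirror the `--users` and `--groups` modes sketched above; `check_all_users` is the whole-domain "enumerate everything" variant that Michal expects to be slow.

```python
"""Toy model of the proposed `sssctl access-check` report (added example, not SSSD code).

Access decision modelled after SSSD's GPO-based access control for one
PAM service: a user is DENIED if the user or any of its groups is in the
deny logon right, ALLOWED if any is in the allow logon right, otherwise
DENIED.  All names and rights below are constructed sample data.
"""
from typing import Dict, List, Set, Tuple

# Constructed group membership (transitive closure already resolved, as the
# cache would hold it): user -> set of groups.
MEMBERSHIPS: Dict[str, Set[str]] = {
    "foo@ad.com": {"linuxusers@ad.com"},
    "bar@ad.com": {"linuxusers@ad.com", "contractors@ad.com"},
    "spam1@ad.com": {"linuxspecial@ad.com"},
    "spam2@ad.com": {"linuxspecial@ad.com"},
    "alice@ad.com": set(),
}

# Constructed resultant GPO settings for the ssh service.  SSSD maps the PAM
# service to an allow/deny pair of Windows logon rights; these are the ones
# used for remote interactive logon.
ALLOW: Set[str] = {"linuxusers@ad.com", "linuxspecial@ad.com"}
DENY: Set[str] = {"contractors@ad.com"}


def evaluate(user: str, memberships: Dict[str, Set[str]] = MEMBERSHIPS,
             allow: Set[str] = ALLOW, deny: Set[str] = DENY) -> str:
    """Decide one user: deny right takes precedence, then allow, else deny."""
    principals = {user} | memberships.get(user, set())
    if principals & deny:
        return "DENIED"
    if principals & allow:
        return "ALLOWED"
    return "DENIED"


def check_users(users: List[str], memberships: Dict[str, Set[str]] = MEMBERSHIPS,
                allow: Set[str] = ALLOW, deny: Set[str] = DENY) -> List[Tuple[str, str]]:
    """`--users` mode: one evaluation per requested user."""
    return [(u, evaluate(u, memberships, allow, deny)) for u in users]


def members_of(group: str, memberships: Dict[str, Set[str]] = MEMBERSHIPS) -> List[str]:
    """Invert the membership map to list a group's (transitive) members."""
    return sorted(u for u, groups in memberships.items() if group in groups)


def check_groups(groups: List[str], memberships: Dict[str, Set[str]] = MEMBERSHIPS,
                 allow: Set[str] = ALLOW, deny: Set[str] = DENY) -> Dict[str, List[Tuple[str, str]]]:
    """`--groups` mode: evaluate every member of each requested group."""
    return {g: check_users(members_of(g, memberships), memberships, allow, deny)
            for g in groups}


def check_all_users(memberships: Dict[str, Set[str]] = MEMBERSHIPS,
                    allow: Set[str] = ALLOW, deny: Set[str] = DENY) -> List[Tuple[str, str]]:
    """The full 'attestation' variant: enumerate every known user and evaluate
    each one.  Cost is linear in the number of users in the domain (and in
    every trusted domain, if those are included)."""
    return check_users(sorted(memberships), memberships, allow, deny)


def format_report(results: Dict[str, List[Tuple[str, str]]]) -> str:
    """Render in the layout sketched in the thread: group header, indented rows."""
    lines = []
    for group, rows in results.items():
        lines.append(f"{group}:")
        lines.extend(f"  {user:<16}{verdict}" for user, verdict in rows)
    return "\n".join(lines)


if __name__ == "__main__":
    for user, verdict in check_users(["foo@ad.com", "bar@ad.com"]):
        print(f"{user:<16}{verdict}")
    print(format_report(check_groups(["linuxusers@ad.com", "linuxspecial@ad.com"])))
    print(f"{len(check_all_users())} users evaluated for the full report")
```

The `bar@ad.com` row is the instructive one: the user is in an allowed group, but membership in a denied group still yields DENIED, which is why the tool cannot shortcut the per-user evaluation with a lookup of the allow list alone.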