On Thu, Oct 25, 2012 at 10:36:05AM +0200, Tomas Brandysky wrote:
> Hello,
>
> we're upgrading from CentOS 5.8 to CentOS 6.3 and have realized a few
> things have changed in the system.
>
> We're using LDAP authentication (nss_ldap package) on our CentOS 5.8
> servers and currently have different PAM LDAP configuration files
> configured to be used for specific PAM services.
>
> Here is an example of our setup:
>
> /etc/pam.d/service1:
> auth sufficient pam_ldap.so config=/etc/ldap_service1.conf
>
> /etc/pam.d/service2:
> auth sufficient pam_ldap.so config=/etc/ldap_service2.conf
>
> Thus we can use specific LDAP filters for various services, as not all
> users having access to one service also have access to other services
> on the same server.
>
> Now we're facing the problem of how to get the same functionality with
> the System Security Services Daemon (SSSD), which was newly introduced
> with RHEL 6.
>
> So far we haven't found out how to specify a custom sssd configuration
> file (or a specific part of the configuration, section/domain) in the
> PAM service configuration. According to the documentation only these
> options can be specified when using the pam_sss module: [forward_pass]
> [use_first_pass] [use_authtok].
>
> None of them can be used to select a different LDAP filter.
>
> Is there a way to configure specific search filters depending on the
> PAM service?
>
> Thank you for any suggestion
I think what you are looking for is covered in
https://fedorahosted.org/sssd/ticket/1021.

If you only want to allow/deny access for specific users to specific
services, you can add an attribute to the user objects in the LDAP server
listing the allowed PAM services and use ldap_user_authorized_service.
See the sssd-ldap man page for details.

If you want finer-grained access control, you might want to have a look
at the FreeIPA HBAC rules.

HTH

bye,
Sumit

>
> Regards
>
> Tomas Brandysky
> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
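The per-service allow/deny approach Sumit describes, written out as an added example (not from the thread or the SSSD project): an SSSD domain that uses the LDAP access provider with ldap_user_authorized_service, where the domain name, server, search base, CA path and the authorizedService attribute/object class are assumptions.

```ini
# /etc/sssd/sssd.conf (example; domain name, URI, base DN and CA path are placeholders)
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt

# Replace the per-service pam_ldap filters with SSSD's LDAP access control:
# pam_sss passes the PAM service name (e.g. "service1") to SSSD, which
# grants access only if that name is listed in the user's attribute below.
access_provider = ldap
ldap_access_order = authorized_service
ldap_user_authorized_service = authorizedService

# Assumed user entries (LDIF, shown here as comments):
#   dn: uid=alice,ou=people,dc=example,dc=com
#   objectClass: authorizedServiceObject   ; assumed auxiliary class
#   authorizedService: service1
#   authorizedService: service2
#
#   dn: uid=bob,ou=people,dc=example,dc=com
#   objectClass: authorizedServiceObject
#   authorizedService: service2
# Result: alice may use service1 and service2; bob is denied on service1.
#
# The check runs in the PAM account phase, so each service's PAM file
# needs pam_sss in the account stack, not only in auth:
#   /etc/pam.d/service1:
#     auth     sufficient pam_sss.so
#     account  required   pam_sss.so
#   /etc/pam.d/service2:
#     auth     sufficient pam_sss.so
#     account  required   pam_sss.so
```

Users without any authorizedService value are denied by the authorized_service rule, so populate the attribute before switching access_provider from permit to ldap to avoid locking everyone out.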