On 10/25/2012 11:36 AM, Sumit Bose wrote:
> On Thu, Oct 25, 2012 at 10:36:05AM +0200, Tomas Brandysky wrote:
>> Hello,
>>
>> we're upgrading from Centos 5.8 to Centos 6.3 and have realized a few things have changed in the system.
>>
>> We're using LDAP authentication (nss_ldap package) on our Centos 5.8 servers and have different PAM ldap configuration files configured to be used for specific PAM services at the moment.
>>
>> Here is the example of our setup:
>>
>> /etc/pam.d/service1:
>> auth sufficient pam_ldap.so config=/etc/ldap_service1.conf
>>
>> /etc/pam.d/service2:
>> auth sufficient pam_ldap.so config=/etc/ldap_service2.conf
>>
>> Thus we can use specific LDAP filters for various different services as not all users having access to one service also have access to other services on the same server.
>>
>> Now we're facing the problem to manage the same functionality with System Security Services Daemon (SSSD) which was newly presented with RHEL 6.
>>
>> We didn't find out so far how to specify a custom sssd configuration file (or a specific part of the configuration section/domain) in the PAM service configuration. According to the documentation only these options can be specified when using the pam_sss module: [forward_pass] [use_first_pass] [use_authtok].
>>
>> None of them can be used to make a difference in the ldap filter to be used.
>>
>> Is there a way to configure specific search filters depending on the PAM service?
>>
>> Thank you for any suggestion
>
> I think what you are looking for is covered in https://fedorahosted.org/sssd/ticket/1021.
>
yes, that's exactly what I miss in sssd. I'm surprised such a feature isn't supported yet as the same goal could be accomplished in RHEL4/5 releases with older methods. I see this as a step back. Is there some real possibility to have this feature in some later release which could come as an update in RHEL 6?

> If you only want to allow/deny access for specific users to a specific service you can add an attribute to the user objects in the LDAP server listing the allowed PAM services and use ldap_user_authorized_service. See the sssd-ldap man page for details.

I know about ldap_user_authorized_service but I need to specify a combination of service and host access. I can't afford to grant users access to the ssh service globally when they can access ssh only on some of the dozens of servers we have.

> If you want more fine grained access control you might want to have a look at the FreeIPA HBAC rules.

ok, I've not heard about this. Will check it out.

Thank you
Tomas

> HTH
>
> bye,
> Sumit
>
>> Regards
>>
>> Tomas Brandysky
>> _______________________________________________
>> sssd-users mailing list
>> sssd-users@lists.fedorahosted.org
>> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
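For readers following the thread, here is an added sssd.conf fragment (not from the thread or the SSSD project) showing the LDAP access-provider checks Sumit refers to: the user object carries the allowed PAM services and hosts, and SSSD evaluates each listed check independently, which is the limitation Tomas raises. The domain name, server URL, base DN and attribute values are assumed placeholders.

```ini
# /etc/sssd/sssd.conf -- constructed example; domain and server names are placeholders
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com

# Access control is done by the LDAP provider after authentication.
access_provider = ldap

# Every check in the list must pass; they are not combined into
# "service X only on host Y" pairs (see the thread above).
ldap_access_order = authorized_service, host

# Attribute on the user entry listing allowed PAM service names
# (e.g. "sshd", "login"); a leading "!" denies, "*" allows all.
ldap_user_authorized_service = authorizedService

# Attribute on the user entry listing hosts the user may log in to
# (compared against this machine's hostname); same "!" and "*" rules.
ldap_user_authorized_host = host

# Example user entry (LDIF, constructed):
#   dn: uid=alice,ou=people,dc=example,dc=com
#   authorizedService: sshd
#   host: web1.example.com
#   host: web2.example.com
```

With this configuration alice passes on web1 and web2 for sshd, but there is no way to express "sshd on web1, only login on web2", which is why the reply points to FreeIPA HBAC rules for combined service-and-host rules.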