On Thu, Oct 25, 2012 at 01:48:49PM +0200, Tomas Brandysky wrote:
> On 10/25/2012 11:36 AM, Sumit Bose wrote:
> > On Thu, Oct 25, 2012 at 10:36:05AM +0200, Tomas Brandysky wrote:
> >> Hello,
> >>
> >> we're upgrading from Centos 5.8 to Centos 6.3 and have realized a few
> >> things have changed in the system.
> >>
> >> We're using LDAP authentication (nss_ldap package) on our Centos 5.8
> >> servers and have different PAM ldap configuration files configured to be
> >> used for specific PAM services at the moment.
> >>
> >> Here is the example of our setup:
> >>
> >> /etc/pam.d/service1:
> >>  auth        sufficient    pam_ldap.so config=/etc/ldap_service1.conf
> >>
> >> /etc/pam.d/service2:
> >>  auth        sufficient    pam_ldap.so config=/etc/ldap_service2.conf
> >>
> >> Thus we can use specific LDAP filters for various different services, as
> >> not all users who have access to one service also have access to other
> >> services on the same server.
> >>
> >> Now we're facing the problem to manage the same functionality with
> >> System Security Services Daemon (SSSD) which was newly presented with
> >> RHEL 6.
> >>
> >> We didn't find out so far how to specify a custom sssd configuration file
> >> (or a specific part of the configuration section/domain) in the PAM service
> >> configuration. According to the documentation only these options can be
> >> specified when using the pam_sss module: [forward_pass] [use_first_pass]
> >> [use_authtok].
> >>
> >> None of them can be used to make a difference in the LDAP filter to be used.
> >>
> >> Is there a way to configure specific search filters depending on the PAM
> >> service?
> >>
> >> Thank you for any suggestion
> > 
> > I think what you are looking for is covered in
> > https://fedorahosted.org/sssd/ticket/1021.
> > 
> 
> yes, that's exactly what I miss in sssd.
> I'm surprised such a feature isn't supported yet, as the same goal could
> be accomplished in RHEL4/5 releases with older methods. I see this as a
> step back. Is there some real possibility to have this feature in some
> later release which could come as an update in RHEL 6?

I don't think we are tracking this feature request for RHEL6. If
you need the functionality in RHEL6, feel free to propose it through
support.

> 
> > If you only want to allow/deny access for specific users to specific
> > service you can add an attribute to the user objects in the LDAP server
> > listing the allowed PAM services and use ldap_user_authorized_service.
> > See sssd-ldap man page for details.
> 
> I know about ldap_user_authorized_service but I need to specify a
> combination of service and host access. I can't afford to grant users
> access to the ssh service globally when they can access ssh only on some of
> the dozens of servers we have.
> 

You can also use a comma-separated list in the ldap_access_order
parameter of sssd.conf and then define both service and host for a user.

For a finer-grained access control, you probably want IPA's HBAC as
Sumit said.
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
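To make the ldap_access_order suggestion above concrete, here is an sssd.conf fragment combining the host and authorized_service checks. This is an added illustration, not configuration posted in the thread or shipped by the SSSD project; the domain name, LDAP server, search base and CA path are assumptions, and sssd-ldap(5) on the installed version is authoritative for which values ldap_access_order accepts.

```ini
# /etc/sssd/sssd.conf (fragment) -- added illustration, not from the thread.
# The domain name, ldap_uri, search base and CA path are assumptions.
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
# Switch from the default "permit" to LDAP-based access control.
access_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

# Run more than one access check; a user must pass every check listed.
# "host" compares the user's host attribute with this machine's hostname,
# "authorized_service" compares the authorizedService attribute with the
# PAM service name that pam_sss was called for (e.g. "sshd").
ldap_access_order = host, authorized_service

# Attribute names read from the user entry. These are the documented
# defaults, spelled out so the schema dependency is visible in one place.
ldap_user_authorized_host = host
ldap_user_authorized_service = authorizedService
```

With this in place a user who should only get ssh on one server needs, for example, `host: web01.example.com` and `authorizedService: sshd` in their LDAP entry; per sssd-ldap(5), a value prefixed with `!` denies and `*` allows all, and a user missing the attribute fails that check. Before relying on it, confirm with `man sssd-ldap` on the installed sssd that `host` is listed as a valid ldap_access_order value, since older releases only support the service check, and test with `getent passwd` plus a real login rather than trusting the configuration file alone.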