On Sat, Sep 07, 2013 at 07:16:09PM -0400, Dmitri Pal wrote:
> On 09/07/2013 02:23 PM, Doug Clow wrote:
> > Hello,
> >
> > I recently switched my sssd to 1.9 so I can try the native Active
> > Directory support.  Previously I was using:
> >
> > id_provider = ldap
> > auth_provider = krb5
> > chpass_provider = krb5
> > access_provider = ldap
> >
> > And now with 1.9 I'm using:
> >
> > id_provider = ad
> > auth_provider = ad
> > chpass_provider = ad
> > access_provider = ad
> >
> > This works great except for one thing.  ldap_access_filter no longer
> > does anything so everyone can log into all the machines.  When I'm
> > using access_provider = ad how do I restrict which users and groups
> > have access to the machine?
> 
> There is no special access provider for AD back end

This is only correct to a certain extent. Quoting from the sssd-ad man page
(and you didn't miss anything in the 1.9 docs, the following was added
quite recently):

    The AD access control provider checks if the account is expired. It
    has the same effect as the following configuration of the LDAP provider:

        access_provider = ldap
        ldap_access_order = expire
        ldap_account_expire_policy = ad

    However, unless the “ad” access control provider is explicitly
    configured, the default access provider is “permit”.

The reason the AD access control provider is so simplistic at the moment
is that future versions might support access control based on group
policies. I'm not aware of a firm ETA on leveraging GPOs, though.

> so you still need to
> use ldap or simple access provider as you used to do in the past.

In order to configure the equivalent of a "filter" access control, you
need to configure the LDAP access provider for the time being.

access_provider = ldap
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = memberOf=cn=admins,ou=groups,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = CLIENT_SHORTNAME$@EXAMPLE.COM
ldap_schema = ad

The reason for the setup being a little more complex is that the
ldap_access_filter option is currently only reachable from the LDAP
provider, and the LDAP access provider currently depends on all the LDAP
provider options being defined, even though the AD provider is more or
less a shorthand that expands to the above.

There is a ticket to handle this (arguably common) setup better:
https://fedorahosted.org/sssd/ticket/1977

Hope this helps.
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
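The pitfall in this thread is that a leftover ldap_access_filter is silently ignored once access_provider is switched to "ad" (which only checks account expiry), and that no access_provider at all means "permit". The following added example, not code from the thread or from sssd itself, lints the [domain/...] sections of an sssd.conf for exactly that, using the rules quoted from the sssd-ad man page above; both sample configurations are constructed for illustration.

```python
import configparser

# Constructed samples: the poster's 1.9 setup with the old ldap_access_filter
# left in place, and the LDAP access provider setup the reply recommends instead.
BROKEN_CONF = """
[domain/example.com]
id_provider = ad
access_provider = ad
ldap_access_filter = memberOf=cn=admins,ou=groups,dc=example,dc=com
"""

FIXED_CONF = """
[domain/example.com]
id_provider = ad
access_provider = ldap
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = memberOf=cn=admins,ou=groups,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = CLIENT_SHORTNAME$@EXAMPLE.COM
ldap_schema = ad
"""


def effective_access(section):
    """Return (provider, filter_enforced, findings) for one [domain/...] section."""
    # Rules from the sssd-ad man page quoted in the thread: a missing access_provider
    # means "permit"; "ad" only checks expiry; ldap_access_filter is honoured only
    # by the "ldap" access provider when "filter" is in ldap_access_order.
    provider = section.get("access_provider", "permit").strip()
    order = [o.strip() for o in section.get("ldap_access_order", "filter").split(",")]
    has_filter = "ldap_access_filter" in section
    filter_enforced = provider == "ldap" and has_filter and "filter" in order
    findings = []
    if "access_provider" not in section:
        findings.append("no access_provider: defaults to permit, every user may log in")
    if provider == "ad" and has_filter:
        findings.append("ldap_access_filter is ignored by access_provider = ad (expiry check only)")
    if provider == "ldap" and "filter" in order and not has_filter:
        findings.append("'filter' in ldap_access_order but ldap_access_filter is unset")
    return provider, filter_enforced, findings


def lint_sssd_conf(text):
    """Map each domain name to effective_access() of its [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)  # sssd.conf is INI-style
    cp.read_string(text)
    return {name[len("domain/"):]: effective_access(cp[name])
            for name in cp.sections() if name.startswith("domain/")}
```

Running lint_sssd_conf over a real /etc/sssd/sssd.conf after an upgrade shows, per domain, whether the group filter is actually enforced or whether the machine has fallen back to expiry-only or permit-everything access.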