Hi, I'm currently working on an sssd configuration to replace a set of legacy authentication and authorization mechanisms on several hundred Linux systems in our department - they're currently supported via shared /etc/passwd and /etc/group files.
I've got access, user and group information all working well via pam and sssd and am now trying to find a solution to the authorisation requirements. Previously this was managed via puppet-distributed changes to /etc/pam.d with a list of users/groups per machine stored in the puppet nodes files. I'd like to move to a setup where each machine (or class of machine) just pulls the list of allowed unix groups from its own node in OpenLDAP.

Is there anything available in sssd.conf that would allow the ldap access provider to pull back a list of allowed groups from ldap, rather than listing them explicitly? Sort of a hybrid between the simple_allow_groups and ldap_access_filter?

e.g. What I would love to do:

    access_provider = ldap
    ldap_allow_groups_dn = cn=MachineA,ou=machines,dc=network,dc=com

Where the cn=MachineA object is a groupOfNames that would look something like:

    objectClass: groupOfNames
    objectClass: top
    cn: MachineA
    description: Posix groups whose users are allowed to access MachineA
    member: root
    member: localusers
    member: adminusers
    member: webusers

I'd much rather have the lists of groups allowed to access a machine managed from LDAP, rather than directly coded into sssd.conf, or alternatively, via pam_listfile.

Is there any way of enabling this in the current version of sssd, or emulating it somehow via ldap_access_filter?

Cheers,
John
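One way to emulate the setup John describes without waiting for a new sssd option is to keep the per-machine groupOfNames in LDAP and have a small generator (run from cron, or from the config management that already ships sssd.conf) turn its member list into a `simple_allow_groups` line for the simple access provider. The script below is an added example, not code from the original post or from the sssd project. It assumes the entry has already been fetched as LDIF (for instance with ldapsearch; that step is not shown, and the LDIF here is constructed inline), it accepts member values either as bare group names, as in the post, or as full DNs, as the groupOfNames schema normally requires, and it refuses to write an empty list because the simple provider grants access to everyone when no allow lists are set.

```python
"""Generate the sssd access section for a machine from a per-machine
groupOfNames entry in LDAP.

Added example; the LDIF below is constructed for illustration and is not
taken from a real directory. The real fetch would be something like
`ldapsearch -LLL -b cn=MachineA,ou=machines,dc=network,dc=com` (assumption).
"""
import base64
from typing import Dict, List

# Constructed sample: the machine entry from the post, with one member given
# as a full DN, one folded attribute value, and one base64-encoded value so
# the parser exercises the LDIF corner cases a real export may contain.
SAMPLE_LDIF = """\
dn: cn=MachineA,ou=machines,dc=network,dc=com
objectClass: groupOfNames
objectClass: top
cn: MachineA
description: Posix groups whose users are allowed
  to access MachineA
member: cn=root,ou=groups,dc=network,dc=com
member: localusers
member:: YWRtaW51c2Vycw==
member: cn=webusers,ou=groups,dc=network,dc=com
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into {attribute: [values]}.

    Handles folded lines (a leading space continues the previous line)
    and base64 values ("attr:: <b64>"). Attribute names are lower-cased.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # LDIF folding drops exactly one space
        else:
            unfolded.append(raw)

    attrs: Dict[str, List[str]] = {}
    for line in unfolded:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def group_name(member: str) -> str:
    """Return the group name for a member value.

    A DN such as cn=webusers,ou=groups,dc=network,dc=com yields 'webusers';
    a bare value such as 'webusers' is returned unchanged.
    """
    head = member.split(",", 1)[0]
    if "=" in head:
        return head.split("=", 1)[1].strip()
    return member.strip()


def allowed_groups(entry: Dict[str, List[str]]) -> List[str]:
    """Ordered, de-duplicated group names from the entry's member attribute."""
    seen = set()
    groups: List[str] = []
    for member in entry.get("member", []):
        name = group_name(member)
        if name and name not in seen:
            seen.add(name)
            groups.append(name)
    return groups


def render_access_section(domain: str, groups: List[str]) -> str:
    """Render the access-control lines for an sssd [domain/...] section.

    Fails closed: with access_provider = simple and no allow lists, sssd
    grants access to every user, so an empty member list must not be
    written out as a valid configuration.
    """
    if not groups:
        raise ValueError("refusing to render an empty allow list (would allow everyone)")
    return "\n".join([
        f"[domain/{domain}]",
        "access_provider = simple",
        "simple_allow_groups = " + ", ".join(groups),
    ]) + "\n"


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print(render_access_section("network.com", allowed_groups(entry)))
```

The generated lines are only the access part of the domain section; the id and auth provider settings already in sssd.conf stay as they are, and the script should fail, not emit a config, if the LDAP fetch returns nothing, so a directory outage cannot silently widen access.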
