On 07/07/2014 05:00 AM, John Snowdon wrote:
Hi,
I'm currently working on an sssd configuration to replace a set of legacy
authentication and authorization mechanisms on several hundred Linux systems in
our department - they're currently supported via shared /etc/passwd and
/etc/group files.
I've got access, user and group information all working well via pam and sssd
and am now trying to find a solution to the authorisation requirements.
Previously this was managed via puppet-distributed changes to /etc/pam.d with a
list of users/groups per machine stored in the puppet nodes files.
I'd like to move to a setup where each machine (or class of machine) just pulls
the list of allowed unix groups from its own node in OpenLDAP.
Have you considered FreeIPA instead of OpenLDAP?
It has a built in host based access control capability and SSSD
naturally supports it.
With pure LDAP you would have to use ldap access provider and specify a
filter that matches the DNs you care about. AFAIR OpenLDAP supports
2307bis that means that there should be a memberOf attribute on the user
entry (or something similar). This attribute would be a list of the DNs
the user is a member of. You can use it in the filter.
I know that 389-DS supports it for sure.
Is there anything available in sssd.conf that would allow the ldap access
provider to pull back a list of allowed groups from ldap, rather than listing
them explicitly? Sort of a hybrid between the simple_allow_groups and
ldap_access_filter?
e.g. What I would love to do
access_provider = ldap
ldap_allow_groups_dn = cn=MachineA,ou=machines,dc=network,dc=com
Where the cn=MachineA object is a groupOfNames that would look something like:
objectClass: groupOfNames
objectClass: top
cn: MachineA
description: Posix groups whose users are allowed to access MachineA
member: root
member: localusers
member: adminusers
member: webusers
I'd much rather have the lists of groups allowed to access a machine managed
from LDAP, rather than directly coded into sssd.conf, or alternatively, via
pam_listfile. Is there any way of enabling this in the current version of sssd,
or emulating it somehow via ldap_access_filter?
Cheers,
John
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
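The ldap access provider setup Dmitri describes, written out as an sssd.conf fragment. This is an added example, not configuration from the thread or from the SSSD project; it assumes the four groups from John's groupOfNames live under ou=groups,dc=network,dc=com and that the server maintains a memberOf attribute on user entries (on OpenLDAP that means the memberof overlay is loaded; rfc2307bis alone does not provide it). The host name ldap.network.com is also assumed.

```ini
# /etc/sssd/sssd.conf (fragment) - added example, not from the original thread.
# Assumed: groups under ou=groups,dc=network,dc=com, server keeps memberOf up to date.
[domain/network.com]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ldap.network.com
ldap_search_base = dc=network,dc=com

# 2307bis groups: membership is stored as full DNs in the "member" attribute,
# which is what lets the server populate memberOf on the user entry.
ldap_schema = rfc2307bis
ldap_group_member = member

# Only the access filter decides (this is the default order; stated explicitly).
ldap_access_order = filter

# A user is allowed in only if the user entry itself matches this filter.
# One memberOf term per allowed group; the list is what cn=MachineA holds
# on the page, so per-machine puppet templating would render this line.
ldap_access_filter = (|(memberOf=cn=root,ou=groups,dc=network,dc=com)(memberOf=cn=localusers,ou=groups,dc=network,dc=com)(memberOf=cn=adminusers,ou=groups,dc=network,dc=com)(memberOf=cn=webusers,ou=groups,dc=network,dc=com))
```

Two checks before rolling this out. First, confirm the attribute really is there for a test user, e.g. `ldapsearch -x -H ldaps://ldap.network.com -b dc=network,dc=com '(uid=someuser)' memberOf`; if the result has no memberOf lines, the filter will deny everyone. Second, memberOf is not expanded through nested groups, so a groupOfNames whose members are other groups (the cn=MachineA object in the question) cannot be referenced directly in the filter; the filter has to name the POSIX groups themselves.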