On 07 Jul 2014, at 11:00, John Snowdon <[email protected]> wrote:
> Hi,
>
> I'm currently working on an sssd configuration to replace a set of legacy
> authentication and authorization mechanisms on several hundred Linux systems
> in our department - they're currently supported via shared /etc/passwd and
> /etc/group files.
>
> I've got access, user and group information all working well via pam and sssd
> and am now trying to find a solution to the authorisation requirements.
> Previously this was managed via puppet-distributed changes to /etc/pam.d with
> a list of users/groups per machine stored in the puppet nodes files.
> I'd like to move to a setup where each machine (or class of machine) just
> pulls the list of allowed unix groups from its own node in OpenLDAP.
>
> Is there anything available in sssd.conf that would allow the ldap access
> provider to pull back a list of allowed groups from ldap, rather than listing
> them explicitly? Sort of a hybrid between the simple_allow_groups and
> ldap_access_filter?
>
> e.g. What I would love to do
>
> access_provider = ldap
> ldap_allow_groups_dn = cn=MachineA,ou=machines,dc=network,dc=com
>
> Where the cn=MachineA object is a groupOfNames that would look something like:
>
> objectClass: groupOfNames
> objectClass: top
> cn: MachineA
> description: Posix groups whose users are allowed to access MachineA
> member: root
> member: localusers
> member: adminusers
> member: webusers
>
> I'd much rather have the lists of groups allowed to access a machine managed
> from LDAP, rather than directly coded into sssd.conf, or alternatively, via
> pam_listfile. Is there any way of enabling this in the current version of
> sssd, or emulating it somehow via ldap_access_filter?
>
> Cheers,
> John

Hi John,

The one-sentence answer is: not easily, sorry.

The thing about ldap_access_filter to keep in mind is that the filter is applied on the /user entry/ when the user logs in.
Basically, the ldap_access_filter is AND-ed with a filter that involves the user entry; if there is a match, the access is allowed, otherwise the access is denied.

One solution I can think of is to use the memberof overlay with OpenLDAP and then employ a filter on the client side that would include memberof=allowed_group_dn. But to be honest, I don't have too much experience with the memberof overlay, so I'm not sure if this suggestion would work for nested groups, for example.

I hope the explanation on how the ldap_access_filter works is still useful. Please let us know if you have any more questions!

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
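The memberof-based approach suggested in the reply, written out as an sssd.conf fragment. This is an added example, not configuration from the thread or from the SSSD project; the server URI, the ou=people/ou=groups containers and the group names are assumptions chosen to match the question's dc=network,dc=com suffix. It assumes the OpenLDAP memberof overlay is loaded on the server's database, so that every user entry carries a memberOf attribute listing the DN of each group it is a direct member of.

```ini
# /etc/sssd/sssd.conf (added example; server name, containers and group
# names are assumed, not taken from the thread)
[sssd]
services = nss, pam
domains = network

[domain/network]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.network.com
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_search_base = dc=network,dc=com
ldap_user_search_base = ou=people,dc=network,dc=com
ldap_group_search_base = ou=groups,dc=network,dc=com

# Access control. The filter is AND-ed with the search for the
# authenticating user's own entry: the user is allowed only if that one
# entry matches, so the filter can only test attributes the user entry
# itself carries (here, memberOf values maintained by the server-side
# memberof overlay). No match means access is denied.
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (|(memberOf=cn=adminusers,ou=groups,dc=network,dc=com)(memberOf=cn=webusers,ou=groups,dc=network,dc=com))

# If the per-machine entry cn=MachineA is instead a groupOfNames whose
# members are the *user* DNs (not posix groups, as in the question), one
# memberOf test is enough and the allow-list lives entirely in LDAP:
# ldap_access_filter = (memberOf=cn=MachineA,ou=machines,dc=network,dc=com)
```

Two caveats a practitioner should check before relying on this. First, the OpenLDAP memberof overlay only records direct membership through a DN-valued attribute (member by default): it does not expand nested groups, and it does not see posixGroup memberUid values, which hold names rather than DNs. So a machine entry whose members are posix groups, as in the question's cn=MachineA, will not show up in any user's memberOf, and the filter must either list the groups explicitly (as above) or the machine group must hold user DNs directly. Second, the effect of the filter can be verified from the client with the same AND the access provider performs, e.g. `ldapsearch -x -H ldap://ldap.network.com -b ou=people,dc=network,dc=com '(&(uid=jsmith)(memberOf=cn=adminusers,ou=groups,dc=network,dc=com))' dn` (uid and group assumed): if the search returns the user's DN the login is allowed, and if it returns nothing the login is denied.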
