Dmitri Pal wrote:
> On 07/10/2014 04:04 PM, Michael Ströder wrote:
>> Dmitri Pal wrote:
>>> Have you considered FreeIPA instead of OpenLDAP?
>>> It has a built-in host-based access control capability and SSSD naturally
>>> supports it.
>> What exactly is this "host-based access control capability"?
>>
>>> With pure LDAP you would have to use the ldap access provider and specify a
>>> filter that matches the DNs you care about. AFAIR OpenLDAP supports 2307bis,
>>> which means that there should be a memberOf attribute on the user entry (or
>>> something similar). This attribute would be a list of the DNs of the groups
>>> the user is a member of. You can use it in the filter.
>>> I know that 389-DS supports it for sure.
>> I've developed a schema and a bunch of set-based OpenLDAP ACLs which
>> authorize server groups to only see the user accounts, groups and sudoers
>> entries linked to the server group. Every LDAP client has to really
>> authenticate to the LDAP server though. With this mechanism the authorization
>> is implemented by whether a user entry is visible or not on a host.
>
> HBAC is very similar to this but already done for you.
> http://www.freeipa.org/docs/master/html-desktop/index.html#configuring-host-access

Does it also disallow LDAP read access to users/groups/sudoers which are not
allowed to log in to or to be used on a host?

>> BTW: I'd really love to see SASL/EXTERNAL being supported with TLS client
>> certs. It should be fairly simple since using a TLS client cert is already
>> implemented.
>
> Are you talking about this?
> https://fedorahosted.org/sssd/ticket/561

Yes.

> If you use SSSD with IPA it will use SASL GSSAPI for the connection to the
> server.

Sorry, the systems are already in production and I don't want to use Kerberos
or IPA (although I briefly looked at FreeIPA before). But most of the systems
have puppet with a puppet client cert, and therefore it would be nice to use
SASL/EXTERNAL.

> But we would love this functionality to be implemented too.
> Are you interested in contributing this functionality to the project?

The main obstacle is that I'm not a C programmer. And also we're using the sssd
LTS release 1.9.6.

Ciao, Michael.
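The "ldap access provider plus memberOf filter" approach Dmitri describes, as an added example for readers of this thread (it is not configuration posted by either participant). The DNs, host name, file paths and group name are assumptions; the option names are the ones documented in sssd-ldap(5). It also spells out the caveat Michael raises: an access filter only decides who may log in, it does not stop the host from reading other users' entries the way his set-based OpenLDAP ACLs do.

```ini
# /etc/sssd/sssd.conf  (added example; DNs, paths, host and group names are
# assumptions made up for illustration, not from the mailing-list thread)
[sssd]
services = nss, pam
config_file_version = 2
domains = corp

[domain/corp]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# 2307bis schema so that group membership is available as memberOf on the user
ldap_schema = rfc2307bis
ldap_tls_cacert = /etc/ssl/certs/example-ca.pem
ldap_tls_reqcert = demand

# The host must authenticate to the directory for server-side ACLs to apply.
# SASL/EXTERNAL with the puppet client cert is what ticket 561 asks for and is
# not available here, so a per-host simple bind over TLS is used instead.
ldap_default_bind_dn = cn=host01,ou=hosts,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = <per-host secret kept in this 0600 root-owned file>

# Host-based access without FreeIPA HBAC: a user may log in to this host only if
# memberOf lists the login group tied to this host's server group.
# NOTE: this gates the PAM account check only. Users who fail the filter are
# still resolvable through NSS and their entries are still readable over LDAP;
# hiding them requires server-side ACLs (Michael's approach), not this filter.
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (memberOf=cn=webservers-login,ou=groups,dc=example,dc=com)
```

Because the filter is evaluated by the LDAP server on every access check, a host whose bind DN is denied read access to a group's entries will also fail the filter for those users, which is how the two mechanisms can be combined rather than chosen between.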
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
