Hi all, I'm jumping into using sssd-ad here at BU. I'm able to domain join a
CentOS7 and pull our AD entries successfully but am having trouble with
ad_access_filter to restrict access to a group.
Due to FERPA restrictions here, we can't query memberOf for random people via a
machine account, so things like:
ad_access_filter = (memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah)
won't work. I see from debug level 7 that this translates into a query like:
(&(sAMAccountName=nik)(objectclass=user)(memberOf=CN=group-of-admins,OU=Groups,OU=XYZ,DC=blah,DC=blah,DC=blah))
I've verified independently with ldapsearch that if I do this under the machine
account, I don't get anything back. Note that if this query was done in the
context of the user just logging in ("nik") then it would work since I have the
privs to see my own memberOf. But, I think (I guess) that the query is being
done by SSSD-AD as the machine account.
I've also played around with doing a filter like
"(&(objectCategory=group)(CN=group-of-admins))" which does actually return a
list of "member:" entries for an ldapsearch when using the machine account
privs. However, if I plug this into ad_access_filter, it's not allowing access
I think because of the (&sAMAccountName=…) being a query of a user object
whereas the group query is a group object and the filter isn't being satisfied.
From looking at the code I think it's not designed to handle being returned an
object which has a list of "member:" entries and looking for the user in that
list. SMOP I guess :)
So, misc blathering aside, does anybody have any suggestions on how I should go
about restricting access to groups in cases where machine accounts aren't
allowed access to the memberOf information for users? Is there a way to get it
via a group filter, or should/could the memberOf query be done under the
context and privs of the user accessing it? (I guess that would have
implications for caching though…)
Any ideas or suggestions which direction I should go with this? Thanks in
advance.
Nik Conwell
Boston University
[email protected]
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
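The following is an added illustration, not code from the post or from SSSD. It models the two membership checks the post contrasts: the query shape SSSD builds from ad_access_filter (taken from the debug output above, with RFC 4515 escaping of the username added), a user-side memberOf check that fails when the binding account cannot read memberOf, and a group-side check of the group's member list. The DNs, directory contents and the read-permission model are constructed assumptions; the group-side check is direct membership only and does not expand nested groups.

```python
# Constructed illustration of the two ways to decide "is user X in group G"
# that the post contrasts. It is not SSSD's code; the directory entries and
# the read-permission model below are made up for the example.

from dataclasses import dataclass, field

GROUP_DN = "CN=group-of-admins,OU=Groups,OU=XYZ,DC=blah,DC=blah,DC=blah"
USER_DN = "CN=nik,OU=People,OU=XYZ,DC=blah,DC=blah,DC=blah"  # constructed DN


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_access_query(username: str, ad_access_filter: str) -> str:
    """Combine the user lookup with ad_access_filter in the shape the debug
    output in the post shows: (&(sAMAccountName=<u>)(objectclass=user)<f>)."""
    return "(&(sAMAccountName=%s)(objectclass=user)%s)" % (
        escape_filter_value(username), ad_access_filter)


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)


def view_as(entry: Entry, readable: set) -> Entry:
    """Return the entry with only the attributes the binding account may read.
    Models the FERPA-style ACL: the machine account cannot read memberOf."""
    return Entry(entry.dn, {k: v for k, v in entry.attrs.items() if k in readable})


def user_side_check(user: Entry, group_dn: str) -> bool:
    """What a memberOf filter needs: the group DN must be visible on the user."""
    return group_dn.lower() in (dn.lower() for dn in user.attrs.get("memberOf", []))


def group_side_check(group: Entry, user_dn: str) -> bool:
    """The alternative the post asks about: look for the user's DN in the
    group's member list. Direct members only; nested groups are not expanded."""
    return user_dn.lower() in (dn.lower() for dn in group.attrs.get("member", []))


# Constructed directory contents.
USER = Entry(USER_DN, {"sAMAccountName": ["nik"], "objectClass": ["user"],
                       "memberOf": [GROUP_DN]})
GROUP = Entry(GROUP_DN, {"objectCategory": ["group"], "cn": ["group-of-admins"],
                         "member": [USER_DN]})

# Which attributes each bind identity may read (constructed permission model):
# the machine account sees group member lists but not a user's memberOf.
MACHINE_READABLE = {"sAMAccountName", "objectClass", "objectCategory", "cn", "member"}
SELF_READABLE = MACHINE_READABLE | {"memberOf"}


def evaluate(bind_identity: str) -> dict:
    """Run both checks as seen by the given bind identity ("machine" or "self")."""
    readable = SELF_READABLE if bind_identity == "self" else MACHINE_READABLE
    return {
        "user_side": user_side_check(view_as(USER, readable), GROUP_DN),
        "group_side": group_side_check(view_as(GROUP, readable), USER_DN),
    }


if __name__ == "__main__":
    print(build_access_query("nik", "(memberOf=%s)" % GROUP_DN))
    for who in ("machine", "self"):
        print(who, evaluate(who))
```

Run as a script it prints the expanded query and then shows that, under the machine account, the memberOf-based check is false while the member-list check is true, and that both are true when the lookup is done as the user. The escaping in build_access_query is there because a username placed unescaped into a filter can change the filter's meaning; an access filter should always be composed from escaped values.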