[SSSD-users] Re: ad_access_filter question

Thu, 23 Nov 2017 11:47:42 -0800 

On Wed, Nov 22, 2017 at 07:56:57PM +0000, Conwell, Nik wrote:
> Hi all, I'm jumping in to using sssd-ad here at BU.  I'm able to domain join 
> a CentOS7 and pull our AD entries successfully but am having troubles with 
> ad_access_filter to restrict access to a group.
> 
> Due to FERPA restrictions here, we can't query memberOf for random people via 
> a machine account, so things like:
> 
> ad_access_filter = 
> (memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah)
> 
> won't work.  I see from debug level 7 that this translates into a query like:
> 
> (&(sAMAccountName=nik)(objectclass=user)(memberOf=CN=group-of-admins,OU=Groups,OU=XYZ,DC=blah,DC=blah,DC=blah))
> 
> I've verified independently with ldapsearch that if I do this under the 
> machine account, I don't get anything back.  Note that if this query was done 
> in the context of the user just logging in ("nik") then it would work since I 
> have the privs to see my own memberOf.  But, I think (I guess) that the query 
> is being done by SSSD-AD as the machine account.
> 
> I've also played around with doing a filter like 
> "(&(objectCategory=group)(CN=group-of-admins))" which does actually return a 
> list of "member:" entries for an ldapsearch when using the machine account 
> privs.  However, if I plug this into ad_access_filter, it's not allowing 
> access I think because of the (&sAMAccountName=…) being a query of a user 
> object whereas the group query is a group object and the filter isn't being 
> satisfied.  From looking at the code I think it's not designed to handle 
> being returned an object which has a list of "member:" entries and looking 
> for the user in that list.  SMOP I guess :)
> 
> So, misc blathering aside, does anybody have any suggestions on how I should 
> go about restricting access to groups in cases where machine accounts aren't 
> allowed access to the memberOf information for users?  Is there a way to get 
> it via a group filter, or should/could the memberOf query be done under the 
> context and privs of the user accessing it?  (I guess that would have 
> implications on caching though…)

Would:
    access_provider = simple
    simple_allow_groups = group-of-admins
do the trick for you?
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

Reply via email to