On Wed, Nov 22, 2017 at 07:56:57PM +0000, Conwell, Nik wrote:
> Hi all, I'm jumping in to using sssd-ad here at BU. I'm able to domain join
> a CentOS7 and pull our AD entries successfully but am having troubles with
> ad_access_filter to restrict access to a group.
>
> Due to FERPA restrictions here, we can't query memberOf for random people via
> a machine account, so things like:
>
> ad_access_filter = (memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah)
>
> won't work. I see from debug level 7 that this translates into a query like:
>
> (&(sAMAccountName=nik)(objectclass=user)(memberOf=CN=group-of-admins,OU=Groups,OU=XYZ,DC=blah,DC=blah,DC=blah))
>
> I've verified independently with ldapsearch that if I do this under the
> machine account, I don't get anything back. Note that if this query was done
> in the context of the user just logging in ("nik") then it would work since I
> have the privs to see my own memberOf. But, I think (I guess) that the query
> is being done by SSSD-AD as the machine account.
>
> I've also played around with doing a filter like
> "(&(objectCategory=group)(CN=group-of-admins))" which does actually return a
> list of "member:" entries for an ldapsearch when using the machine account
> privs. However, if I plug this into ad_access_filter, it's not allowing
> access, I think because the (&(sAMAccountName=...)) part is a query of a user
> object whereas the group query is a group object, and the filter isn't being
> satisfied. From looking at the code I think it's not designed to handle
> being returned an object which has a list of "member:" entries and looking
> for the user in that list. SMOP I guess :)
>
> So, misc blathering aside, does anybody have any suggestions on how I should
> go about restricting access to groups in cases where machine accounts aren't
> allowed access to the memberOf information for users? Is there a way to get
> it via a group filter, or should/could the memberOf query be done under the
> context and privs of the user accessing it? (I guess that would have
> implications on caching though...)
Would:

access_provider = simple
simple_allow_groups = group-of-admins

do the trick for you?
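For context, here is an added example (not part of the thread) of what a minimal sssd.conf domain section looks like with the simple access provider replacing the ad_access_filter approach; the domain name, realm and the rest of the section are placeholders and assumptions, only the two access_provider lines come from the reply above:

```ini
# Added example sssd.conf, not from the original thread.
# "example.edu" / "EXAMPLE.EDU" are placeholder domain and realm names.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.edu

[domain/example.edu]
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = example.edu
krb5_realm = EXAMPLE.EDU

# Gate logins on the group membership SSSD has already resolved for the
# user through the id provider, instead of sending a separate LDAP filter
# with memberOf that the machine account may not be allowed to evaluate.
# Any user who is not a member of group-of-admins is denied access.
access_provider = simple
simple_allow_groups = group-of-admins
```

After restarting sssd, a quick check is that `id <user>` lists group-of-admins for an intended admin, and that a PAM login for a user outside the group is refused with the access denial visible in the sssd domain log.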