On 11/24/17, 8:22 AM, "Jakub Hrozek" <jhro...@redhat.com> wrote:

>    On Fri, Nov 24, 2017 at 10:02:15AM +0000, Conwell, Nik wrote:
>
>    The simple access provider looks at the user entry itself and their groups in
>    the sssd cache - unlike the access filter, which is applied against the
>    entry in the LDAP server.
>    
>    So yes, SSSD first resolves the groups during the initgroups operation
>    and then runs the simple access check on the result.


Hi, sorry for the radio silence on this.  I took a look at groups available and 
picked one appropriate for membership and using the simple_allow_groups 
restricts/enables access as desired.  Success!

I've also discovered that even though we restrict access to memberOf, there are 
other fields in AD that are visible for the access filter, so I can do things 
like:

ad_access_filter = (|(department=IT)(manager=CN=myboss,OU=People,DC=blah,DC=blah,DC=com))

to allow access to a department or people who are in my immediate group.

Thanks very much for your help Jakub!

-nik
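To make concrete how a filter like the one in Nik's message selects users, here is a small evaluator for the RFC 4515 filter subset SSSD admins typically use (AND, OR, NOT, equality and presence), run over a handful of constructed AD-style entries. This is example code added to this thread, not SSSD's own matching logic: as Jakub notes, SSSD hands `ad_access_filter` to the LDAP server, which does the matching; this script only reproduces the result locally so you can check a filter against known entries before deploying it. The entries, the `title=Contractor` attribute and the stricter second filter are assumptions made for the illustration; value escaping (`\2a`, `\29`) and substring or extensible matches are not implemented.

```python
"""Minimal LDAP filter evaluator (RFC 4515 subset) for sanity-checking an
sssd ad_access_filter against sample entries offline. Example code for this
thread; it is not SSSD's implementation."""

from typing import Dict, List

# An LDAP entry: attribute name -> list of values (attributes are multi-valued).
Entry = Dict[str, List[str]]


def parse_filter(s: str) -> tuple:
    """Parse a filter string into a tuple tree.
    Supported: (&..), (|..), (!..), (attr=value), (attr=*).
    Values run up to the next ')', so escaped parentheses are not supported."""
    pos = 0

    def parse() -> tuple:
        nonlocal pos
        if s[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = s[pos]
        if op in "&|!":
            pos += 1
            children = []
            while s[pos] == "(":
                children.append(parse())
            if s[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("NOT takes exactly one operand")
            return (op, children)
        # Simple item. partition() splits on the FIRST '=', so a DN value such as
        # CN=myboss,OU=People,... keeps its own '=' signs intact.
        end = s.index(")", pos)
        attr, sep, value = s[pos:end].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed item at offset {pos}")
        pos = end + 1
        return ("=", attr.strip(), value)

    tree = parse()
    if pos != len(s):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree: tuple, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry.
    Attribute names and values compare case-insensitively, as AD does for
    the common string syntaxes."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if value == "*":            # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def allowed_users(filter_str: str, entries: List[Entry]) -> List[str]:
    """Return the sAMAccountNames the filter would admit, sorted."""
    tree = parse_filter(filter_str)
    return sorted(e["sAMAccountName"][0] for e in entries if matches(tree, e))


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES: List[Entry] = [
    {"sAMAccountName": ["alice"], "department": ["IT"],
     "manager": ["CN=someoneelse,OU=People,DC=blah,DC=blah,DC=com"]},
    {"sAMAccountName": ["bob"], "department": ["Finance"],
     "manager": ["CN=myboss,OU=People,DC=blah,DC=blah,DC=com"]},
    {"sAMAccountName": ["carol"], "department": ["Finance"],
     "manager": ["CN=someoneelse,OU=People,DC=blah,DC=blah,DC=com"]},
    {"sAMAccountName": ["dave"], "department": ["IT"], "title": ["Contractor"]},
]

# The filter from the message above.
FILTER_FROM_THREAD = "(|(department=IT)(manager=CN=myboss,OU=People,DC=blah,DC=blah,DC=com))"

# Assumed tighter variant: same population, minus anyone titled Contractor.
STRICTER_FILTER = "(&" + FILTER_FROM_THREAD + "(!(title=Contractor)))"

if __name__ == "__main__":
    print("thread filter admits:", allowed_users(FILTER_FROM_THREAD, SAMPLE_ENTRIES))
    print("stricter filter admits:", allowed_users(STRICTER_FILTER, SAMPLE_ENTRIES))
```

The first filter admits alice and dave (department) and bob (manager) while leaving carol out; wrapping it in `(&...(!(title=Contractor)))` drops dave as well. One point worth keeping in mind when moving from group membership to attributes like `department` or `manager`: host access is now only as trustworthy as the process that writes those attributes in AD, so whoever can edit a user's department or manager field is effectively granting logins.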



    _______________________________________________
    sssd-users mailing list -- sssd-users@lists.fedorahosted.org
    To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
    
