Hello, I am doing some reverse engineering in my current company: I have a server which is acting as a gateway for other services; it is like an entry point exposed to the world. People connect to this server on port 443 via, for example, DBeaver. The same server can be accessed by a group of admins via SSH. SSH should be only for admins; admins are placed in a different domain, while all other users are in domain.net.

For clarification: the group "NoOne" doesn't exist in AD.

What is happening:
- if someone tries to access this node via SSH, I see in the SSSD logs that, after validating the user, SSSD performs the access check filter, and that is OK;
- if someone tries to access this node via DBeaver on port 443, SSSD never triggers the access check filter after user validation, and the user gets access.

Is there any way to exclude performing access_filter for every connection except SSH? I cannot find this configuration, and apparently this is how it works right now, while I am deploying a new gateway server with the same configuration, and on the new server, no matter what I do, the access_filter check is always triggered.

Config:

[domain/admins.net]
allow ssh config

[domain/domain.net]
debug_level = 9
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://node.net:636
ldap_user_search_base = DC=domain,DC=NET?subtree?(|(memberOf=CN=DSP,OU=Security,OU=Groups,OU=Town,OU=PL,OU=COMP,OU=Users & Workstations,DC=domain,DC=NET)(memberOf=CN=IMD,OU=Security,OU=IMD,OU=Global,OU=Users & Workstations,DC=domain,DC=NET))
ldap_schema = ad
ldap_id_mapping = True
ldap_default_bind_dn = CN=USERMASTER,OU=Service Accounts,OU=Global,OU=Servers,DC=domain,DC=NET
ldap_default_authtok = ################
ldap_user_name = sAMAccountName
ldap_user_member_of = memberOf
ldap_user_gid_number = primaryGroupID
ldap_user_shell = /bin/bash
override_homedir = /home/%u
ldap_group_name = sAMAccountName
ldap_group_search_base = DC=domain,DC=NET?subtree?(|(cn=Data*)(cn=Users))
ldap_use_tokengroups = false
ldap_group_member = member
ldap_group_object_class = group
ldap_sudorule_object_class = person
ldap_sudorule_name = sAMAccountName
cache_credentials = True
use_fully_qualified_names = False
ldap_tls_cacert = /etc/sssd/ROOT_AD_RO.pem
ldap_access_order = filter
ldap_access_filter = (|(memberOf=NoOne,DC=domain,DC=NET)

_______________________________________________
sssd-users mailing list --
sssd-users@lists.fedorahosted.org
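Added example, not part of the post above or of SSSD itself. SSSD's access_provider (and therefore ldap_access_filter) is evaluated when pam_sss.so runs in a PAM service's account phase, so a service whose PAM stack calls pam_sss.so for auth but never for account will authenticate users without the access check; that is one explanation consistent with the SSH-versus-port-443 difference described above. The script below audits a PAM directory for such services; the sshd and "gateway" stacks it uses are constructed samples, and "gateway" is a hypothetical service name.

```python
"""Find PAM services that authenticate via pam_sss.so but skip its account
phase, which is where SSSD applies access_provider / ldap_access_filter."""
import os
import tempfile


def parse_pam_lines(lines):
    """Yield (phase, module) pairs from PAM config lines.
    Handles the '-module' optional prefix, comments, and the
    [value=action ...] control syntax, which may contain spaces."""
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue  # blank line, or an @include with no module field
        phase = fields[0].lstrip("-")
        idx = 1
        if fields[idx].startswith("["):
            while idx < len(fields) and not fields[idx].endswith("]"):
                idx += 1
        idx += 1
        if idx < len(fields):
            yield phase, os.path.basename(fields[idx])


def services_without_sss_account(pam_dir):
    """Return service names whose stack uses pam_sss.so for 'auth' but not 'account'."""
    missing = []
    for name in sorted(os.listdir(pam_dir)):
        with open(os.path.join(pam_dir, name)) as fh:
            entries = set(parse_pam_lines(fh))
        if ("auth", "pam_sss.so") in entries and ("account", "pam_sss.so") not in entries:
            missing.append(name)
    return missing


def demo():
    """Constructed sample stacks: sshd reaches the SSSD account phase,
    the hypothetical 'gateway' service authenticates only."""
    samples = {
        "sshd": "auth sufficient pam_sss.so\n"
                "account [default=bad success=ok user_unknown=ignore] pam_sss.so\n",
        "gateway": "auth sufficient pam_sss.so\naccount required pam_unix.so\n",
    }
    with tempfile.TemporaryDirectory() as pam_dir:
        for name, body in samples.items():
            with open(os.path.join(pam_dir, name), "w") as fh:
                fh.write(body)
        return services_without_sss_account(pam_dir)  # returns ['gateway']


if __name__ == "__main__":
    print("services skipping the SSSD access check:", demo())
```

Point it at /etc/pam.d on both gateway hosts to compare which services actually reach the SSSD account phase.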