Hi Sumit,

I've seen the gpo option in the man pages, but I have a problem using it.

I'm supporting several Red-hat/Centos systems for different Teams.

We talk about more than 500 Systems for more than 10 Teams with various
access-rights.


For auditing reasons I'd like to map the system-access-rights to AD-Groups.

Then I'm able to generate audit-reports.


If it's only possible to do this with sssd via gpo, I have to create a
lot of GPOs.

I don't want to use the IDM (IPA) to keep it simple, if it's possible.

Or is this the only/preferred way?


Kind regards


Andreas



On 19.03.2020 16:49, Sumit Bose wrote:
On Thu, Mar 19, 2020 at 04:12:05PM +0100, Andreas Schoon wrote:
Hi,

I'm using the sssd (centos7) combined with microsoft ad (2016) and I'm
searching for a service-based filter-option.

My plan is to grant access to the service, based on group membership in ad.
Hi,

please use [email protected] next time.

Please check the ad_gpo_access_control option and the following in man
sssd-ad. sshd is by default in ad_gpo_map_remote_interactive and you
can add the PAM service name of radius e.g. to ad_gpo_map_service.

HTH

bye,
Sumit

Is there any way to do this?

Example:

Member of ad-Group : ssh_user can connect via ssh to the server, Member
of ad-Group : rad_user can use the radius-daemon on the server

[sshd]

ad_access_filter = FOREST:xxx.yy:(memberOf:1.2.840.113556.1.4.1941:=CN=ssh_user,OU=linux,OU=Test,DC=xxx,DC=yy)

[radiusd]

ad_access_filter = FOREST:xxx.yy:(memberOf:1.2.840.113556.1.4.1941:=CN=rad_user,OU=linux,OU=Test,DC=xxx,DC=yy)


I can't see a solution in the manpages ...

In the past I've combined the groups and used the top one for the
filter, but that's not secure ...

Kind Regards

Andreas
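
The options named in the reply above, laid out as an sssd.conf fragment. This is an added example, not configuration posted by either participant. It assumes the domain section is called xxx.yy and that the RADIUS daemon's PAM service name is radiusd, both taken from the placeholders in the question.

```ini
# /etc/sssd/sssd.conf (fragment, constructed example)
[domain/xxx.yy]
id_provider = ad
access_provider = ad

# Evaluate the GPO logon rights that apply to this host's computer object.
# "enforcing" denies access on a GPO deny; "permissive" only logs the result.
ad_gpo_access_control = enforcing

# sshd is already in ad_gpo_map_remote_interactive by default, so SSH logins
# are checked against "Allow log on through Remote Desktop Services"
# (and its Deny counterpart) in the GPO. Grant that right to ssh_user.

# Assumption: the RADIUS daemon authenticates through PAM service "radiusd".
# Adding it here checks it against "Log on as a service" in the GPO.
# Grant that right to rad_user.
ad_gpo_map_service = +radiusd

# PAM services that are not in any ad_gpo_map_* list fall back to this value.
ad_gpo_default_right = deny
```

With this mapping the per-service group assignment lives in the GPO's user-rights settings, so one GPO linked to the OU that holds a team's computer objects covers all of that team's hosts.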


