I wish the control to be external to the system. It allows us to group people by dept/courses/etc and add them to systems when desired, rather than having to change SSSD periodically. So management within AD is preferable.
I did sort of figure that PAM was going to be the local user control but wasn't sure if SSSD could handle that as well.

Thanks! Also, thank you Personne that looks like what I need to do.

-----Original Message-----
From: [email protected] <[email protected]>
Sent: 10 June 2020 16:24
To: End-user discussions about the System Security Services Daemon <[email protected]>; Sangster, Mark <[email protected]>
Subject: Re: [SSSD-users] Access Filters

CAUTION: External email. Ensure this message is from a trusted source before clicking links/attachments.

Rather than filtering off a single group, why not use the simple_allow_groups key value? This will allow multiple groups to access the system should the need ever arise.

For the local users, that is outside sssd for the most part, look at your pam configs and nsswitch.

> On June 10, 2020 at 5:42 AM "Sangster, Mark" <[email protected]> wrote:
>
> Hello,
>
> I was attempting to utilise the AD provider for access control, however I
> cannot make it work with members of nested groups. i.e. when using the
> LDAP_MATCHING_RULE_IN_CHAIN.
>
> This functions:
>
> access_provider = ldap
> ldap_sasl_authid = SERVER$@DOMAIN
> ldap_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=ServerGroup,OU=Groups,DC=DOMAIN)
>
> This doesn’t:
>
> access_provider = ad
> ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=ServerGroup,OU=Groups,DC=DOMAIN)
>
> Have I missed anything?
>
> It would also be useful if it is possible to allow local users access
> alongside the remote users. e.g. allow both “domain_account” and
> “local_account” access. Is that possible?
>
> Thanks
> Mark
>
> ------------------------------------------------------------------------
> Mark Sangster
> Server Infrastructure Specialist
>
> Information Technology Services | University of Aberdeen
> t: +44 (0)1224 27-3315 | e: mailto:[email protected] | u: http://www.abdn.ac.uk/it/
>
> The University of Aberdeen is a charity registered in Scotland, No SC013683.
> Tha Oilthigh Obar Dheathain na charthannas clàraichte ann an Alba, Àir. SC013683.
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
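
Added example, not part of the thread and not SSSD or Active Directory code: a small Python model of what the two filter forms match, showing that the 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) form follows memberOf through nested groups while a plain memberOf assertion sees direct membership only. The directory contents, every name other than ServerGroup, and the helper names `parse_filter` and `is_allowed` are assumptions made for the illustration.

```python
import re

IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

# Constructed sample data: DN -> its direct memberOf values. Only ServerGroup
# comes from the thread; every other name is hypothetical.
DIRECTORY = {
    "CN=alice,OU=Users,DC=DOMAIN": ["CN=ServerGroup,OU=Groups,DC=DOMAIN"],
    "CN=bob,OU=Users,DC=DOMAIN": ["CN=Physics,OU=Groups,DC=DOMAIN"],
    "CN=carol,OU=Users,DC=DOMAIN": ["CN=Library,OU=Groups,DC=DOMAIN"],
    "CN=Physics,OU=Groups,DC=DOMAIN": ["CN=Departments,OU=Groups,DC=DOMAIN"],
    "CN=Departments,OU=Groups,DC=DOMAIN": ["CN=ServerGroup,OU=Groups,DC=DOMAIN"],
    # Deliberate membership loop, to show that the walk terminates.
    "CN=ServerGroup,OU=Groups,DC=DOMAIN": ["CN=Departments,OU=Groups,DC=DOMAIN"],
}

# Handles a single memberOf assertion, with or without a matching-rule OID.
FILTER_RE = re.compile(r"^\(memberOf(?::([0-9.]+):)?=(.+)\)$", re.IGNORECASE)


def parse_filter(text):
    """Return (normalised group DN, transitive?) for one memberOf filter."""
    match = FILTER_RE.match(text.strip())
    if not match:
        raise ValueError("not a single memberOf assertion: %r" % text)
    oid, group_dn = match.groups()
    if oid not in (None, IN_CHAIN_OID):
        raise ValueError("unsupported matching rule: %s" % oid)
    return group_dn.strip().lower(), oid == IN_CHAIN_OID


def is_allowed(user_dn, filter_text, directory=DIRECTORY):
    """Evaluate the filter for user_dn against the sample directory."""
    target, transitive = parse_filter(filter_text)
    index = {dn.lower(): [g.lower() for g in groups]
             for dn, groups in directory.items()}
    pending = list(index.get(user_dn.lower(), []))
    if not transitive:
        return target in pending  # plain memberOf sees direct groups only
    seen = set()
    while pending:  # in-chain: follow memberOf upwards through nested groups
        group = pending.pop()
        if group == target:
            return True
        if group not in seen:
            seen.add(group)
            pending.extend(index.get(group, []))
    return False
```

In this sample data, bob reaches ServerGroup only through Physics and Departments, so he is admitted by the in-chain filter and rejected by the plain one.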
