What you are trying to do looks like RBAC. You have 2 main options to deal with your need:

1) Allow server access using the sssd.conf file and using ad_access_filter. Using this option, you can use an AD group called: allowed_to_access_this server. Then in AD you just have to make your users members of this group. If they are not members they will be prompted for their credentials, but refused access.

2) It is a mix of sshd_config and sudoers, where you can also use an AD group as long as they have a GID, of course. Use AllowGroups in sshd_config; if you do not, everyone will have access. Use sudoers to limit their permissions.

Good luck

On Thu, Jun 11, 2020 at 8:27 AM Sangster, Mark <[email protected]> wrote:
> I wish the control to be external to the system. It allows us to group
> people by dept/courses/etc and add them to systems when desired, rather
> than having to change SSSD periodically. So management within AD is
> preferable.
>
> I did sort of figure that PAM was going to be the local user control but
> wasn't sure if SSSD could handle that as well. Thanks!
>
> Also, thank you Personne, that looks like what I need to do.
>
> -----Original Message-----
> From: [email protected] <[email protected]>
> Sent: 10 June 2020 16:24
> To: End-user discussions about the System Security Services Daemon
> <[email protected]>; Sangster, Mark <[email protected]>
> Subject: Re: [SSSD-users] Access Filters
>
> CAUTION: External email. Ensure this message is from a trusted source
> before clicking links/attachments.
>
> Rather than filtering off a single group, why not use the
> simple_allow_groups key value? This will allow multiple groups to access
> the system should the need ever arise.
> For the local users, that is outside sssd for the most part; look at your
> pam configs and nsswitch.
>
> > On June 10, 2020 at 5:42 AM "Sangster, Mark" <[email protected]> wrote:
> >
> > Hello,
> >
> > I was attempting to utilise the AD provider for access control, however
> > I cannot make it work with members of nested groups, i.e. when using the
> > LDAP_MATCHING_RULE_IN_CHAIN.
> >
> > This functions:
> >
> > access_provider = ldap
> > ldap_sasl_authid = SERVER$@DOMAIN
> > ldap_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=ServerGroup,OU=Groups,DC=DOMAIN)
> >
> > This doesn't:
> >
> > access_provider = ad
> > ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=ServerGroup,OU=Groups,DC=DOMAIN)
> >
> > Have I missed anything?
> >
> > It would also be useful if it is possible to allow local users access
> > alongside the remote users, e.g. allow both "domain_account" and
> > "local_account" access. Is that possible?
> >
> > Thanks
> > Mark
> >
> > --
> > Mark Sangster
> > Server Infrastructure Specialist
> >
> > Information Technology Services | University of Aberdeen
> > t: +44 (0)1224 27-3315 | e: mailto:[email protected] | u: http://www.abdn.ac.uk/it/
> >
> > The University of Aberdeen is a charity registered in Scotland, No SC013683.
> > Tha Oilthigh Obar Dheathain na charthannas clàraichte ann an Alba, Àir. SC013683.
> >
> > _______________________________________________
> > sssd-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
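To make the difference behind the original question concrete, here is an added example (not code from this thread or from SSSD) that models, over a constructed directory, what a plain memberOf filter decides versus the LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) transitive match, plus a simple_allow_groups style allow-list; the group and user DNs are constructed, and the assumption that the allow-list sees nested membership is noted in the code.

```python
# Added example, not from the thread: models access decisions the way an
# SSSD access filter would evaluate them. All DNs below are constructed.
from typing import Dict, List, Set

# Constructed directory: group DN -> member DNs (users or nested groups).
GROUPS: Dict[str, Set[str]] = {
    "CN=ServerGroup,OU=Groups,DC=DOMAIN": {
        "CN=alice,OU=Users,DC=DOMAIN",            # direct member
        "CN=LinuxAdmins,OU=Groups,DC=DOMAIN",     # nested group
    },
    "CN=LinuxAdmins,OU=Groups,DC=DOMAIN": {"CN=bob,OU=Users,DC=DOMAIN"},
}


def direct_member_of(dn: str) -> Set[str]:
    """Plain memberOf semantics: only groups that list this DN directly."""
    return {g for g, members in GROUPS.items() if dn in members}


def transitive_member_of(user_dn: str) -> Set[str]:
    """What memberOf:1.2.840.113556.1.4.1941:= matches: walk the chain of
    group memberships upward. The 'seen' set also guards against cycles."""
    seen: Set[str] = set()
    frontier = [user_dn]
    while frontier:
        dn = frontier.pop()
        for group in direct_member_of(dn):
            if group not in seen:
                seen.add(group)
                frontier.append(group)  # a group can itself be a member of another
    return seen


def access_filter_allows(user_dn: str, group_dn: str, in_chain: bool) -> bool:
    """ldap_access_filter / ad_access_filter on a single group: with the
    in-chain matching rule nested members pass, without it only direct ones."""
    groups = transitive_member_of(user_dn) if in_chain else direct_member_of(user_dn)
    return group_dn in groups


def simple_allow_groups_allows(user_dn: str, allowed: List[str]) -> bool:
    """simple_allow_groups style check: any listed group grants access.
    Assumption: the id provider resolves nested groups, so the closure is used."""
    return bool(transitive_member_of(user_dn) & set(allowed))


if __name__ == "__main__":
    bob = "CN=bob,OU=Users,DC=DOMAIN"
    target = "CN=ServerGroup,OU=Groups,DC=DOMAIN"
    print("bob, plain memberOf:", access_filter_allows(bob, target, in_chain=False))
    print("bob, in-chain rule: ", access_filter_allows(bob, target, in_chain=True))
```

Running it shows bob (only a nested member) refused under the plain filter and allowed under the in-chain rule, which is the gap the original post describes.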
