On Thu, Jun 11, 2020 at 07:29:12AM +0000, Sangster, Mark wrote:
> I wish the control to be external to the system. It allows us to group people
> by dept/courses/etc and add them to systems when desired, rather than having
> to change SSSD periodically. So management within AD is preferable.

Hi,

you might want to have a look at GPO based access control as well, see
descriptions of the ad_gpo_* options in man sssd_ad for details.

bye,
Sumit

> I did sort of figure that PAM was going to be the local user control but
> wasn't sure if SSSD could handle that as well. Thanks!
>
> Also, thank you Personne that looks like what I need to do.
>
> -----Original Message-----
> From: [email protected] <[email protected]>
> Sent: 10 June 2020 16:24
> To: End-user discussions about the System Security Services Daemon <[email protected]>; Sangster, Mark <[email protected]>
> Subject: Re: [SSSD-users] Access Filters
>
> CAUTION: External email. Ensure this message is from a trusted source before
> clicking links/attachments.
>
> Rather than filtering off a single group, why not use the simple_allow_groups
> key value? This will allow multiple groups to access the system should the
> need ever arise.
> For the local users, that is outside sssd for the most part, look at your pam
> configs and nsswitch.
>
> > On June 10, 2020 at 5:42 AM "Sangster, Mark" <[email protected]> wrote:
> >
> > Hello,
> >
> > I was attempting to utilise the AD provider for access control, however I
> > cannot make it work with members of nested groups, i.e. when using
> > LDAP_MATCHING_RULE_IN_CHAIN.
> >
> > This functions:
> >
> >     access_provider = ldap
> >     ldap_sasl_authid = SERVER$@DOMAIN
> >     ldap_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=ServerGroup,OU=Groups,DC=DOMAIN)
> >
> > This doesn't:
> >
> >     access_provider = ad
> >     ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=ServerGroup,OU=Groups,DC=DOMAIN)
> >
> > Have I missed anything?
> >
> > It would also be useful if it is possible to allow local users access
> > alongside the remote users, e.g. allow both "domain_account" and
> > "local_account" access. Is that possible?
> >
> > Thanks
> > Mark
> >
> > --
> > Mark Sangster
> > Server Infrastructure Specialist
> >
> > Information Technology Services | University of Aberdeen
> > t: +44 (0)1224 27-3315 | e: mailto:[email protected] | u: http://www.abdn.ac.uk/it/
> >
> > The University of Aberdeen is a charity registered in Scotland, No SC013683.
> > Tha Oilthigh Obar Dheathain na charthannas clàraichte ann an Alba, Àir. SC013683.
> >
> > _______________________________________________
> > sssd-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
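The two access-control configurations discussed in the thread, written out as a complete sssd.conf domain section. This is an added example, not configuration posted by any participant or shipped by the SSSD project: the domain name DOMAIN, the ServerGroup DN and the SASL authid are carried over from Mark's message, while the second group name CourseGroup is a constructed placeholder. Option A is the ldap access provider with the nested-group filter that Mark reported as working; Option B is the simple access provider with simple_allow_groups that Personne suggested, which accepts several groups and so lets group membership be managed entirely within AD. Only one access_provider can be active, so enable exactly one option.

```ini
[sssd]
domains = DOMAIN
services = nss, pam

[domain/DOMAIN]
id_provider = ad
auth_provider = ad

# Option A (reported working in the thread): LDAP access provider with a
# nested-group filter. The OID 1.2.840.113556.1.4.1941 is the AD
# LDAP_MATCHING_RULE_IN_CHAIN rule, so members of groups nested inside
# ServerGroup are matched as well. The host authenticates to AD with its
# machine account via SASL.
access_provider = ldap
ldap_sasl_authid = SERVER$@DOMAIN
ldap_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=ServerGroup,OU=Groups,DC=DOMAIN)

# Option B (suggested in the thread): the simple access provider, which
# takes a comma-separated list of groups. To switch to it, remove the
# three Option A lines above and uncomment the two lines below.
# CourseGroup is a constructed placeholder for a second AD group.
# access_provider = simple
# simple_allow_groups = ServerGroup, CourseGroup

# Local accounts from /etc/passwd are never evaluated by SSSD's
# access_provider; as the thread notes, they are governed by the PAM
# stack and nsswitch.conf, not by this file.
```

Whichever option is used, the effective decision for a given account can be checked on the host with the sssd-tools command `sssctl user-checks <user> -s sshd -a acct`, which runs the same PAM account phase a login would and reports whether SSSD would grant access.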
