On Wed, Nov 22, 2017 at 07:56:57PM +0000, Conwell, Nik wrote:
Hi all, I'm jumping in to using sssd-ad here at BU. I'm able to domain join a CentOS7 and pull our AD entries successfully but am having troubles with ad_access_filter to restrict access to a group.
Due to FERPA restrictions here, we can't query memberOf for random people via a machine account, so things like:
ad_access_filter = (memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah)
won't work. I see from debug level 7 that this translates into a query like:
(&(sAMAccountName=nik)(objectclass=user)(memberOf=CN=group-of-admins,OU=Groups,OU=XYZ,DC=blah,DC=blah,DC=blah))
I've verified independently with ldapsearch that if I do this under the machine account, I don't get anything back. Note that if this query was done in the context of the user just logging in ("nik") then it would work since I have the privs to see my own memberOf. But, I think (I guess) that the query is being done by SSSD-AD as the machine account.
I've also played around with doing a filter like "(&(objectCategory=group)(CN=group-of-admins))" which does actually return a list of "member:" entries for an ldapsearch when using the machine account privs. However, if I plug this into ad_access_filter, it's not allowing access I think because of the (&sAMAccountName=…) being a query of a user object whereas the group query is a group object and the filter isn't being satisfied. From looking at the code I think it's not designed to handle being returned an object which has a list of "member:" entries and looking for the user in that list. SMOP I guess :)
So, misc blathering aside, does anybody have any suggestions on how I should go about restricting access to groups in cases where machine accounts aren't allowed access to the memberOf information for users? Is there a way to get it via a group filter, or should/could the memberOf query be done under the context and privs of the user accessing it? (I guess that would have implications on caching though…)
Would: access_provider = simple simple_allow_groups = group-of-admins do the trick for you?