On 11/24/17, 8:22 AM, "Jakub Hrozek" jhrozek@redhat.com wrote:
On Fri, Nov 24, 2017 at 10:02:15AM +0000, Conwell, Nik wrote:
The simple access provider looks at the user entry itself and their groups in the sssd cache - unlike the access filter, which is applied against the entry in the LDAP server.
So yes, SSSD first resolves the groups during the initgroups operation and then runs the simple access check on the result.
Hi, sorry for the radio silence on this. I took a look at the groups available, picked one appropriate for membership, and using simple_allow_groups restricts/enables access as desired. Success!
I've also discovered that even though we restrict access to memberOf, there are other fields in AD that are visible for the access filter, so I can do things like:
ad_access_filter = (|(department=IT)(manager=CN=myboss,OU=People,DC=blah,DC=blah,DC=com))
to allow access to a department or people who are in my immediate group.
Thanks very much for your help Jakub!
-nik
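The ad_access_filter above is handed to the LDAP server, which evaluates it against the user's entry; sssd only sees whether the entry matched. As an added illustration (not part of this thread or of sssd), the following Python evaluates the same RFC 4515 filter syntax offline against constructed directory entries, so you can check what a filter will and will not match before rolling it out. It models AD's case-insensitive matching for string and DN attributes and supports the subset access filters normally need: &, |, !, equality and presence. The sample users (alice, bob, carol, dave) and their attributes are constructed for the example.

```python
"""
Offline evaluator for the kind of LDAP search filter used in sssd's
ad_access_filter (example code, not part of sssd).

Supported RFC 4515 subset: (&...), (|...), (!...), equality (attr=value)
and presence (attr=*). Attribute names and values are compared
case-insensitively, mirroring AD's matching rules for string/DN syntax
attributes. Values may use \\XX hex escapes as in RFC 4515.
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]  # attribute name -> list of values

_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def _unescape(value: str) -> str:
    """Decode RFC 4515 \\XX escapes, e.g. \\28 -> '(' and \\2a -> '*'."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str) -> tuple:
    """Parse a filter string into a tree of tuples; raise ValueError if malformed."""
    s = text.strip()
    pos, node = _parse(s, 0)
    if pos != len(s):
        raise ValueError(f"unexpected trailing data at offset {pos}")
    return node


def _parse(s: str, i: int) -> Tuple[int, tuple]:
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    op = s[i]
    if op in "&|":  # n-ary AND / OR: (&(a=1)(b=2))
        i += 1
        children: list = []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return i + 1, (op, children)
    if op == "!":  # unary NOT: (!(a=1))
        i, child = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return i + 1, ("!", [child])
    # Simple item: attr=value up to the closing paren. Splitting on the
    # first '=' keeps DN values such as CN=x,OU=y intact.
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"malformed filter item {s[i:end]!r}")
    if value == "*":  # presence test, checked before unescaping (\2a is a literal '*')
        return end + 1, ("present", attr)
    return end + 1, ("=", attr, _unescape(value))


def matches(node: tuple, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    attr = node[1].casefold()
    # Attribute names are case-insensitive; an attribute the server does
    # not return (e.g. one the bind identity may not read) is simply absent.
    values = [v for k, vs in entry.items() if k.casefold() == attr for v in vs]
    if kind == "present":
        return bool(values)
    wanted = node[2].casefold()
    return any(v.casefold() == wanted for v in values)


def access_allowed(filter_text: str, entry: Entry) -> bool:
    """True if the entry would satisfy the given ad_access_filter."""
    return matches(parse_filter(filter_text), entry)


# The filter from the thread and four constructed sample entries.
ACCESS_FILTER = "(|(department=IT)(manager=CN=myboss,OU=People,DC=blah,DC=blah,DC=com))"
ALICE: Entry = {"sAMAccountName": ["alice"], "department": ["IT"],
                "manager": ["CN=someone,OU=People,DC=blah,DC=blah,DC=com"]}
BOB: Entry = {"sAMAccountName": ["bob"], "department": ["Finance"],
              "manager": ["cn=myboss,ou=People,dc=blah,dc=blah,dc=com"]}
CAROL: Entry = {"sAMAccountName": ["carol"], "department": ["Finance"],
                "manager": ["CN=otherboss,OU=People,DC=blah,DC=blah,DC=com"]}
DAVE: Entry = {"sAMAccountName": ["dave"]}  # neither department nor manager set

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL, DAVE):
        print(user["sAMAccountName"][0], access_allowed(ACCESS_FILTER, user))
```

Two things this makes visible: bob is allowed even though his manager DN differs in case from the filter, because AD compares DN and string attributes case-insensitively; and dave, with neither attribute populated, is denied. The same absence is what happens when an attribute such as memberOf is hidden from the bind identity: the server cannot match on what it will not return, which is why the group check in this thread had to go through simple_allow_groups (evaluated against the cache after initgroups) rather than the access filter.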
_______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org