Thanks. For the LDAP provider, what did you mean by matched with a
substring search? A wildcard?
--
Sean Roberts
On Thu, Jan 17, 2019 at 1:29 PM Jakub Hrozek <jhrozek@redhat.com> wrote:
> On Tue, Jan 15, 2019 at 07:32:34AM -0700, Sean Roberts wrote:
> > SSSD experts - Is it possible to simplify ldap searches like the one
> > below to specify the group name without its full path:
> > ```
> > ldap_user_search_base="DC=example,DC=internal?subtree?(|(memberOf=CN=project-users,OU=2,OU=1,DC=example,DC=internal)(memberOf=CN=project-admins,OU=2,OU=1,DC=example,DC=internal))"
> > ```
> >
> > Doing so would simplify configurations and prevent issues when objects
> > are moved within the directory:
>
> I think it depends on the schema on the server and whether the DN can be
> matched with a substring search. It looks like at least 389ds allows
> that. In general, this is not something sssd enforces, sssd just blindly
> takes the search filter and uses it.
>
> >
> > *p.s. for access_provider, the following has worked to simplify part of
> > our config. Likely means less load on LDAP. I'm assuming it's safe.*
> > ```
> > id_provider=ldap
> > access_provider=simple
> > simple_allow_groups=group1, group2
> > ```
>
> Yes, but the simple access provider works differently. The group
> membership is first calculated and stored in the cache and the simple
> access provider only consults the cache contents.
>
> One difference is that with the user search base, accounts outside the
> search base wouldn't even be visible on the client with NSS lookups,
> with the simple access provider they would, 'just' the access on the PAM
> level would be enforced. This may or may not be what you want (e.g. you
> might want to convert IDs that the users who can't log in own..)
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
>
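As an added example, not part of the thread and not sssd's own code, the following script models offline the difference Jakub describes: an ldap_user_search_base "base?scope?filter" triple decides which accounts the id provider returns at all (so what NSS sees), while simple_allow_groups only consults cached group names and is enforced at the PAM level. The directory entries, the substring variant of the filter, and the way a group name is derived from a memberOf DN are all constructed assumptions for illustration; whether a real server accepts a substring filter on a DN-syntax attribute such as memberOf depends on that attribute's matching rule, which is the point of the "depends on the schema" answer above.

```python
"""Offline model of the two sssd approaches in the thread (added example, not
sssd code): evaluate an ldap_user_search_base "base?scope?filter" value, using
an RFC 4515 subset (and/or/not, equality, presence, '*' substrings), against
constructed entries, then apply a simple_allow_groups-style name check."""
import re

SCOPES = ("base", "onelevel", "subtree")
BASE = "DC=example,DC=internal"
# The value from the thread, as one base?scope?filter triple.
PAGE_SEARCH_BASE = (BASE + "?subtree?(|"
    "(memberOf=CN=project-users,OU=2,OU=1,DC=example,DC=internal)"
    "(memberOf=CN=project-admins,OU=2,OU=1,DC=example,DC=internal))")
# Hypothetical substring variant: match each group by its leading RDN only.
SUBSTRING_SEARCH_BASE = BASE + "?subtree?(|(memberOf=CN=project-users,*)(memberOf=CN=project-admins,*))"
# Constructed entries, not from a real directory; attribute names are lower-case.
ENTRIES = [
    {"dn": "uid=alice,OU=2,OU=1," + BASE, "uid": ["alice"],
     "memberof": ["CN=project-users,OU=2,OU=1,DC=example,DC=internal"]},
    {"dn": "uid=bob,OU=people," + BASE, "uid": ["bob"],        # group moved to OU=3
     "memberof": ["CN=project-admins,OU=3,OU=1,DC=example,DC=internal"]},
    {"dn": "uid=carol,OU=people," + BASE, "uid": ["carol"],
     "memberof": ["CN=other,OU=2,OU=1,DC=example,DC=internal"]},
    {"dn": "uid=dave,DC=other,DC=internal", "uid": ["dave"],   # outside the base
     "memberof": ["CN=project-users,OU=2,OU=1,DC=example,DC=internal"]},
]


def parse_search_base(value):
    """Split 'base?scope?filter'; a bare base means subtree with no filter."""
    parts = value.split("?")
    if len(parts) == 1:
        return parts[0], "subtree", None
    if len(parts) != 3 or parts[1] not in SCOPES:
        raise ValueError("expected base?scope?filter with a valid scope")
    return parts[0], parts[1], parts[2] or None


def parse_filter(text):
    node, end = _parse(text, 0)
    assert end == len(text), "trailing characters in filter"
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError(f"bad '{op}' list at {i}")
        return (op, kids), i + 1
    end = s.index(")", i)  # values containing ')' are not supported
    attr, sep, pattern = s[i:end].partition("=")
    if not sep:
        raise ValueError("only equality and substring items are supported")
    return ("=", attr.lower(), pattern), end + 1


def _match(node, entry):
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(_match(k, entry) for k in node[1])
    if op == "!":
        return not _match(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":  # presence test
        return bool(values)
    if "*" in pattern:  # substring; real servers allow this only per the attribute's matching rule
        rx = re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.I)
        return any(rx.match(v) for v in values)
    return any(v.lower() == pattern.lower() for v in values)  # plain string compare, not DN normalisation


def _in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    return scope == "subtree" or "," not in dn[: -len(base) - 1]


def visible_users(search_base, entries):
    """Users the id provider returns under this search base, i.e. what NSS sees."""
    base, scope, flt = parse_search_base(search_base)
    node = parse_filter(flt) if flt else None
    return sorted(e["uid"][0] for e in entries
                  if _in_scope(e["dn"], base, scope) and (node is None or _match(node, e)))


def simple_allowed(entry, simple_allow_groups):
    """Model of simple_allow_groups: compares cached group *names*, not DNs. The
    name is approximated here by the first RDN value of each memberOf DN."""
    wanted = {g.strip().lower() for g in simple_allow_groups.split(",")}
    names = {dn.split(",", 1)[0].split("=", 1)[1].lower() for dn in entry.get("memberof", [])}
    return bool(wanted & names)
```

Run visible_users(PAGE_SEARCH_BASE, ENTRIES) and only alice comes back: bob's group was moved to OU=3 and dave sits outside the search base, so neither is resolvable through NSS at all. The substring variant brings bob back, and simple_allowed(..., "project-users, project-admins") admits alice, bob and dave, because the simple provider never narrows the search; it only decides the PAM access phase after the accounts are already cached.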