I want to be sure I understand this as well...
So, when you have ldap_group_search_base defined, using simple will look for any group name that is defined where the groupname would be (essentially) cn=groupname within the entire ldap_group_search_base definition? For example, if you had the following:
ldap_group_search_base = ou=Groups,ou=Test,dc=example,dc=com?subtree?ou=Groups,ou=Default,dc=example,dc=com?subtree?

and the group cn was

cn=groupname,ou=Groups,ou=Default,dc=example,dc=com

then using:

access_provider = simple
simple_allow_groups = groupname
would trigger the allow without needing to know the fully defined attribute? I think the answer is "yes". If so, definitely seems "simpler".
=G=

________________________________________
From: sssd-users-bounces@lists.fedorahosted.org <sssd-users-bounces@lists.fedorahosted.org> on behalf of Jakub Hrozek <jhrozek@redhat.com>
Sent: Wednesday, April 29, 2015 1:37 PM
To: Sterling Sahaydak
Cc: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] SSH - sssd: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
On Wed, Apr 29, 2015 at 04:35:29PM +0000, Sterling Sahaydak wrote:
Thanks Jakub.
Hmmm, not sure I understand, can you elaborate with an example using dc=ad,dc=example,dc=com?
Well, your example used:

ldap_access_filter = memberof=cn=groupname,ou=groups,dc=ad,dc=example,dc=com

Which reads to me as 'only allow users who are members of groupname'.

The same could be specified as:

access_provider = simple
simple_allow_groups = groupname

The difference is if there was another intermediate group between the user and groupname: user -> foogr -> groupname

Then AFAIU user would only have memberof:cn=foogr in his LDAP attribute in AD, so the access filter wouldn't match. In contrast, the simple access provider is called after all the group memberships are evaluated, so it would work even with group nesting.

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
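The following is an added example, not code from the thread or from sssd, that models the two behaviours Jakub describes and the search-base question asked above. It keeps a constructed in-memory directory (users whose memberOf attribute lists only their direct groups, plus a nested group chain user -> foogr -> groupname), evaluates a `memberof=<DN>` access filter against the user's own attribute, and separately evaluates `simple_allow_groups` after resolving nested groups by short name within the configured `ldap_group_search_base`. The DNs, user names and the search-base value (written in sssd's documented `base?scope?filter?base?scope?filter` form, with empty filters) are all made up for the example.

```python
# Added example (not sssd's code): toy model of ldap_access_filter versus
# access_provider = simple. The directory is constructed; real sssd fetches
# these attributes over LDAP and resolves nested groups itself.

def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: lowercase, no blanks around '=' or ','."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return ",".join(rdns)


def dn_under(dn: str, base: str) -> bool:
    """True if dn equals base or lies beneath it (subtree scope)."""
    d, b = norm_dn(dn), norm_dn(base)
    return d == b or d.endswith("," + b)


def rdn_value(dn: str) -> str:
    """Value of the leftmost RDN, e.g. 'groupname' for 'cn=groupname,...'."""
    return norm_dn(dn).split(",")[0].partition("=")[2]


def parse_search_base(value: str):
    """Split sssd's 'base?scope?filter[?base?scope?filter]*' syntax into
    (base, scope, filter) triples; a bare DN means one subtree base."""
    tokens = value.split("?")
    if len(tokens) == 1:
        return [(tokens[0], "subtree", "")]
    triples = []
    for i in range(0, len(tokens), 3):
        chunk = tokens[i:i + 3] + ["", "", ""]
        if chunk[0]:  # skip the empty token a trailing '?' leaves behind
            triples.append((chunk[0], chunk[1] or "subtree", chunk[2]))
    return triples


# --- constructed directory -------------------------------------------------
GROUPS = "ou=Groups,ou=Default,dc=example,dc=com"
_RAW = {
    # users: memberOf holds only DIRECT memberships, as AD returns it
    "cn=alice,ou=Users,dc=example,dc=com": ["cn=foogr," + GROUPS],
    "cn=bob,ou=Users,dc=example,dc=com": ["cn=groupname," + GROUPS],
    "cn=carol,ou=Users,dc=example,dc=com": ["cn=groupname,ou=Groups,ou=Other,dc=example,dc=com"],
    # groups: foogr is nested inside groupname (user -> foogr -> groupname)
    "cn=foogr," + GROUPS: ["cn=groupname," + GROUPS],
    "cn=groupname," + GROUPS: [],
    "cn=groupname,ou=Groups,ou=Other,dc=example,dc=com": [],
}
DIRECTORY = {norm_dn(k): [norm_dn(v) for v in vals] for k, vals in _RAW.items()}

# constructed sssd.conf values (two search bases, both subtree, empty filters)
SEARCH_BASE = ("ou=Groups,ou=Test,dc=example,dc=com?subtree??"
               "ou=Groups,ou=Default,dc=example,dc=com?subtree?")
ACCESS_FILTER = "memberof=cn=groupname,ou=Groups,ou=Default,dc=example,dc=com"
ALLOW_GROUPS = "groupname"


def ldap_access_filter_allows(user_dn: str, ldap_access_filter: str) -> bool:
    """ldap_access_filter = memberof=<group DN>: matches only the user's own
    memberOf attribute, so nested membership is invisible to it."""
    attr, _, wanted = ldap_access_filter.partition("=")
    values = DIRECTORY.get(norm_dn(user_dn), [])
    return attr.strip().lower() == "memberof" and norm_dn(wanted) in values


def resolve_groups(user_dn: str, ldap_group_search_base: str) -> set:
    """Follow memberOf transitively, but only through groups that sit under
    one of the configured search bases (groups elsewhere are never looked up)."""
    bases = [b for b, _, _ in parse_search_base(ldap_group_search_base)]
    seen, todo = set(), list(DIRECTORY.get(norm_dn(user_dn), []))
    while todo:
        g = todo.pop()
        if g in seen or not any(dn_under(g, b) for b in bases):
            continue
        seen.add(g)
        todo.extend(DIRECTORY.get(g, []))
    return {rdn_value(g) for g in seen}


def simple_allows(user_dn: str, simple_allow_groups: str, ldap_group_search_base: str) -> bool:
    """access_provider = simple: runs after group resolution and compares
    short group names, so nested membership counts."""
    wanted = {g.strip().lower() for g in simple_allow_groups.split(",") if g.strip()}
    return bool(wanted & resolve_groups(user_dn, ldap_group_search_base))


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        dn = f"cn={user},ou=Users,dc=example,dc=com"
        print(user, "filter:", ldap_access_filter_allows(dn, ACCESS_FILTER),
              "simple:", simple_allows(dn, ALLOW_GROUPS, SEARCH_BASE))
```

Running it shows alice (member of groupname only through foogr) denied by the memberOf filter but allowed by the simple provider, bob allowed by both, and carol denied by both because her group lives outside every configured search base, so sssd would never resolve it in the first place.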