Hello
I am new to sssd. I have set up a CentOS sssd (1.8.0) and LDAP authentication. The LDAP stuff seems to work. I want to restrict logins to users of certain netgroups. Usually we do this with "compat" in /etc/nsswitch.conf and entries like "+@groupname" in /etc/passwd.
Does this mechanism work with sssd? Right now I have:
passwd: files sss
shadow: files sss
group: files sss
and it seems that all users from the users LDAP subtree could login, "getent passwd" shows all LDAP users.
If I change this to
passwd: compat
shadow: compat
group: compat
passwd_compat: sss
group_compat: sss
"getent passwd" only shows local users from the passwd file.
Configure sssd.conf:
ldap_netgroup_search_base = ou=Netgroup,dc=example,dc=com
Restart sssd
service sssd start
Append the following lines to the /etc/security/access.conf file. This will allow local root access, allow the sys_netgroup netgroup, and deny all others.
+:root:LOCAL
+:@sys_netgroup:ALL
-:ALL:ALL
Edit nsswitch.conf to look for authentication info in sssd. Remember to do this for passwd, shadow, group, and netgroup:
passwd: sss files
shadow: sss files
group: sss files
netgroup: sss
Regards
Arpit Tolani
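The access.conf rules above are evaluated first-match-wins by pam_access, and a login that matches no rule is permitted, which is why the trailing -:ALL:ALL matters. The following added example (not from the thread, sssd or Linux-PAM) models that evaluation in a simplified form; the netgroup membership is constructed data standing in for what sssd would return via "netgroup: sss".

```python
"""Simplified model of pam_access(8) rule matching for /etc/security/access.conf.

Added example, not code from the original post, sssd or Linux-PAM. It checks
which users a rule set admits. EXCEPT clauses and user@host forms are not
modelled; see pam_access(8) for the exact semantics.
"""

# The three rules suggested in the thread.
ACCESS_CONF = """\
+:root:LOCAL
+:@sys_netgroup:ALL
-:ALL:ALL
"""

# Constructed netgroup data, standing in for the LDAP netgroups under
# ou=Netgroup,dc=example,dc=com that sssd would serve.
NETGROUPS = {"sys_netgroup": {"alice", "bob"}}


def parse_access_conf(text):
    """Return a list of (allow, user_fields, origin_fields) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        perm, users, origins = line.split(":", 2)
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def user_matches(field, user):
    if field == "ALL":
        return True
    if field.startswith("@"):                    # @name is a netgroup
        return user in NETGROUPS.get(field[1:], set())
    return field == user


def origin_matches(field, origin):
    if field == "ALL":
        return True
    if field == "LOCAL":
        # Simplified: LOCAL is an origin with no '.' or '@', e.g. a tty name.
        return "." not in origin and "@" not in origin
    return field == origin


def check_access(rules, user, origin):
    """First matching rule decides; with no match pam_access permits the login."""
    for allow, users, origins in rules:
        if any(user_matches(u, user) for u in users) and \
           any(origin_matches(o, origin) for o in origins):
            return allow
    return True
```

Dropping the final -:ALL:ALL line makes check_access permit every user that the first two rules do not match, which is the failure mode the catch-all rule prevents.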