I am stuck with Ubuntu 10.04 (no chance of upgrading our servers). This means I am currently running SSSD 1.0.5.
I want to limit which users can log in. In later versions I believe I would use 'ldap_access_filter'.
This would allow only users in the specified groups to log in.
Given my limitation on the version of SSSD, can anyone help me achieve the same, or is it not possible?
I am a bit scared of rebuilding newer versions of SSSD.
Hope you can help
Dan
On Mon, Jan 14, 2013 at 08:37:56PM +0000, Daniel Laird wrote:
> I am stuck with Ubuntu 10.04 (no chance of upgrading our servers). This means I am currently running SSSD 1.0.5.
This is a very, very old version of SSSD. It hasn't been supported in ages.
> I want to limit which users can log in. In later versions I believe I would use 'ldap_access_filter'.
Does that version have the "simple" access provider (man sssd-simple)? If so, you could use that one.
> This would allow only users in the specified groups to log in.
> Given my limitation on the version of SSSD, can anyone help me achieve the same, or is it not possible?
> I am a bit scared of rebuilding newer versions of SSSD.
I would really urge you to upgrade. I'm CC-ing Timo Aaltonen, the Ubuntu SSSD maintainer.
Timo, do you have maybe any PPA for 10.04 with more recent SSSD versions?
> Hope you can help
> Dan
On Mon 14 Jan 2013 04:28:57 PM EST, Jakub Hrozek wrote:
> Timo, do you have maybe any PPA for 10.04 with more recent SSSD versions?
SSSD was approved for a standing Micro Release Exception on January 8th[1], meaning that it's now on the list of packages that Ubuntu can opt to upgrade within a stable release. My understanding is that there are plans to backport SSSD 1.8 at least to the currently-supported Ubuntu releases, though Timo will have to confirm that for me (I'm only going from hearsay).
[1] https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions
On Mon, Jan 14, 2013 at 04:41:42PM -0500, Stephen Gallagher wrote:
> SSSD was approved for a standing Micro Release Exception on January 8th[1], meaning that it's now on the list of packages that Ubuntu can opt to upgrade within a stable release. My understanding is that there are plans to backport SSSD 1.8 at least to the currently-supported Ubuntu releases, though Timo will have to confirm that for me (I'm only going from hearsay).
> [1] https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions
Ah, thank you, I was wondering what MRE stands for when I was skimming through the Ubuntu bug reports lately :-)
On 14.01.2013 23:28, Jakub Hrozek wrote:
> Timo, do you have maybe any PPA for 10.04 with more recent SSSD versions?
yep, the updates PPA has 1.5.15 for 10.04:
https://launchpad.net/~sssd/+archive/updates
Many thanks for the help,
We have updated the version of SSSD we are using to be: 1.5.15-0ubuntu6~lucid2
I’ve set up our domain (EEMEA) with:
    access_provider = ldap
    ldap_access_order = filter
and an empty ldap_access_filter.
The logs suggest that this will deny any domain users who try to log on:
    (Wed Jan 16 14:25:14 2013) [sssd[be[EEMEA]]] [sssm_ldap_access_init] (0): Warning: LDAP access rule 'filter' is set, but no ldap_access_filter configured. All domain users will be denied access.
However, this doesn’t bear out in reality:
    (Wed Jan 16 14:25:19 2013) [sssd[be[EEMEA]]] [be_pam_handler] (4): Got request with the following data
    (Wed Jan 16 14:25:19 2013) [sssd[be[EEMEA]]] [pam_print_data] (4): command: PAM_AUTHENTICATE
    .....
    (Wed Jan 16 14:25:20 2013) [sssd[be[EEMEA]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
We normally have the following in our config:
    cache_credentials = TRUE
    enumerate = TRUE
I’ve also tried with these values set to False, with the same results.
I’ve also tried:
    access_provider = deny
and
    access_provider = simple
    simple_allow_users = bob
Logging in as peter still succeeds, in both cases.
Any hints? Is this a problem with our config or this version of SSSD?
Many thanks for the help
Dan
________________________________
From: Timo Aaltonen tjaalton@ubuntu.com
To: sssd-users@lists.fedorahosted.org
Sent: Tuesday, 15 January 2013, 7:58
Subject: Re: [SSSD-users] Problem limiting access to Users in Certain AD groups.
> yep, the updates PPA has 1.5.15 for 10.04:
> https://launchpad.net/~sssd/+archive/updates
On Wed 16 Jan 2013 10:44:03 AM EST, Daniel Laird wrote:
> Any hints? Is this a problem with our config or this version of SSSD?
> Many thanks for the help
> Dan
This is a problem with your config. The authentication step is expected to succeed. The denial should be happening during pam_acct_mgmt() which is later in the stack. I'm guessing your PAM stack is missing pam_sss.so in the 'account' stack.
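The check suggested in the reply above, as an added example that is not part of the original thread: it parses PAM stack text and reports when pam_sss.so handles 'auth' but is missing from 'account', so SSSD's access_provider is never consulted. The sample stacks are constructed (Ubuntu-style lines), the function names are hypothetical, and the 'sufficient pam_permit.so' check goes one step beyond the case discussed in the thread.

```python
import re

# Constructed sample: pam_sss.so is in 'auth' but not in 'account'.
BROKEN = """\
# /etc/pam.d/common-auth + common-account (constructed sample)
auth     [success=2 default=ignore]  pam_unix.so nullok_secure
auth     [success=1 default=ignore]  pam_sss.so use_first_pass
auth     requisite                   pam_deny.so
account  [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
account  requisite                   pam_deny.so
account  required                    pam_permit.so
"""
# Same stack with the account phase also routed through SSSD.
FIXED = BROKEN + "account  [default=bad success=ok user_unknown=ignore]  pam_sss.so\n"

LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_stack(text):
    """Return {phase: [(control, module), ...]} in file order."""
    stack = {"auth": [], "account": [], "password": [], "session": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = LINE.match(line)
        if m:
            phase, control, module = m.groups()
            stack[phase].append((control, module.rsplit("/", 1)[-1]))
    return stack

def access_check_findings(text, module="pam_sss.so"):
    """List reasons why SSSD's access_provider might never be consulted."""
    stack = parse_stack(text)
    in_auth = any(m == module for _, m in stack["auth"])
    acct = [m for _, m in stack["account"]]
    findings = []
    if in_auth and module not in acct:
        findings.append(f"{module} authenticates users but is absent from "
                        "'account': access_provider is never evaluated")
    elif module in acct:
        # A 'sufficient' module that always succeeds ends the phase early.
        for control, m in stack["account"][:acct.index(module)]:
            if control == "sufficient" and m == "pam_permit.so":
                findings.append(f"{m} is 'sufficient' ahead of {module}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, access_check_findings(cfg) or "account phase reaches pam_sss.so")
```
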