I had the exact same problem a week or 2 ago; look at the documentation or my previous emails and you will have the answer.
On Wed, Jun 10, 2020, 5:43 AM Sangster, Mark <m.v.sangster@abdn.ac.uk> wrote:
Hello,
I was attempting to utilise the AD provider for access control; however, I cannot make it work with members of nested groups, i.e. when using the LDAP_MATCHING_RULE_IN_CHAIN.
This functions:
access_provider = ldap
ldap_sasl_authid = SERVER$@DOMAIN
ldap_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=ServerGroup,OU=Groups,DC=DOMAIN)
This doesn’t:
access_provider = ad
ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=ServerGroup,OU=Groups,DC=DOMAIN)
Have I missed anything?
It would also be useful if it is possible to allow local users access alongside the remote users, e.g. allow both “domain_account” and “local_account” access. Is that possible?
Thanks,
Mark

Mark Sangster
Server Infrastructure Specialist
Information Technology Services | University of Aberdeen
t: +44 (0)1224 27-3315 | e: mark@abdn.ac.uk | u: http://www.abdn.ac.uk/it/

The University of Aberdeen is a charity registered in Scotland, No SC013683.
Tha Oilthigh Obar Dheathain na charthannas clàraichte ann an Alba, Àir. SC013683.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...

Many thanks, I will hunt for that.
Any advice on the local/remote user controls?

From: Personne <cpdivers@gmail.com>
Sent: 10 June 2020 15:47
To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org>
Subject: [SSSD-users] Re: Access Filters

I had the exact same problem a week or 2 ago; look at the documentation or my previous emails and you will have the answer.