Hey All,
Given this example below which spans the entire line:
ad_access_filter = (|(memberOf=CN=group-of -admins,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of -managers,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of -minions,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of -analysts,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of -limited,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of -viewers,OU=XYZ,DC=blah,DC=blah,DC=blah))
Has anyone tried to use a backslash to split the line like this?
ad_access_filter = (| \
(memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah) \
(memberOf=CN=group-of-managers,OU=XYZ,DC=blah,DC=blah,DC=blah) \
(memberOf=CN=group-of-minions,OU=XYZ,DC=blah,DC=blah,DC=blah) \
(memberOf=CN=group-of-analysts,OU=XYZ,DC=blah,DC=blah,DC=blah) \
(memberOf=CN=group-of-limited,OU=XYZ,DC=blah,DC=blah,DC=blah) \
(memberOf=CN=group-of-viewers,OU=XYZ,DC=blah,DC=blah,DC=blah))
Or would the backslashes get interpreted when SSSD reads the file?
FYI, tested this, and though it doesn’t work for ad_access_filter, it does for the ldap_access_filter. Any reason why one works but not the other?
Cheers, Tom
Sent from my iPhone
On Sep 26, 2018, at 12:11 AM, TomK tomkcpr@mdevsys.com wrote:
Hey All,
Given this example below which spans the entire line:
ad_access_filter = (|(memberOf=CN=group-of -admins,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of -managers,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of -minions,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of -analysts,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of -limited,OU=XYZ,DC=blah,DC=blah,DC=blah)(memberOf=CN=group-of -viewers,OU=XYZ,DC=blah,DC=blah,DC=blah))
Has anyone tried to use a backslash to split the line like this?
ad_access_filter = (| \
(memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah) \
(memberOf=CN=group-of-managers,OU=XYZ,DC=blah,DC=blah,DC=blah) \
(memberOf=CN=group-of-minions,OU=XYZ,DC=blah,DC=blah,DC=blah) \
(memberOf=CN=group-of-analysts,OU=XYZ,DC=blah,DC=blah,DC=blah) \
(memberOf=CN=group-of-limited,OU=XYZ,DC=blah,DC=blah,DC=blah) \
(memberOf=CN=group-of-viewers,OU=XYZ,DC=blah,DC=blah,DC=blah))
Or would the backslashes get interpreted when SSSD reads the file?
-- Cheers, Tom K. _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
On 09/27/2018 10:55 PM, Tom wrote:
FYI, tested this, and though it doesn’t work for ad_access_filter, it does for the ldap_access_filter. Any reason why one works but not the other?
Hi,
I would like to see logs in this case in order to understand where the issue may be.
If the sssd does not even start and logs show that the option could not be parsed then it could be an issue in libini.
If it fails later then maybe we handle the multiline option badly in SSSD.
Also I am not sure what 'doesn't work' in this context means. Is the filter not effective or is SSSD failing to start/do some operation?
Thanks, Michal
On Fri, Oct 05, 2018 at 12:25:08PM +0200, Michal Židek wrote:
On 09/27/2018 10:55 PM, Tom wrote:
FYI, tested this, and though it doesn’t work for ad_access_filter, it does for the ldap_access_filter. Any reason why one works but not the other?
Hi,
I would like to see logs in this case in order to understand where the issue may be.
If the sssd does not even start and logs show that the option could not be parsed then it could be an issue in libini.
If it fails later then maybe we handle the multiline option badly in SSSD.
Also I am not sure what 'doesn't work' in this context means. Is the filter not effective or is SSSD failing to start/do some operation?
To put a little more context, the only difference between the ldap_access_filter and ad_access_filter should be that the former uses whatever LDAP authentication you configure (bind DN, SASL GSSAPI, ...) and the latter re-uses the GSSAPI authenticated connection that the ID provider uses.
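
An added example, not part of the thread and not SSSD code: a Python check of an access-filter value against RFC 4515 filter syntax, run on the thread's placeholder DNs. `check_filter` is a hypothetical helper, and `SPLIT_LITERAL` assumes the backslashes and newlines reach the filter string unchanged, which the thread does not establish.

```python
import re

# RFC 4515: a backslash is only valid as an escape, "\" plus two hex digits.
STRAY_BACKSLASH = re.compile(r"\\(?![0-9A-Fa-f]{2})")
# Whitespace directly after ")" or after "(|", "(&", "(!" sits where the
# RFC 4515 grammar expects the next "(" or ")".
GAP = re.compile(r"(?:\)|\([|&!])(\s+)")

def check_filter(value):
    """Return sorted (kind, offset) findings for a filter string; [] means clean."""
    value = value.strip()
    findings = []
    depth = 0
    for pos, ch in enumerate(value):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                findings.append(("unbalanced-close", pos))
                depth = 0
    if depth:
        findings.append(("unclosed-open", len(value)))
    findings += [("stray-backslash", m.start())
                 for m in STRAY_BACKSLASH.finditer(value)]
    findings += [("whitespace-gap", m.start(1)) for m in GAP.finditer(value)]
    return sorted(findings, key=lambda f: f[1])

# Constructed sample values built from the thread's placeholder DNs.
GROUPS = ["group-of-admins", "group-of-managers", "group-of-minions"]
TERMS = [f"(memberOf=CN={g},OU=XYZ,DC=blah,DC=blah,DC=blah)" for g in GROUPS]
ONE_LINE = "(|" + "".join(TERMS) + ")"
# Assumption: the config reader hands the value over with "\" and newlines intact.
SPLIT_LITERAL = "(| \\\n" + " \\\n".join(TERMS) + ")"

if __name__ == "__main__":
    for name, value in (("one line", ONE_LINE), ("split", SPLIT_LITERAL)):
        print(name, check_filter(value) or "clean")
```

Running the same check on the value SSSD reports in its debug logs, rather than on the file text, shows whether a failure comes from the parsed value or from a later stage.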