Hi there,
I am new to sssd. I have setup a CentOS sssd (1.8.0) and LDAP authentication. The LDAP stuff seems to work. I want to restrict logins to users of certain netgroups. Usually we do this with "compat" in /etc/nsswitch.conf and entries like "+@groupname" in /etc/passwd.
Does this mechanism work with sssd? Right now I have:
passwd: files sss
shadow: files sss
group: files sss
and it seems that all users from the users LDAP subtree could login, "getent passwd" shows all LDAP users.
If I change this to
passwd: compat
shadow: compat
group: compat
passwd_compat: sss
group_compat: sss
"getent passwd" only shows local users from the passwd file.
Thanks for any help, Olaf
Hello
> I am new to sssd. I have setup a CentOS sssd (1.8.0) and LDAP authentication. The LDAP stuff seems to work. I want to restrict logins to users of certain netgroups. Usually we do this with "compat" in /etc/nsswitch.conf and entries like "+@groupname" in /etc/passwd.
> Does this mechanism work with sssd? Right now I have:
> passwd: files sss
> shadow: files sss
> group: files sss
> and it seems that all users from the users LDAP subtree could login, "getent passwd" shows all LDAP users.
> If I change this to
> passwd: compat
> shadow: compat
> group: compat
> passwd_compat: sss
> group_compat: sss
> "getent passwd" only shows local users from the passwd file.
Configure sssd.conf:
ldap_netgroup_search_base = ou=Netgroup,dc=example,dc=com
Restart sssd
service sssd start
Append the following lines to the /etc/security/access.conf file. This will allow local root access, allow the sys_netgroup netgroup, and deny all others.
+:root:LOCAL
+:@sys_netgroup:ALL
-:ALL:ALL
Edit nsswitch.conf to look for authentication info in sssd. Remember to do this for passwd, shadow, group, and netgroup
passwd: sss files
shadow: sss files
group: sss files
netgroup: sss
Regards
Arpit Tolani
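To see what the three access.conf lines above actually do when pam_access evaluates them, here is a small model of that evaluation. This is an added illustration, not code from the thread, from SSSD or from Linux-PAM; the netgroup triples and the user names alice, bob and mallory are constructed, only sys_netgroup comes from the thread, and the handling of LOCAL is a simplification (an origin without a '.', i.e. a tty or bare host name). It shows why the trailing -:ALL:ALL line matters: pam_access grants access when no rule matches at all.

```python
"""Model of how pam_access evaluates the access.conf rules suggested in the thread.

Added illustration, not code from the thread, from SSSD or from Linux-PAM.
The netgroup triples and user names below are constructed; only 'sys_netgroup'
comes from the thread. A console/tty login is represented by an empty origin.
"""

# Constructed netgroup data as (host, user, domain) triples, the form SSSD
# returns from an LDAP netgroup lookup. An empty field acts as a wildcard.
NETGROUPS = {
    "sys_netgroup": [("", "alice", ""), ("", "bob", "")],
}

# The exact three rules from the thread's access.conf suggestion.
ACCESS_CONF = """\
+:root:LOCAL
+:@sys_netgroup:ALL
-:ALL:ALL
"""


def in_netgroup(name, user):
    """Membership test modelled on innetgr() called with only the user field set."""
    return any(member in ("", user) for _host, member, _domain in NETGROUPS.get(name, []))


def parse_rules(text):
    """Parse 'permission:users:origins' lines; the users and origins fields may list several tokens."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def user_matches(token, user):
    if token == "ALL":
        return True
    if token.startswith("@"):
        return in_netgroup(token[1:], user)
    return token == user


def origin_matches(token, origin):
    # Assumption/simplification: LOCAL matches an origin without a '.', i.e. a
    # tty name or a bare host name. The EXCEPT keyword is not modelled.
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in origin
    return token == origin


def check_access(rules, user, origin=""):
    """First matching rule decides, as pam_access does; no match at all grants access."""
    for perm, users, origins in rules:
        if any(user_matches(u, user) for u in users) and any(origin_matches(o, origin) for o in origins):
            return perm == "+"
    return True


RULES = parse_rules(ACCESS_CONF)

if __name__ == "__main__":
    for user, origin in [("root", "tty1"), ("root", "10.0.0.5"), ("alice", "10.0.0.5"), ("mallory", "")]:
        verdict = "allow" if check_access(RULES, user, origin) else "deny"
        print(f"{user:8} from {origin or 'console':10} -> {verdict}")
```

Running it shows root allowed on tty1 but denied from a remote address, netgroup members allowed from anywhere, and everyone else denied; drop the -:ALL:ALL line from ACCESS_CONF and mallory is allowed again.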
Hi,
Arpit Tolani wrote:
> ldap_netgroup_search_base = ou=Netgroup,dc=example,dc=com
and
nsswitch.conf
netgroup: sss
did the trick for me, thanx a lot.
> Append the following lines to the /etc/security/access.conf file. This will allow local root access, allow the sys_netgroup netgroup, and deny all others.
> +:root:LOCAL
> +:@sys_netgroup:ALL
> -:ALL:ALL
The pam_access stuff was already in place.
It's working now. Good thing...
Cheers, Olaf
On Thu, Jul 26, 2012 at 03:21:31PM +0200, Olaf Gellert wrote:
> Hi,
> Arpit Tolani wrote:
> > ldap_netgroup_search_base = ou=Netgroup,dc=example,dc=com
> and
> nsswitch.conf
> netgroup: sss
> did the trick for me, thanx a lot.
For the record, this changes the SSSD configuration so that the netgroups are actually fetched using the SSSD.
On Wed, 2012-07-25 at 18:43 +0530, Arpit Tolani wrote:
> Edit nsswitch.conf to look for authentication info in sssd. Remember to do this for passwd, shadow, group, and netgroup
> passwd: sss files
> shadow: sss files
> group: sss files
> netgroup: sss
It is strongly recommended that you NEVER put 'sss' before 'files'. In the unlikely event that something goes seriously wrong with SSSD (such as entering an infinite loop), you will not be able to look up local users (including root!).
We always recommend the 'files sss' ordering.
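A quick check for the ordering Stephen warns about, as an added example (not SSSD tooling and not from the thread): it parses an nsswitch.conf and reports the passwd, shadow and group databases where sss is consulted before files, which is the configuration that leaves root unresolvable if SSSD stops answering. The two sample configurations embedded in it are constructed from the orderings quoted in this thread.

```python
"""Audit nsswitch.conf for databases where 'sss' is consulted before 'files'.

Added example, not tooling from SSSD or from the thread. The two sample
configurations below are constructed from the orderings quoted in the thread.
"""
import re
import sys

# Databases whose local entries (root, system accounts) must stay resolvable
# even if SSSD hangs, hence 'files' has to come first.
RISKY_DATABASES = ("passwd", "shadow", "group")

# Constructed sample: the 'sss files' ordering posted in the thread.
TEST_CONFIG = """\
passwd: sss files
shadow: sss files
group: sss files
netgroup: sss
"""

# Constructed sample: the recommended 'files sss' ordering.
PRODUCTION_CONFIG = """\
passwd: files sss
shadow: files sss
group: files sss
netgroup: sss
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]}, dropping comments and [STATUS=action] clauses."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # e.g. [NOTFOUND=return]
        databases[name.strip()] = rest.split()
    return databases


def sss_before_files(sources):
    """True when SSSD answers before the flat files, or when 'files' is absent entirely."""
    if "sss" not in sources:
        return False
    if "files" not in sources:
        return True
    return sources.index("sss") < sources.index("files")


def audit(text):
    """List the risky databases whose ordering would lock out local users if SSSD hangs."""
    databases = parse_nsswitch(text)
    return [db for db in RISKY_DATABASES if db in databases and sss_before_files(databases[db])]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/nsswitch.conf"
    with open(path) as fh:
        findings = audit(fh.read())
    for db in findings:
        print(f"{path}: '{db}' consults sss before files")
    sys.exit(1 if findings else 0)
```

Run it with the path of an nsswitch.conf (default /etc/nsswitch.conf); it exits non-zero when any of the three databases has sss ahead of files, so it can sit in a config-management check. A pure 'compat' setup like the one from the first message is reported as clean, since the compat lines themselves do not list sss.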
Hi Stephen,
Stephen Gallagher wrote:
> On Wed, 2012-07-25 at 18:43 +0530, Arpit Tolani wrote:
> > Edit nsswitch.conf to look for authentication info in sssd. Remember to do this for passwd, shadow, group, and netgroup
> > passwd: sss files
> > shadow: sss files
> > group: sss files
> > netgroup: sss
> It is strongly recommended that you NEVER put 'sss' before 'files'. In the unlikely event that something goes seriously wrong with SSSD (such as entering an infinite loop), you will not be able to look up local users (including root!).
> We always recommend the 'files sss' ordering.
Thanks for the hint. The setting above was for testing, in production we do have the correct order. :-)
Olaf
sssd-users@lists.fedorahosted.org