The following entry in an ldap.conf file on a RHEL V5 system provides the ability to limit users based on their GID values:
nss_base_passwd OU=ldap,DC=mydomain,DC=net?one?|(gidNumber=11001) (gidNumber=11003)
Only those users with GIDs of 11001 or 11003 can log in. All others are prohibited.
I've tried the same filter in sssd.conf on a v6 RHEL system but can't seem to get it to work. It doesn't cause any syntax errors but it is ignored.
I've also tried placing an "=" sign after the nss_base_passwd string and quoting everything after the "=" sign... to no avail.
Can anyone explain the sssd syntax for accomplishing this task?
Thanks in advance.
Al Licause
On Fri, Apr 12, 2013 at 12:26:15PM +0000, Licause, Al (BCS) wrote:
The following entry in an ldap.conf file on a RHEL V5 system provides the ability to limit users based on their GID values:
nss_base_passwd OU=ldap,DC=mydomain,DC=net?one?|(gidNumber=11001) (gidNumber=11003)
Only those users with GIDs of 11001 or 11003 can log in. All others are prohibited.
I've tried the same filter in sssd.conf on a v6 RHEL system but can't seem to get it to work. It doesn't cause any syntax errors but it is ignored.
I've also tried placing an "=" sign after the nss_base_passwd string and quoting everything after the "=" sign... to no avail.
Can anyone explain the sssd syntax for accomplishing this task?
Thanks in advance.
Al Licause
Hi,
have you checked the ldap_access_filter option? Maybe that's what you're looking for.
On 04/12/2013 08:26 AM, Licause, Al (BCS) wrote:
The following entry in an ldap.conf file on a RHEL V5 system provides the ability to limit users based on their GID values:
nss_base_passwd OU=ldap,DC=mydomain,DC=net?one?|(gidNumber=11001) (gidNumber=11003)
Only those users with GIDs of 11001 or 11003 can log in. All others are prohibited.
I've tried the same filter in sssd.conf on a v6 RHEL system but can't seem to get it to work. It doesn't cause any syntax errors but it is ignored.
I've also tried placing an "=" sign after the nss_base_passwd string and quoting everything after the "=" sign... to no avail.
Can anyone explain the sssd syntax for accomplishing this task?
There are two ways to accomplish what you're asking, depending on what you really mean:
The way that behaved in nss_ldap was that only users whose primaryGID was either 11001 or 11003 would be *visible* to the system. That means that any other user would not appear with 'getent passwd username' if they didn't have the right primary GID.
This can be done in sssd with the ldap_user_search_base option:
ldap_user_search_base = OU=ldap,DC=mydomain,DC=net?one?(|(gidNumber=11001) (gidNumber=11003))
However, if you want all users to be viewable with 'getent passwd username' but only some users able to log in, you want to do this instead:
ldap_user_search_base = OU=ldap,DC=mydomain,DC=net?one?
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (|(gidNumber=11001) (gidNumber=11003))
This will allow the system to "see" all users, but only permit those with that primary GID to actually log in.
We did some testing on these and while for some reason I botched the syntax for the filter, we finally got both solutions to work.
It should be noted that the component between the question marks, in this case "?one?", can take on any one of four values... base|one|sub|children.
In our case we had to use sub or remove that component from the filter to get this to work, as our groups of users are actually each in their own OUs.
Thanks to all that replied.
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Stephen Gallagher
Sent: Friday, April 12, 2013 8:46 AM
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] How to restrict users by GID
On 04/12/2013 08:26 AM, Licause, Al (BCS) wrote:
The following entry in an ldap.conf file on a RHEL V5 system provides the ability to limit users based on their GID values:
nss_base_passwd OU=ldap,DC=mydomain,DC=net?one?|(gidNumber=11001) (gidNumber=11003)
Only those users with GIDs of 11001 or 11003 can log in. All others are prohibited.
I've tried the same filter in sssd.conf on a v6 RHEL system but can't seem to get it to work. It doesn't cause any syntax errors but it is ignored.
I've also tried placing an "=" sign after the nss_base_passwd string and quoting everything after the "=" sign... to no avail.
Can anyone explain the sssd syntax for accomplishing this task?
There are two ways to accomplish what you're asking, depending on what you really mean:
The way that behaved in nss_ldap was that only users whose primaryGID was either 11001 or 11003 would be *visible* to the system. That means that any other user would not appear with 'getent passwd username' if they didn't have the right primary GID.
This can be done in sssd with the ldap_user_search_base option:
ldap_user_search_base = OU=ldap,DC=mydomain,DC=net?one?(|(gidNumber=11001) (gidNumber=11003))
However, if you want all users to be viewable with 'getent passwd username' but only some users able to log in, you want to do this instead:
ldap_user_search_base = OU=ldap,DC=mydomain,DC=net?one?
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (|(gidNumber=11001) (gidNumber=11003))
This will allow the system to "see" all users, but only permit those with that primary GID to actually log in.
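As an added example, not code from this thread or from SSSD itself, the following Python script models the two mechanisms Stephen describes (filtering who is visible via the search base versus filtering who may log in via ldap_access_filter) together with the scope point from Al's follow-up. It parses a BASE?SCOPE?FILTER search-base string, checks that the filter part is a well-formed RFC 4515 filter (the unparenthesized `|(gidNumber=11001) (gidNumber=11003)` from the original question fails that check, which illustrates one reason such a value could be accepted without complaint yet never match anything), and evaluates scope and filter against a constructed set of user entries, one of them nested in a sub-OU, to show how `one` versus `sub` changes the result. The directory entries, uid values and the `OU=finance` sub-OU are constructed for the example; the parser only supports equality/presence items under &, | and !, is deliberately lenient about whitespace between filter items because the thread's filter contains it, and treats an empty scope as `sub`, which is an assumption of this example rather than documented SSSD behaviour.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Scope keywords named in the thread: base|one|sub|children
SCOPES = ("base", "one", "sub", "children")


class FilterError(ValueError):
    """Raised when a string is not a well-formed (supported) RFC 4515 filter."""


@dataclass
class SearchBase:
    base: str
    scope: str
    filter: Optional[str]


def _split_dn(dn: str) -> list:
    # Naive RDN split (no escaped commas), lower-cased so comparisons are case-insensitive.
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_in_scope(dn: str, base: str, scope: str) -> bool:
    """Return True if `dn` would be returned by a search rooted at `base` with `scope`."""
    d, b = _split_dn(dn), _split_dn(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False                 # not under the base at all
    depth = len(d) - len(b)          # 0 = the base entry itself, 1 = direct child, ...
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1            # why users in their own sub-OUs were missed with ?one?
    if scope == "sub":
        return True
    if scope == "children":
        return depth >= 1
    raise ValueError(f"unknown scope {scope!r}")


_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9.;-]*)=([^()]*)\)")


def _parse(s: str, i: int):
    while i < len(s) and s[i].isspace():   # lenient: allow "(a=1) (b=2)" as in the thread
        i += 1
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while True:
            while i < len(s) and s[i].isspace():
                i += 1
            if i < len(s) and s[i] == ")":
                break
            child, i = _parse(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise FilterError(f"bad operand count for '{op}'")
        return (op, children), i + 1
    m = _ITEM.match(s, i)
    if not m:
        raise FilterError(f"bad filter item at offset {i}")
    return ("=", m.group(1).lower(), m.group(2)), m.end()


def parse_filter(text: str):
    """Parse a filter into a tuple AST; raise FilterError if it is malformed."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError(f"trailing characters at offset {pos}: {text[pos:]!r}")
    return node


def _values(entry: dict, attr: str) -> list:
    for key, val in entry.items():
        if key.lower() == attr:
            return [str(v) for v in (val if isinstance(val, list) else [val])]
    return []


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against a dict-shaped directory entry."""
    if node[0] == "=":
        _, attr, value = node
        vals = _values(entry, attr)
        return bool(vals) if value == "*" else any(v.lower() == value.lower() for v in vals)
    op, children = node
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)


def parse_search_base(spec: str) -> SearchBase:
    """Parse 'BASE?SCOPE?FILTER' (or a bare base DN) and validate its parts."""
    parts = spec.split("?")
    if len(parts) == 1:
        return SearchBase(spec.strip(), "sub", None)
    if len(parts) != 3:
        raise ValueError("expected BASE?SCOPE?FILTER")
    base, scope, flt = (p.strip() for p in parts)
    scope = scope.lower() or "sub"       # assumption: empty scope behaves like sub
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {SCOPES}, got {scope!r}")
    if flt:
        parse_filter(flt)                # surfaces e.g. a missing outer '(' ')'
    return SearchBase(base, scope, flt or None)


def visible_users(entries: list, search_base_spec: str) -> list:
    """Users the system would 'see' (getent passwd) under a given ldap_user_search_base."""
    sb = parse_search_base(search_base_spec)
    node = parse_filter(sb.filter) if sb.filter else None
    return sorted(e["uid"] for e in entries
                  if dn_in_scope(e["dn"], sb.base, sb.scope)
                  and (node is None or matches(node, e)))


def login_allowed(entry: dict, access_filter: str) -> bool:
    """Mirror of ldap_access_filter: visible or not, only matching users may log in."""
    return matches(parse_filter(access_filter), entry)


# Constructed sample directory: two users directly under OU=ldap, one in a sub-OU.
USERS = [
    {"dn": "uid=alice,OU=ldap,DC=mydomain,DC=net", "uid": "alice", "gidNumber": "11001"},
    {"dn": "uid=bob,OU=ldap,DC=mydomain,DC=net", "uid": "bob", "gidNumber": "11002"},
    {"dn": "uid=carol,OU=finance,OU=ldap,DC=mydomain,DC=net", "uid": "carol", "gidNumber": "11003"},
]
ACCESS_FILTER = "(|(gidNumber=11001) (gidNumber=11003))"

if __name__ == "__main__":
    for scope in ("one", "sub"):
        spec = f"OU=ldap,DC=mydomain,DC=net?{scope}?{ACCESS_FILTER}"
        print(f"{scope:4s} scope, filtered search base ->", visible_users(USERS, spec))
    print("no filter, one scope ->", visible_users(USERS, "OU=ldap,DC=mydomain,DC=net?one?"))
    for u in USERS:
        print(f"{u['uid']}: login allowed = {login_allowed(u, ACCESS_FILTER)}")
    try:
        parse_filter("|(gidNumber=11001) (gidNumber=11003)")
    except FilterError as exc:
        print("original filter rejected:", exc)
```

Run as a script it prints which users are visible with `one` versus `sub` scope (carol, sitting in OU=finance, only appears with `sub`), shows that the access filter alone does not hide bob from getent but does stop him logging in, and reports that the unparenthesized filter from the question is not a valid filter at all.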
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users