I'm trying to set up sssd with access_provider = ldap. I'm having a little trouble getting the ldap_access_filter working the way I want to.
The way I want to do it is to create a Resource Group in AD that contains the Unix Team group and then whichever users need access to the system. So we'd have, say:
cn=Server1AccessGroup,ou=Groups,….
  member: cn=Unix Team,ou=Groups,…
  member: cn=User A,…
  member: cn=User B,…
Is there a way to craft the ldap_access_filter based on the above such that the members of Unix Team and then the two users will be allowed access?
As an ancillary question to this, I'd like some clarification of how ldap_access_filter works exactly. Is it simply that the user's DN who is trying to login needs to match a result of the query specified in the access filter line?
Thanks!
--
Greg Wojtak
Senior Unix Systems Engineer
Office: (313) 373-4306
Mobile: (734) 718-8472
What about configuring sssd to make use of the POSIX attributes in AD and define those attributes only for people you want to allow in? Sound the easiest form to me.
Ondrej
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Wojtak, Greg (Superfly)
Sent: Thursday, May 09, 2013 3:09 PM
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Nested Groups in ldap_access_filter?

> I'm trying to set up sssd with access_provider = ldap. I'm having a little trouble getting the ldap_access_filter working the way I want to.
>
> The way I want to do it is to create a Resource Group in AD that contains the Unix Team group and then whichever users need access to the system. So we'd have, say:
>
> cn=Server1AccessGroup,ou=Groups,….
>   member: cn=Unix Team,ou=Groups,…
>   member: cn=User A,…
>   member: cn=User B,…
>
> Is there a way to craft the ldap_access_filter based on the above such that the members of Unix Team and then the two users will be allowed access?
>
> As an ancillary question to this, I'd like some clarification of how ldap_access_filter works exactly. Is it simply that the user's DN who is trying to login needs to match a result of the query specified in the access filter line?
>
> Thanks!
>
> --
> Greg Wojtak
> Senior Unix Systems Engineer
> Office: (313) 373-4306
> Mobile: (734) 718-8472
> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Because just about everyone in our organization will have the POSIX attributes, but we don't want everyone to be able to log into every server. For example, we have bankers that will ONLY log into our origination system, the engineers and admins log in everywhere, the devs log into dev and sometimes test but not prod or staging, etc.
We're using netgroups to control this now, but that is… icky.
On 05/09/2013 09:08 AM, Wojtak, Greg (Superfly) wrote:
> I'm trying to set up sssd with access_provider = ldap. I'm having a little trouble getting the ldap_access_filter working the way I want to.
>
> The way I want to do it is to create a Resource Group in AD that contains the Unix Team group and then whichever users need access to the system. So we'd have, say:
>
> cn=Server1AccessGroup,ou=Groups,….
>   member: cn=Unix Team,ou=Groups,…
>   member: cn=User A,…
>   member: cn=User B,…
>
> Is there a way to craft the ldap_access_filter based on the above such that the members of Unix Team and then the two users will be allowed access?
>
> As an ancillary question to this, I'd like some clarification of how ldap_access_filter works exactly. Is it simply that the user's DN who is trying to login needs to match a result of the query specified in the access filter line?
If you're basing access control entirely off of group membership, then you would probably have better luck by doing:
access_provider = simple
simple_allow_groups = Server1AccessGroup
This assumes that Server1AccessGroup and "Unix Team" are both Posix Groups (they have a GID assigned) and are visible when doing 'getent group Server1AccessGroup'.
The way the access filter works is that it's ANDed with a lookup string for the user. So it only works based on values that are present in the *user* entry. So you could create a filter for the presence of the memberOf=cn=Server1AccessGroup,ou=Groups,…
But the catch here is that AD has only one-level memberOf (it only lists the direct parent, not any nested parents). Thus with Active Directory it's probably better to use the simple_allow_groups method, since that handles the nesting properly.
Thanks for the help. Would a similar solution be to set the ldap_access_filter to (&(cn=unix team,…)(cn=server1access,...)) with the server1access group containing the members' DNs? The reason I ask this is so that we can avoid having to assign gidnumbers to these groups?
On 05/09/2013 09:58 AM, Wojtak, Greg (Superfly) wrote:
> Thanks for the help. Would a similar solution be to set the ldap_access_filter to (&(cn=unix team,…)(cn=server1access,...)) with the server1access group containing the members' DNs? The reason I ask this is so that we can avoid having to assign gidnumbers to these groups?
This won't work because the user will only have one or the other memberOf attribute. You *could* do:
ldap_access_filter = (|(memberOf=cn=unix team...)(memberOf=cn=server1access...))
(note the OR there). But the problem with this is that you will need to update your client configuration manually any time a new group is added to the nesting. That's why I'd recommend just assigning POSIX attributes and using the simple access provider.
Also, feel free to open an RFE to request a nested-non-POSIX access provider extension for LDAP in our bug tracker at https://fedorahosted.org/sssd
You're not the first person to ask for it, but it's trickier than you might expect to get it right.
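The two replies above describe two different evaluation models: ldap_access_filter is ANDed with SSSD's own lookup of the user, so it can only test attributes on the user's entry (and AD's memberOf lists only direct parents), whereas simple_allow_groups resolves nesting from the group side. The following is an added illustration of that difference, not SSSD's code and not from anyone in this thread; the directory entries, the DNs under dc=example,dc=com, and the exact terms of the combined user-lookup filter are constructed assumptions.

```python
"""Model of how an ldap_access_filter is applied to a user entry, next to
group-expansion access control of the kind simple_allow_groups relies on.
Added example, not SSSD's own code; directory and filter shape are assumed."""

# Constructed AD-style entries.  As in AD, memberOf lists only direct parents:
# "Eng One" is in "Unix Team", which is nested in Server1AccessGroup, but the
# user entry itself carries no memberOf value for Server1AccessGroup.
SERVER1 = "cn=Server1AccessGroup,ou=Groups,dc=example,dc=com"
UNIX_TEAM = "cn=Unix Team,ou=Groups,dc=example,dc=com"
DIRECTORY = {
    SERVER1: {"objectClass": ["group"],
              "member": [UNIX_TEAM, "cn=User A,ou=Users,dc=example,dc=com"]},
    UNIX_TEAM: {"objectClass": ["group"],
                "member": ["cn=Eng One,ou=Users,dc=example,dc=com"]},
    "cn=User A,ou=Users,dc=example,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["usera"], "memberOf": [SERVER1]},
    "cn=Eng One,ou=Users,dc=example,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["engone"], "memberOf": [UNIX_TEAM]},
    "cn=Banker,ou=Users,dc=example,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["banker"], "memberOf": []},
}


def parse_filter(text):
    """Parse a small RFC 4515 subset: (&...), (|...), (!...), (attr=value), (attr=*)."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' at %r" % s)
    if s[1] in "&|!":
        op, rest, children = s[1], s[2:], []
        while rest.startswith("("):
            child, rest = _parse(rest)
            children.append(child)
        if not rest.startswith(")"):
            raise ValueError("unbalanced filter near %r" % rest)
        return (op, children), rest[1:]
    end = s.index(")")
    attr, _, value = s[1:end].partition("=")
    return ("=", attr.lower(), value.lower()), s[end + 1:]


def matches(node, entry):
    """Evaluate a parsed filter against one entry (names and values compared
    case-insensitively, as LDAP does for DNs and attribute names)."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return bool(values) if value == "*" else value in values


def ldap_access_allowed(username, access_filter, directory=DIRECTORY):
    """Model of access_provider = ldap: the access filter is ANDed with the
    lookup for the user, so it can only test the *user* entry's attributes.
    The lookup terms (objectClass/sAMAccountName) are an assumption here."""
    combined = "(&(objectClass=user)(sAMAccountName=%s)%s)" % (username, access_filter)
    node = parse_filter(combined)
    return any(matches(node, entry) for entry in directory.values())


def expand_group(group_dn, directory=DIRECTORY, seen=None):
    """User DNs reachable from a group by following nested 'member' links
    (the group-side view, which resolves nesting; cycle-safe)."""
    seen = set() if seen is None else seen
    users = set()
    for dn in directory.get(group_dn, {}).get("member", []):
        if dn in seen:
            continue
        seen.add(dn)
        if "group" in directory.get(dn, {}).get("objectClass", []):
            users |= expand_group(dn, directory, seen)
        else:
            users.add(dn)
    return users


def group_access_allowed(username, group_dn, directory=DIRECTORY):
    """Model of simple_allow_groups with nesting resolved from the group side."""
    user_dns = {dn for dn, e in directory.items() if username in e.get("sAMAccountName", [])}
    return bool(user_dns & expand_group(group_dn, directory))


if __name__ == "__main__":
    direct = "(memberOf=%s)" % SERVER1
    either = "(|(memberOf=%s)(memberOf=%s))" % (UNIX_TEAM, SERVER1)
    for user in ("usera", "engone", "banker"):
        print(user, ldap_access_allowed(user, direct),
              ldap_access_allowed(user, either), group_access_allowed(user, SERVER1))
```

Running it shows the point of the thread: the nested engineer fails the single memberOf filter, passes the OR'd filter only because Unix Team was spelled out in the client configuration, and passes the group-expansion check without any per-server filter edits; the banker is denied by all three.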