Hi all,
I have the following lines in my file /etc/security/access.conf for the purpose of my testing.
- : bryan.harris.adm : ALL
- : ALL : ALL
When I place the following into /etc/pam.d/sshd I can prevent my login. The error is "pam_access(sshd:account): access denied for user `bryan.harris.adm' from" which looks like exactly what I want to see.
account required pam_access.so
When I place the following into /etc/pam.d/sshd I can once again login just fine and access.conf seems to be ignored.
account required pam_access.so listsep=,
The motivation is that I want to only allow the AD group "Linux Admins" (without quotes) to be able to login. So eventually I want to get a line like - : @Linux Admins : ALL into my /etc/security/access.conf file.
Can anyone explain how I can make this work properly? I doubt I can convince the Windows guys to not use spaces in their group names but I could try.
Or is it better for me to just use ldap_access_filter and leave the security up to sssd? The reason I looked into access.conf was to have another security layer "just in case", but if that's redundant and unnecessary then I suppose I don't need any of this anyway.
Bryan
On 06/04/2013 10:13 AM, Bryan Harris wrote:
Hi all,
I have the following lines in my file /etc/security/access.conf for the purpose of my testing.
- : bryan.harris.adm : ALL
- : ALL : ALL
When I place the following into /etc/pam.d/sshd I can prevent my login. The error is "pam_access(sshd:account): access denied for user `bryan.harris.adm' from" which looks like exactly what I want to see.
account required pam_access.so
When I place the following into /etc/pam.d/sshd I can once again login just fine and access.conf seems to be ignored.
account required pam_access.so listsep=,
The motivation is that I want to only allow the AD group "Linux Admins" (without quotes) to be able to login. So eventually I want to get a line like - : @Linux Admins : ALL into my /etc/security/access.conf file.
Can anyone explain how I can make this work properly? I doubt I can convince the Windows guys to not use spaces in their group names but I could try.
Or is it better for me to just use ldap_access_filter and leave the security up to sssd? The reason I looked into access.conf was to have another security layer "just in case", but if that's redundant and unnecessary then I suppose I don't need any of this anyway.
ldap_access_filter seems like the right approach here. I think the example in the sssd-ldap man page shows the exact line that you are looking for
access_provider = ldap
ldap_access_filter = memberOf=cn=Linux Admins,ou=Groups,dc=example,dc=com
Bryan
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On Tue, Jun 04, 2013 at 11:12:54AM -0400, Dmitri Pal wrote:
On 06/04/2013 10:13 AM, Bryan Harris wrote:
Hi all,
I have the following lines in my file /etc/security/access.conf for the purpose of my testing.
- : bryan.harris.adm : ALL
- : ALL : ALL
When I place the following into /etc/pam.d/sshd I can prevent my login. The error is "pam_access(sshd:account): access denied for user `bryan.harris.adm' from" which looks like exactly what I want to see.
account required pam_access.so
When I place the following into /etc/pam.d/sshd I can once again login just fine and access.conf seems to be ignored.
account required pam_access.so listsep=,
The motivation is that I want to only allow the AD group "Linux Admins" (without quotes) to be able to login. So eventually I want to get a line like - : @Linux Admins : ALL into my /etc/security/access.conf file.
Can anyone explain how I can make this work properly? I doubt I can convince the Windows guys to not use spaces in their group names but I could try.
Or is it better for me to just use ldap_access_filter and leave the security up to sssd? The reason I looked into access.conf was to have another security layer "just in case", but if that's redundant and unnecessary then I suppose I don't need any of this anyway.
ldap_access_filter seems like the right approach here. I think the example in the sssd-ldap man page shows the exact line that you are looking for
access_provider = ldap
ldap_access_filter = memberOf=cn=Linux Admins,ou=Groups,dc=example,dc=com
Yes, this would work. You can also take a look at the "simple" access provider (man sssd-simple).
On Jun 04, 2013, at 10:16 AM, Jakub Hrozek jhrozek@redhat.com wrote:
On Tue, Jun 04, 2013 at 11:12:54AM -0400, Dmitri Pal wrote:
On 06/04/2013 10:13 AM, Bryan Harris wrote:
- : bryan.harris.adm : ALL
- : ALL : ALL
Well, I feel a bit silly, I used comma for list separator but I have spaces both before as well as after each of my objects in my statements (So I guess it was " Linux Admins " which is not the same as "Linux Admins"). When I removed all the spaces everything worked as expected.
access_provider = ldap
ldap_access_filter = memberOf=cn=Linux Admins,ou=Groups,dc=example,dc=com
Yes, this would work. You can also take a look at the "simple" access provider (man sssd-simple).
Thanks for this direction for using sssd-simple, I'm switching our configuration to use it rather than the ldap_access_filter.
Bryan
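The two effects this thread runs into (items padded with spaces surviving intact once `listsep=,` is set, and a group name containing a space being split in two by the default separators) can be reproduced with a small model of how pam_access tokenizes the user and origin lists. This is an added example, not code from the thread or from Linux-PAM: it assumes a simplified matching model (ALL, an @group item, or a plain user name; only ALL origins), treats the default separator set as comma, space and tab, and uses sample rules constructed from the lines Bryan posted.

```python
"""Model of pam_access list parsing (assumption: simplified; not pam_access's own code)."""

# Assumption: the default list separators are modelled as comma, space and tab.
DEFAULT_LISTSEP = ", \t"


def split_list(field, listsep=None):
    """Split one access.conf field into items using listsep (or the default set).

    Whitespace is deliberately not trimmed: with listsep=, the padding around
    an item stays part of the item, which is what the thread observed.
    """
    seps = listsep if listsep else DEFAULT_LISTSEP
    items, current = [], ""
    for ch in field:
        if ch in seps:
            if current:
                items.append(current)
            current = ""
        else:
            current += ch
    if current:
        items.append(current)
    return items


def parse_rule(line, listsep=None):
    """Return (permission, user_items, origin_items) for one access.conf line."""
    perm, users, origins = line.split(":", 2)
    return perm.strip(), split_list(users, listsep), split_list(origins, listsep)


def user_item_matches(item, user, groups):
    """ALL matches everyone; @name matches a group the user is in; else a user name."""
    if item == "ALL":
        return True
    if item.startswith("@"):
        return item[1:] in groups
    return item == user


def access_decision(rules, user, groups=(), listsep=None):
    """First matching rule decides; when nothing matches pam_access permits the login."""
    for line in rules:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, user_items, origin_items = parse_rule(line, listsep)
        if "ALL" not in origin_items:
            continue  # origins other than ALL are not modelled here
        if any(user_item_matches(i, user, groups) for i in user_items):
            return "permit" if perm == "+" else "deny"
    return "permit"


# Constructed sample rules: the thread's test rules, padded and unpadded.
PADDED_DENY = ["- : bryan.harris.adm : ALL", "- : ALL : ALL"]
TIGHT_DENY = ["-:bryan.harris.adm:ALL", "-:ALL:ALL"]
# The intended final policy: only members of "Linux Admins" may log in.
TIGHT_ADMINS_ONLY = ["+:@Linux Admins:ALL", "-:ALL:ALL"]

if __name__ == "__main__":
    print(split_list(" bryan.harris.adm ", ","))
    print(access_decision(PADDED_DENY, "bryan.harris.adm"))
    print(access_decision(PADDED_DENY, "bryan.harris.adm", listsep=","))
    print(access_decision(TIGHT_DENY, "bryan.harris.adm", listsep=","))
    print(access_decision(TIGHT_ADMINS_ONLY, "bryan.harris.adm", ("Linux Admins",)))
    print(access_decision(TIGHT_ADMINS_ONLY, "bryan.harris.adm", ("Linux Admins",), listsep=","))
```

The point worth keeping in mind from the padded case: with `listsep=,` neither `bryan.harris.adm` nor the trailing `- : ALL : ALL` rule matches (both items carry their surrounding spaces), and since pam_access permits when no rule matches, a deny-by-default policy silently fails open rather than failing closed. When changing `listsep`, re-check every rule against the exact separator in use and confirm the expected `pam_access(sshd:account): access denied` line appears in the log before relying on the layer.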