Rather than filtering off a single group, why not use the simple_allow_groups key value? This will allow multiple groups to access the system should the need ever arise. For the local users, that is outside sssd for the most part, look at your pam configs and nsswitch.
On June 10, 2020 at 5:42 AM "Sangster, Mark" m.v.sangster@abdn.ac.uk wrote:
Hello,
I was attempting to utilise the AD provider for access control, however I cannot make it work with members of nested groups. i.e. when using the LDAP_MATCHING_RULE_IN_CHAIN.
This functions:
access_provider = ldap
ldap_sasl_authid = SERVER$@DOMAIN
ldap_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=ServerGroup,OU=Groups,DC=DOMAIN)
This doesn’t:
access_provider = ad
ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=ServerGroup,OU=Groups,DC=DOMAIN)
Have I missed anything?
It would also be useful if it is possible to allow local users access alongside the remote users. e.g. allow both “domain_account” and “local_account” access. Is that possible?
Thanks Mark
Mark Sangster Server Infrastructure Specialist
Information Technology Services | University of Aberdeen t: +44 (0)1224 27-3315 | e: mark@abdn.ac.uk | u: http://www.abdn.ac.uk/it/
The University of Aberdeen is a charity registered in Scotland, No SC013683.
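A concrete form of the reply's suggestion, as an added example that is not part of the original thread: an sssd.conf domain section that keeps the AD provider for identity and authentication but hands access control to the simple provider, allowing several AD groups at once, followed by the nsswitch.conf ordering that keeps local accounts resolvable outside sssd. The domain name, group names and server name are placeholders.

```ini
# --- /etc/sssd/sssd.conf (fragment; added example, placeholders throughout) ---
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
auth_provider = ad
# The AD provider resolves transitive (nested) group membership via
# tokenGroups, so a user who reaches ServerGroup through an intermediate
# group is still seen by sssd as a member of it.
ldap_use_tokengroups = True

# Access control: instead of a single hard-coded LDAP filter, list every
# AD group that should be able to log in. Membership is checked against
# the groups sssd has resolved for the user; local (/etc/group) groups are
# never evaluated here, only groups from this sssd domain.
access_provider = simple
simple_allow_groups = servergroup@example.com, serveradmins@example.com

# --- /etc/nsswitch.conf (fragment) ---
# Local accounts come from files first, so a local_account still resolves
# and authenticates through pam_unix regardless of the sssd access rules
# above; those rules only apply to users sssd itself provides.
# passwd:  files sss
# group:   files sss
```

After editing, `sssctl config-check` reports syntax and option-name problems in sssd.conf before the daemon is restarted; an access-control misconfiguration that locks out or admits the wrong users would otherwise surface only at login time in /var/log/sssd/sssd_example.com.log.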