Hi everyone,
I have been made aware on this list of "access_provider" and "ldap_access_order", which I had ignored (thank you again), and I'm now testing a couple of things.
I am trying to configure SSSD for host based access control (enabling the behavior of pam_check_host_attr) and the following works for me:
On the client side (hostname = gaia01.sandbox.example.fr), I added this to my sssd.conf:
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
I have added the objectclass hostObject to my users on the ldap side and I see that:
- if attribute host is not set in ldap for a user, then access to gaia01.sandbox.example.fr is refused
- if attribute host is set for a user to gaia01.sandbox.example.fr then access is granted for that user on gaia01.sandbox.example.fr
- if attribute host is set for a user to '*' then access is granted for that user on gaia01.sandbox.example.fr
- if attribute host is set to anything else then access to gaia01.sandbox.example.fr is refused
-> so far so good, that's what I (almost) expected.
My problem now is that I would like to grant access to certain users to all hosts in the sandbox space.
I tried to set the attribute host for a user to '*.sandbox.*' (I also tried '*sandbox*') and I see that access to gaia01.sandbox.example.fr is refused.
My question is: are jokers supported in the host attribute?
And the bonus question: if not, what would you recommend to tune user authorisations in ldap so that they can only log in to all machines that contain a specific label in their hostname (or why not all hosts that are hosted in a specific network)?
Thanks,
-- Olivier
On (05/05/15 16:44), Olivier wrote:
Hi everyone,
I have been made aware on this list of "access_provider" and "ldap_access_order", which I had ignored (thank you again), and I'm now testing a couple of things.
I am trying to configure SSSD for host based access control (enabling the behavior of pam_check_host_attr) and the following works for me:
On the client side (hostname = gaia01.sandbox.example.fr), I added this to my sssd.conf:
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
I have added the objectclass hostObject to my users on the ldap side and I see that:
- if attribute host is not set in ldap for a user, then access to
gaia01.sandbox.example.fr is refused
- if attribute host is set for a user to gaia01.sandbox.example.fr then
access is granted for that user on gaia01.sandbox.example.fr
- if attribute host is set for a user to '*' then access is granted for
that user on gaia01.sandbox.example.fr
- if attribute host is set to anything else then access to
gaia01.sandbox.example.fr is refused
-> so far so good, that's what I (almost) expected.
My problem now is that I would like to grant access to certain users to all hosts in the sandbox space.
I tried to set the attribute host for a user to '*.sandbox.*' (I also tried '*sandbox*') and I see that access to gaia01.sandbox.example.fr is refused.
^^^^^^^^^^
Wildcards/regex in such a way are not supported with ldap_user_authorized_host.
It is already written in the man page. @see man sssd-ldap -> ldap_user_authorized_host
My question is: are jokers supported in the host attribute?
Answer is no.
Although it should not be difficult to implement it. I would suggest looking into the function sdap_access_host in src/providers/ldap/sdap_access.c and the function fnmatch (or libpcre, which is already used by sssd).
And the bonus question: if not, what would you recommend to tune user authorisations in ldap so that they can only log in to all machines that contain a specific label in their hostname (or why not all hosts that are hosted in a specific network)?
Currently you can have more host attributes in the LDAP entry (not flexible), or better/recommended is to use HBAC (host based access control) with IPA. Unfortunately, HBAC can be used only with the IPA provider and not with ldap.
LS
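To make the difference concrete, here is a small Python model (added here, not SSSD's code) of the matching rule Olivier observed for ldap_user_authorized_host, next to the fnmatch-style variant Lukas points at. The client hostname and host values are constructed to mirror the thread; the '!' deny prefix and the lone '*' follow what the thread describes, and case-insensitive comparison is an assumption of the model.

```python
import fnmatch

# Model of the ldap_user_authorized_host rule as the thread describes it: a
# "host" value grants access only if it equals the client hostname or is the
# single value "*"; a value starting with "!" is an explicit deny, and a deny
# wins over any allow. Case-insensitive comparison is an assumption here.
def host_allowed_exact(hostname, host_values):
    hostname = hostname.lower()
    allowed = False
    for value in host_values:
        value = value.lower()
        if value.startswith("!"):
            if value[1:] == hostname:
                return False      # explicit deny wins immediately
        elif value == "*" or value == hostname:
            allowed = True        # keep scanning: a later "!" may still deny
    return allowed

# Same deny-wins rule, but every value is a glob pattern in fnmatch(3) syntax,
# which is what Lukas's suggestion would amount to (illustration only, not a
# patch to sdap_access_host).
def host_allowed_glob(hostname, host_values):
    hostname = hostname.lower()
    allowed = False
    for value in host_values:
        value = value.lower()
        if value.startswith("!"):
            if fnmatch.fnmatchcase(hostname, value[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, value):
            allowed = True
    return allowed

# Constructed cases: Olivier's four observations on gaia01.sandbox.example.fr,
# the two sandbox-wide patterns he tried, and a glob-scoped deny.
CLIENT = "gaia01.sandbox.example.fr"
CASES = {
    "unset": [],
    "exact": [CLIENT],
    "star": ["*"],
    "other": ["hera02.prod.example.fr"],
    "sandbox-glob": ["*.sandbox.*"],
    "sandbox-substr": ["*sandbox*"],
    "star-minus-gaia": ["*", "!gaia*"],
}

def compare_rules():
    """Return {case: (exact_rule_result, glob_rule_result)} for every case."""
    return {name: (host_allowed_exact(CLIENT, v), host_allowed_glob(CLIENT, v))
            for name, v in CASES.items()}
```

The last case shows the behavioural change a glob implementation would bring: under the exact rule "!gaia*" denies nothing, under the glob rule it overrides the "*" allow.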
Thank you Lukas,
My question is : are jokers supported in the host attribute ?
Answer is no.
Although it should not be difficult to implement it. I would suggest looking into the function sdap_access_host in src/providers/ldap/sdap_access.c and the function fnmatch (or libpcre, which is already used by sssd).
I think it's in the function 'sdap_access_host', in the tests after host = (char *)el->values[i].data;
I'm not a C expert but may use this:
http://www.gnu.org/software/libc/manual/html_node/POSIX-Regexp-Compilation.h...
http://www.gnu.org/software/libc/manual/html_node/Matching-POSIX-Regexps.htm
But the whole testing process would need to be reviewed to consider the whole host (except the potential starting '!' that still would need a specific process) as a regular expression: I suspect this is not as simple as that (for me at least).
Maybe another way would be to use a NIS netgroup with pam_access and to add an HBAC mechanism that knows about jokers?
-- Olivier
2015-05-05 16:56 GMT+02:00 Lukas Slebodnik lslebodn@redhat.com:
On (05/05/15 18:10), Olivier wrote:
Thank you Lukas,
My question is: are jokers supported in the host attribute?
Answer is no.
Although it should not be difficult to implement it. I would suggest looking into the function sdap_access_host in src/providers/ldap/sdap_access.c and the function fnmatch (or libpcre, which is already used by sssd).
I think it's in the function 'sdap_access_host', in the tests after host = (char *)el->values[i].data;
I'm not a C expert but may use this:
I thought you volunteered to implement it. I didn't notice it's the sssd-users list.
http://www.gnu.org/software/libc/manual/html_node/POSIX-Regexp-Compilation.h...
http://www.gnu.org/software/libc/manual/html_node/Matching-POSIX-Regexps.htm
I meant http://linux.die.net/man/3/fnmatch http://www.pcre.org/original/doc/html/index.html
But the whole testing process would need to be reviewed to consider the whole host (except the potential starting '!' that still would need a specific process) as a regular expression: I suspect this is not as simple as that (for me at least).
Maybe another way would be to use a NIS netgroup with pam_access and to add an HBAC
Netgroups are not supported in ldap_user_authorized_host either. So it will not work.
Currently ldap_user_authorized_host is very simple. It does exactly what is described in the man page.
If someone wants to use it for a different purpose then new features need to be implemented. Patches are always welcome.
According to git the author of this feature is:
commit 3612c73e7957721bcbf31d0118e2ac210eb46b88
Author: Pierre Ossman pierre@ossman.eu
Date:   Wed Dec 22 22:29:03 2010 +0100
Add host access control support
https://fedorahosted.org/sssd/ticket/746
LS
http://linux.die.net/man/3/fnmatch
Ah yes, I see: it sounds to be the right function indeed. To be honest I'm not volunteering, but I promise I will look at it.
Netgroups are not supported in ldap_user_authorized_host either. So it will not work.
If pam_access supports it (I think it does) it might work adding something like this: "account required pam_access.so"
in pam.d/system-auth
But doing that, I'll also need to remove "ldap_access_order = host" in sssd.conf and outsource HBAC to pam_access.
I'll test and let you know.
Best,
-- Olivier
2015-05-05 18:22 GMT+02:00 Lukas Slebodnik lslebodn@redhat.com:
Hi Lukas and all,
here is a little report of my investigations (concluding with a simple way that I found and that may meet my needs using netgroups):
1. I see that illegal hostnames are accepted within the host attribute from hostObject in ldap, but as you rightly said characters such as '*' or '?' are not interpreted as jokers by sssd configured to provide access over this attribute (aka: ldap_access_order = host). The only exception is '*' alone, which matches any hostname for sssd.
2. when implementing nisNetgroup in ldap it's even better: illegal hostnames are *not* accepted by ldap in the first tuple field, so it is simply not possible to declare something like *.sandbox.* in a netgroup with the hope of using a matching rule for all hosts in your sandbox.
3. a solution :
netgroup provides a simple way (as long as you don't use NIS domain names for something else :)
If I set the nisdomain to "sandbox" on my sandbox hosts, then the netgroup (,,sandbox) matches all these hosts and not the others.
with: "account required pam_access.so" in pam.d/system-auth
I can then add something like this in /etc/access.conf:
+:@admin-users@@sandbox-hosts:
This rule will then allow "admin-users" to log on any host whose nisdomainname is "sandbox".
I have to think about it before deploying, not sure yet this is the right thing to do, but at this stage I can tell that it works on a redhat 6.6 at least :)
Any views on that are welcome.
Best
-- Olivier
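As an added example (not Olivier's setup files and not pam_access's code), this Python model of NIS netgroup triple matching shows why the (,,sandbox) triple picks out exactly the hosts whose nisdomainname is "sandbox", and why a separate user netgroup is still what limits who gets in. The netgroup names, users and hostnames are constructed; the matching rule follows netgroup(5) and innetgr(3): an empty triple field is a wildcard, and a netgroup may contain other netgroups.

```python
# Constructed netgroup data as (host, user, domain) triples, the shape stored
# as nisNetgroupTriple in LDAP; a plain string entry names a nested netgroup
# (memberNisNetgroup). An empty field is a wildcard, as in netgroup(5).
NETGROUPS = {
    # the (,,sandbox) triple from Olivier's report: any host, any user,
    # NIS domain "sandbox"
    "sandbox-hosts": [("", "", "sandbox")],
    # host groups can only list exact hostnames, never "*.sandbox.*"
    "prod-hosts": [("hera02.prod.example.fr", "", ""),
                   ("hera03.prod.example.fr", "", "")],
    "admin-users": [("", "alice", ""), ("", "bob", "")],
    "all-admins": ["admin-users", ("", "carol", "")],
    "loop-a": ["loop-b"],   # a membership cycle the resolver must survive
    "loop-b": ["loop-a"],
}


def _field_ok(triple_field, wanted):
    # None means the caller does not care about this field (NULL to innetgr);
    # an empty triple field matches any value.
    return wanted is None or triple_field == "" or triple_field == wanted


def innetgr(netgroup, host=None, user=None, domain=None, _seen=None):
    """Model of innetgr(3): is (host, user, domain) a member of netgroup?"""
    if _seen is None:
        _seen = set()
    if netgroup in _seen or netgroup not in NETGROUPS:
        return False              # unknown group, or a cycle in nested groups
    _seen.add(netgroup)
    for entry in NETGROUPS[netgroup]:
        if isinstance(entry, str):
            if innetgr(entry, host, user, domain, _seen):
                return True
        elif (_field_ok(entry[0], host) and _field_ok(entry[1], user)
              and _field_ok(entry[2], domain)):
            return True
    return False


def login_allowed(user, hostname, nisdomain):
    """The decision Olivier describes, as two innetgr checks: the user must be
    in the admin netgroup and the host must fall in NIS domain "sandbox"."""
    return (innetgr("all-admins", user=user)
            and innetgr("sandbox-hosts", host=hostname, domain=nisdomain))
```

Because the domain field is what matches, a host that is moved into (or mis-set to) the "sandbox" NIS domain immediately inherits the rule, which is the point to keep in mind before relying on nisdomainname as a security boundary.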
2015-05-05 18:44 GMT+02:00 Olivier ldap@guillard.nom.fr:
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users