Friday, April 29, 2016

[389-users] Re: Login restrictions

On Thu, 28 Apr 2016 13:12:56 +0000
"Kalchik, Jeffery" <JDKalchik@landolakes.com> wrote:

> Good morning.
>
> It might be enlightening to define "a lot of machines." I have ~300
> clients tied to a 3 node 389-ds cluster, with a few hundred accounts.
>
> I've built access restrictions here on the basis of hostname and
> NSRole definitions. For Linux hosts using sssd, I have a filter
> expression in ldap_user_search_base that ends up something like:
>
> ldap_user_search_base =
> ou=OU,dc=fq,dc=dn?sub?|(host=hostname)(nsrole=cn=Role1,ou=OU,dc=fq,dc=cn)...
>
> I use a similar expression in /etc/ldap.conf for earlier versions,
> using nss_base_passwd (there is a difference in syntax.) As a side
> note, I'd started a few years back with the pam_filter call, and
> discovered that I was overrunning a buffer. My Linux kickstarts
> build these expressions for me automatically, and I've got scripts
> set up to extend as necessary. Similar filters work for both AIX and
> HP-UX.
>

Can you give me some ldap.conf example to filter logins?
Because I have 5.x RedHat machines that don't use sssd, so I need other
ways to perform login restrictions.

>
> adduser? Unless I'm missing something completely, that's only for
> local accounts.

Yes, of course. I wrote that in answer to the simple_allow_users suggestion.

>
> Jeff Kalchik
> Systems Engineering
> Land O'Lakes
>
> -----Original Message-----
> From: Enrico Morelli [mailto:morelli@cerm.unifi.it]
> Sent: Thursday, April 28, 2016 4:07 AM
> To: 389-users@lists.fedoraproject.org
> Subject: [389-users] Re: Login restrictions
>
> On Wed, 27 Apr 2016 17:44:22 -0000
> "Lukas Slebodnik" <lslebodn@fedoraproject.org> wrote:
>
> > > Is it possible to restrict login only to those bound to a
> > > determinated group?
> > >
> > > I tried to use the following lines in sssd.conf but it doesn't work:
> > >
> > > access_provider = ldap
> > > ldap_access_order = filter
> > > ldap_access_filter = (gidNumber=900)
> > I think it might be simpler to use access_provider simple @see man
> > sssd-simple
> >
> > [domain/example.com]
> > access_provider = simple
> > simple_allow_users = user1, user2
>
> Could be, but I think I'd lose the LDAP benefit. I have a lot of
> machines, and to avoid creating/removing users on each machine I
> installed 389ds. So if I have to add/remove users in
> simple_allow_users on each machine, I can continue to use adduser. Or
> not?
>
> --
> -------------------------------------------------------------
> Enrico Morelli
> System Administrator | Programmer | Web Developer
>
> CERM - Polo Scientifico
> Via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
> phone: +39 055 457 4269
> fax: +39 055 457 4927
> -------------------------------------------------------------
> --
> 389-users mailing list
> 389-users@lists.fedoraproject.org
> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org


--
-------------------------------------------------------------
Enrico Morelli
System Administrator | Programmer | Web Developer

CERM - Polo Scientifico
Via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
phone: +39 055 457 4269
fax: +39 055 457 4927
-------------------------------------------------------------
--
389-users mailing list
389-users@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
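To make the host/nsrole search-base filter Jeff describes concrete, here is an added example (not code from the thread, from sssd or from 389-ds) that parses sssd's base?scope?filter form and evaluates the filter against a few constructed directory entries; the hostnames, uids and the role DN are assumed, and the same evaluator shows what the (gidNumber=900) access filter from the first message would select:

```python
"""Evaluate an sssd-style 'base?scope?filter' search base against entries.
Added example (not from the thread, sssd or 389-ds); entries are constructed."""
import re

TOKENS = re.compile(r"\(|\)|[^()]+")

def parse_filter(text):
    """Parse an RFC 4515 filter: (&..), (|..), (!..) and (attr=value)."""
    tokens, pos = TOKENS.findall(text), 0
    def node():
        nonlocal pos
        assert tokens[pos] == "(", "expected '(' at token %d" % pos
        body, pos = tokens[pos + 1], pos + 2
        if body in ("&", "|", "!"):           # compound: child filters follow
            kids = []
            while tokens[pos] == "(":
                kids.append(node())
            pos += 1                          # the compound's closing ')'
            return (body, kids)
        attr, value = body.split("=", 1)      # the value itself may hold '=' (a DN)
        pos += 1                              # the item's closing ')'
        return ("=", attr.lower(), value.lower())
    return node()

def matches(tree, entry):
    """True if entry (attr -> list of values, case-insensitive) satisfies tree."""
    kind = tree[0]
    if kind in ("&", "|"):
        results = [matches(k, entry) for k in tree[1]]
        return all(results) if kind == "&" else any(results)
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value in values

# Constructed entries; nsrole is a computed attribute in 389-ds, modelled as a list.
USERS = [
    {"uid": ["alice"], "gidnumber": ["900"], "host": ["web01"], "nsrole": []},
    {"uid": ["bob"], "gidnumber": ["1000"], "host": [], "nsrole": ["cn=Role1,ou=OU,dc=fq,dc=cn"]},
    {"uid": ["carol"], "gidnumber": ["900"], "host": ["db01"], "nsrole": []},
]
# Hypothetical ldap_user_search_base for host web01, in the shape quoted above.
WEB01_BASE = "ou=OU,dc=fq,dc=dn?sub?(|(host=web01)(nsrole=cn=Role1,ou=OU,dc=fq,dc=cn))"

def visible_users(search_base, entries=USERS):
    """uids an sssd client with this search base could resolve as login users."""
    base, scope, flt = search_base.split("?", 2)   # sssd's base?scope?filter form
    tree = parse_filter(flt)
    return sorted(e["uid"][0] for e in entries if matches(tree, e))
```

Only alice (host=web01) and bob (holding the role) resolve on web01; carol, who exists in the directory, is simply invisible there.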
