Thursday, April 28, 2016

[389-users] Re: Login restrictions

Good morning.

It might be enlightening to define "a lot of machines." I have ~300 clients tied to a 3 node 389-ds cluster, with a few hundred accounts.

I've built access restrictions here on the basis of hostname and NSRole definitions. For Linux hosts using sssd, I have a filter expression in ldap_user_search_base that ends up something like:

ldap_user_search_base = ou=OU,dc=fq,dc=dn?sub?|(host=hostname)(nsrole=cn=Role1,ou=OU,dc=fq,dc=cn)...

I use a similar expression in /etc/ldap.conf for earlier versions, using nss_base_passwd (there is a difference in syntax.) As a side note, I'd started a few years back with the pam_filter call, and discovered that I was overrunning a buffer. My Linux kickstarts build these expressions for me automatically, and I've got scripts set up to extend as necessary. Similar filters work for both AIX and HP-UX.

With the exception of HP-UX (due to the way that filtering is implemented in the LDAP-UX client,) this does have the pleasant side effect of only showing users that are authorized for a particular server, not the entire list of accounts when running 'getent passwd' or the O/S equivalent.

Obviously, you can tailor the filtering expressions to search on arbitrary attributes.

adduser? Unless I'm missing something completely, that's only for local accounts.

Jeff Kalchik
Systems Engineering
Land O'Lakes

-----Original Message-----
From: Enrico Morelli [mailto:morelli@cerm.unifi.it]
Sent: Thursday, April 28, 2016 4:07 AM
To: 389-users@lists.fedoraproject.org
Subject: [389-users] Re: Login restrictions

On Wed, 27 Apr 2016 17:44:22 -0000
"Lukas Slebodnik" <lslebodn@fedoraproject.org> wrote:

> > Is it possible to restrict login only to to whom bound to a
> > determinated group?
> >
> > I tried to use the following lines in sssd.conf but doesn't works:
> >
> > access_provider = ldap
> > ldap_access_order = filter
> > ldap_access_filter = (gidNumber=900)
> I think it might be simpler to use access_provider simple @see man
> sssd-simple
>
> [domain/example.com]
> access_provider = simple
> simple_allow_users = user1, user2

Could be, but I think to loose the LDAP benefit. I've a lot of machines and to avoid to create/remove users on each machine I installed 389ds.
So if I've to add/remove user to the simple_allow_users on each machine I can continue to use adduser. Or not?

--
-------------------------------------------------------------
Enrico Morelli
System Administrator | Programmer | Web Developer

CERM - Polo Scientifico
Via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
phone: +39 055 457 4269
fax: +39 055 457 4927
-------------------------------------------------------------
--
389-users mailing list
389-users@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
This message may contain confidential material from Land O'Lakes, Inc. (or its subsidiary) for the sole use of the intended recipient(s) and may not be reviewed, disclosed, copied, distributed or used by anyone other than the intended recipient(s). If you are not the intended recipient, please contact the sender by reply email and delete all copies of this message.
--
389-users mailing list
389-users@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)