Monday, February 14, 2022

[389-users] Re: Authorization without Netgroups

sudoers has an ldap extension that allows you to read sudo rules from ldap.

Alternately, standard sudo rules and groups will work with ldap presented users and groups.



> On 15 Feb 2022, at 02:16, Dudas Tibor ABRAXAS <Tibor.Dudas@abraxas.ch> wrote:
>
> Hi
>
> Thanks.
>
> Access Control works with ldap access filter, but how do we authorize without netgroups? I did not find anything like SUDOers for 389ds.
>
> Best regards,
> Tibor
>
>
> -----Ursprüngliche Nachricht-----
> Von: William Brown <william.brown@suse.com>
> Gesendet: Donnerstag, 27. Januar 2022 01:27
> An: 389-users@lists.fedoraproject.org
> Betreff: [389-users] Re: ssh does not see my access.conf
>
>
>
>> On 25 Jan 2022, at 18:15, Dudas Tibor ABRAXAS <Tibor.Dudas@abraxas.ch> wrote:
>>
>> Thanks, you are right: It works with the memberof-Plugin and ldap access filter.
>>
>> Is there a way to make it work with netgroups? We have it set up like that in our OpenLDAP and would have to migrate everything, otherwise.
>>
>> According to the documentation it should work:
>> https://directory.fedoraproject.org/docs/389ds/howto/howto-netgroups.h
>> tml
>
> I've honestly not touched netgroups in a long long time. I think SSSD might have a way to emulate them? But honestly you may want to consider this as a good time to start to migrate away from them ...
>
> But on the ldap side, there is no reason that the data in ldap will be any different between openldap and 389, it's just ldap.
>
>
>>
>>
>> Thanks for your answer,
>> Tibor
>>
>>
>> -----Ursprüngliche Nachricht-----
>> Von: William Brown <william.brown@suse.com>
>> Gesendet: Dienstag, 25. Januar 2022 00:24
>> An: 389-users@lists.fedoraproject.org
>> Betreff: [389-users] Re: ssh does not see my access.conf
>>
>>
>>
>>> On 25 Jan 2022, at 02:36, Dudas Tibor ABRAXAS <Tibor.Dudas@abraxas.ch> wrote:
>>>
>>> Hi,
>>>
>>> I can resolve my netgroup user via getent and can login with her on my 389ds client via ssh.
>>>
>>> What does not work, yet, is to exclude all other users.
>>>
>>> The Config is:
>>> getent netgroup sysadmin
>>> sysadmin ( ,eve,)
>>>
>>> cat /etc/security/access.conf
>>> +:root:LOCAL
>>> +:root:ALL
>>> +:@sysadmin:ALL
>>> -:ALL:ALL EXCEPT LOCAL
>>>
>>> Cat /etc/pam.d/system-auth
>>> …
>>> account required pam_access.so
>>> accessfile=/etc/security/access.netgroup.conf
>>>
>>> cat =/etc/security/access.netgroup.conf
>>> +:root:LOCAL
>>> +:root:ALL
>>> +:@sysadmin:ALL
>>> -:ALL:ALL EXCEPT LOCAL
>>>
>>> The client logs say, when I try to login with user alice from my 389ds, not belonging to my netgroup sysadmin:
>>> (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]]
>>> [sdap_get_groups_next_base] (0x0400): Searching for groups with base [ou=groups,dc=example,dc=com] (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1002)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=groups, dc=example,dc=com].
>>> (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]]
>>> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
>>> (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]]
>>> [sysdb_search_group_by_gid] (0x0400): No such entry (Mon Jan 24
>>> 17:19:31 2022) [sssd[be[LDAP]]] [sysdb_delete_group] (0x0400): Error:
>>> 2 (No such file or directory) (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_done] (0x0400): DP Request [Account #48]: Request handler finished [0]: Success (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #48]: Receiving request data.
>>> (Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #48]: Finished. Success.
>>>
>>> The client does not even look for netgroups, but lets everyone pass. What did I miss?
>>
>> You probably don't want pam_access here, since netgroups are not an LDAP thing.
>>
>> You can have the same effect with ldap access filter in sssd.conf, and then using pam_sss in the account line of pam.
>>
>>>
>>> Any help is appreciated.
>>>
>>> Kind regards, Tibor
>>>
>>>
>>> _______________________________________________
>>> 389-users mailing list -- 389-users@lists.fedoraproject.org To
>>> unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines:
>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedorap
>>> r oject.org Do not reply to spam on the list, report it:
>>> https://pagure.io/fedora-infrastructure
>>
>> --
>> Sincerely,
>>
>> William Brown
>>
>> Senior Software Engineer, Identity and Access Management SUSE Labs,
>> Australia
>>
>> _______________________________________________
>> 389-users mailing list -- 389-users@lists.fedoraproject.org To
>> unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines:
>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedorapr
>> oject.org Do not reply to spam on the list, report it:
>> https://pagure.io/fedora-infrastructure
>> _______________________________________________
>> 389-users mailing list -- 389-users@lists.fedoraproject.org To
>> unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines:
>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedorapr
>> oject.org Do not reply to spam on the list, report it:
>> https://pagure.io/fedora-infrastructure
>
> --
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, Identity and Access Management SUSE Labs, Australia
>
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Sincerely,

William Brown

Sesion Software Engineer,
Identity and Access Management
SUSE Labs, Australia

_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)