Hi
Thanks.
Access Control works with ldap access filter, but how do we authorize without netgroups? I did not find anything like SUDOers for 389ds.
Best regards, Tibor
-----Original Message----- From: William Brown william.brown@suse.com Sent: Thursday, 27 January 2022 01:27 To: 389-users@lists.fedoraproject.org Subject: [389-users] Re: ssh does not see my access.conf
On 25 Jan 2022, at 18:15, Dudas Tibor ABRAXAS Tibor.Dudas@abraxas.ch wrote:
Thanks, you are right: It works with the memberof-Plugin and ldap access filter.
Is there a way to make it work with netgroups? We have it set up like that in our OpenLDAP and would have to migrate everything, otherwise.
According to the documentation it should work: https://directory.fedoraproject.org/docs/389ds/howto/howto-netgroups.html
I've honestly not touched netgroups in a long long time. I think SSSD might have a way to emulate them? But honestly you may want to consider this as a good time to start to migrate away from them ...
But on the ldap side, there is no reason that the data in ldap will be any different between openldap and 389, it's just ldap.
Thanks for your answer, Tibor
-----Original Message----- From: William Brown william.brown@suse.com Sent: Tuesday, 25 January 2022 00:24 To: 389-users@lists.fedoraproject.org Subject: [389-users] Re: ssh does not see my access.conf
On 25 Jan 2022, at 02:36, Dudas Tibor ABRAXAS Tibor.Dudas@abraxas.ch wrote:
Hi,
I can resolve my netgroup user via getent and can login with her on my 389ds client via ssh.
What does not work, yet, is to exclude all other users.
The config is:

getent netgroup sysadmin
sysadmin ( ,eve,)

cat /etc/security/access.conf
+:root:LOCAL
+:root:ALL
+:@sysadmin:ALL
-:ALL:ALL EXCEPT LOCAL

cat /etc/pam.d/system-auth
…
account required pam_access.so accessfile=/etc/security/access.netgroup.conf

cat /etc/security/access.netgroup.conf
+:root:LOCAL
+:root:ALL
+:@sysadmin:ALL
-:ALL:ALL EXCEPT LOCAL
The client logs say, when I try to login with user alice from my 389ds, not belonging to my netgroup sysadmin:

(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [ou=groups,dc=example,dc=com]
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1002)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=groups, dc=example,dc=com].
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_done] (0x0400): DP Request [Account #48]: Request handler finished [0]: Success
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #48]: Receiving request data.
(Mon Jan 24 17:19:31 2022) [sssd[be[LDAP]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #48]: Finished. Success.
The client does not even look for netgroups, but lets everyone pass. What did I miss?
You probably don't want pam_access here, since netgroups are not an LDAP thing.
You can have the same effect with ldap access filter in sssd.conf, and then using pam_sss in the account line of pam.
Any help is appreciated.
Kind regards, Tibor
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
-- Sincerely,
William Brown
Senior Software Engineer, Identity and Access Management SUSE Labs, Australia
-- Sincerely,
William Brown
Senior Software Engineer, Identity and Access Management SUSE Labs, Australia
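To see what the access.conf rules quoted above should decide for each login, here is a small model of pam_access rule evaluation. It is an added example, not code from this thread, from pam_access or from SSSD: it implements only the syntax the posted file uses (+/- permission, login name, @netgroup, ALL, EXCEPT, and LOCAL as the origin of a console login), and the netgroup table is a constructed stand-in for what getent netgroup / innetgr() return. Group syntax, network origins and domain suffixes are not modelled.

```python
"""Simplified model of pam_access rule evaluation (first matching rule wins).

Constructed example, not code from the thread or from pam_access itself.
Modelled subset of /etc/security/access.conf syntax:
  permission : users : origins
  - users   : login name, @netgroup, or ALL
  - origins : LOCAL (console/tty login), ALL, or a host name
  - a field may carry 'EXCEPT' to exclude a sub-list
Not modelled: (group) syntax, network/CIDR origins, domain suffixes.
"""

# The rule set posted in the thread, copied verbatim.
ACCESS_CONF = """\
+:root:LOCAL
+:root:ALL
+:@sysadmin:ALL
-:ALL:ALL EXCEPT LOCAL
"""

# Constructed netgroup table standing in for innetgr()/getent netgroup;
# the thread's 'sysadmin ( ,eve,)' puts only eve in sysadmin.
NETGROUPS = {"sysadmin": {"eve"}}


def _split_except(field):
    """Return (include_list, except_list) for a field like 'ALL EXCEPT LOCAL'."""
    if " EXCEPT " in field:
        inc, exc = field.split(" EXCEPT ", 1)
        return inc.split(), exc.split()
    return field.split(), []


def _user_matches(item, user, netgroups):
    if item == "ALL":
        return True
    if item.startswith("@"):
        return user in netgroups.get(item[1:], set())
    return item == user


def _origin_matches(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":
        # a login with no remote host (console/tty) is treated as LOCAL
        return origin == "LOCAL"
    return item == origin


def _field_matches(field, value, matcher):
    inc, exc = _split_except(field)
    return any(matcher(i, value) for i in inc) and not any(matcher(e, value) for e in exc)


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (p.strip() for p in line.split(":", 2))
        rules.append((perm, users, origins))
    return rules


def decide(user, origin, rules, netgroups=NETGROUPS):
    """Return 'allow' or 'deny' for user logging in from origin.

    origin is 'LOCAL' for a console login, otherwise the remote host name.
    The first rule whose users and origins fields both match wins; when no
    rule matches, pam_access grants access.
    """
    for perm, users, origins in rules:
        if _field_matches(users, user, lambda i, u: _user_matches(i, u, netgroups)) and \
           _field_matches(origins, origin, _origin_matches):
            return "allow" if perm == "+" else "deny"
    return "allow"


def evaluate_thread_cases(netgroups=NETGROUPS):
    """Decisions for the logins discussed in the thread."""
    rules = parse_rules(ACCESS_CONF)
    return {
        "eve via ssh": decide("eve", "client.example.com", rules, netgroups),
        "alice via ssh": decide("alice", "client.example.com", rules, netgroups),
        "alice on console": decide("alice", "LOCAL", rules, netgroups),
        "root via ssh": decide("root", "client.example.com", rules, netgroups),
    }


if __name__ == "__main__":
    for case, verdict in evaluate_thread_cases().items():
        print(f"{case:18s} -> {verdict}")
    # With no netgroup data at all, @sysadmin matches nobody and eve is denied too.
    for case, verdict in evaluate_thread_cases(netgroups={}).items():
        print(f"{case:18s} -> {verdict} (no netgroup data)")
```

Two things the model makes visible. First, with these rules alice over ssh must be denied whether or not the netgroup resolves, so the observed "everyone passes" means the account stack is not reaching pam_access with this file at all, not that the netgroup lookup is wrong. Second, the closing rule excludes LOCAL from the deny, so every directory user can still log in at the console; drop the EXCEPT if that is not intended.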
sudoers has an ldap extension that allows you to read sudo rules from ldap.
Alternately, standard sudo rules and groups will work with ldap presented users and groups.
On 15 Feb 2022, at 02:16, Dudas Tibor ABRAXAS Tibor.Dudas@abraxas.ch wrote:
Hi
Thanks.
Access Control works with ldap access filter, but how do we authorize without netgroups? I did not find anything like SUDOers for 389ds.
Best regards, Tibor
-- Sincerely,
William Brown
Senior Software Engineer, Identity and Access Management SUSE Labs, Australia
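For the sudoers LDAP extension mentioned in the reply, here is an added example (not code from the thread, from sudo or from SSSD) that shows what a rule in the sudoers LDAP schema looks like and how it is matched. The LDIF, the ou=SUDOers container, the group and netgroup tables and the host names are all constructed; the attribute names (sudoRole, sudoUser, sudoHost, sudoCommand) are the real schema. The model covers sudoUser as login, %group, +netgroup or ALL, sudoHost as host name, +netgroup or ALL, and sudoCommand as an exact path or ALL; negated commands, sudoOption, sudoRunAsUser, sudoOrder, wildcards and arguments are left out.

```python
"""Matching sudo rules stored in LDAP (sudoers schema).

Constructed example, not code from the thread, from sudo or from SSSD.
The LDIF below is hand-written in the sudoers LDAP schema; the group and
netgroup tables stand in for what NSS would return from the directory.
Not modelled: '!' negation (LDAP attribute values are unordered, so the
sudoers last-match rule does not carry over cleanly), sudoOption,
sudoRunAsUser, sudoOrder, wildcards and command arguments.
"""

# Constructed: a role giving the sysadmin POSIX group sudo everywhere,
# and a role giving a helpdesk netgroup one command on the web servers.
SUDO_LDIF = """\
dn: cn=sysadmins,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: sysadmins
sudoUser: %sysadmin
sudoHost: ALL
sudoCommand: ALL

dn: cn=helpdesk-restart,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: helpdesk-restart
sudoUser: +helpdesk
sudoHost: +webservers
sudoCommand: /usr/bin/systemctl restart httpd
"""

# Constructed NSS views of the directory
GROUPS = {"sysadmin": {"eve"}}            # posixGroup / memberOf membership
USER_NETGROUPS = {"helpdesk": {"alice"}}  # user field of netgroup triples
HOST_NETGROUPS = {"webservers": {"web1.example.com", "web2.example.com"}}


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, value = line.split(":", 1)
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return [e for e in entries if "sudoRole" in e.get("objectClass", [])]


def user_matches(spec, user):
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return user in GROUPS.get(spec[1:], set())
    if spec.startswith("+"):
        return user in USER_NETGROUPS.get(spec[1:], set())
    return spec == user


def host_matches(spec, host):
    if spec == "ALL":
        return True
    if spec.startswith("+"):
        return host in HOST_NETGROUPS.get(spec[1:], set())
    return spec == host


def may_run(user, host, command, roles=None):
    """True if some sudoRole grants user the command on host, else False."""
    roles = parse_ldif(SUDO_LDIF) if roles is None else roles
    for role in roles:
        if not any(user_matches(s, user) for s in role.get("sudoUser", [])):
            continue
        if not any(host_matches(s, host) for s in role.get("sudoHost", [])):
            continue
        if any(c == "ALL" or c == command for c in role.get("sudoCommand", [])):
            return True
    return False


if __name__ == "__main__":
    for who, where, what in [
        ("eve", "db1.example.com", "/bin/bash"),
        ("alice", "web1.example.com", "/usr/bin/systemctl restart httpd"),
        ("alice", "db1.example.com", "/usr/bin/systemctl restart httpd"),
        ("alice", "web1.example.com", "/bin/bash"),
    ]:
        verdict = "allowed" if may_run(who, where, what) else "denied"
        print(f"{who}@{where}: {what} -> {verdict}")
```

The %sysadmin rule is the point of the second sentence in the reply: the same directory group that drives the ldap_access_filter can drive sudo, with no netgroup involved, and the helpdesk rule shows that netgroups are still usable for both the user and host side if they are kept. Anything not granted by a matching role is denied by default.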