Thank you Lukas,

> >My question is : are jokers supported in the host attribute ?
>
> Answer is no.
>
> Although it should not be difficult to implement it.
> I would suggest to look into function sdap_access_host
> in src/providers/ldap/sdap_access.c and function fnmatch
> (or libpcre which is already used by sssd)

I think it's in function 'sdap_access_host', in the tests after
host = (char *)el->values[i].data;

I'm not a C expert, but one may use this:

http://www.gnu.org/software/libc/manual/html_node/POSIX-Regexp-Compilation.html
http://www.gnu.org/software/libc/manual/html_node/Matching-POSIX-Regexps.htm

But the whole testing process would need to be reviewed to consider
the whole host (except the potential starting '!', which would still need specific
processing) as a regular expression: I suspect this is not as simple as that
(for me at least).

Maybe another way would be to use a NIS netgroup with pam_access and to add an HBAC
mechanism that knows about jokers?

--
Olivier
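Lukas's suggestion above (fnmatch(3) inside the host-attribute check), written out as an added example for this thread. It is not SSSD's code and makes no claim about what sdap_access.c actually does; the function name, the 256-byte host limit, the "any deny match wins" rule and the sample host lists are this example's own assumptions.

```c
/* Wildcard matching for LDAP "host" attribute values.
 * Added example for the thread, not SSSD's sdap_access_host(). */
#include <ctype.h>
#include <fnmatch.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 256   /* assumed upper bound for a hostname or pattern */

/* Lower-case copy of src into dst (DNS names are case-insensitive).
 * Returns false instead of truncating when src does not fit. */
static bool lower_copy(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (n >= cap)
        return false;
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[n] = '\0';
    return true;
}

/*
 * Evaluate hostname against all "host" values of one user entry.
 * Semantics chosen for this example (an assumption, not SSSD's rules):
 *   - a value starting with '!' is a deny pattern; a deny match wins
 *     wherever it appears in the list;
 *   - every other value is an allow pattern; "*" and an exact hostname
 *     are just patterns, so the two cases that already work in the thread
 *     fall out of fnmatch() without special handling;
 *   - no values, an oversized value, or an fnmatch() error means denied.
 */
bool host_access_allowed(const char *hostname, const char *const *values,
                         size_t nvalues)
{
    char host[HOST_MAX], pat[HOST_MAX];
    bool allowed = false;

    if (hostname == NULL || !lower_copy(host, sizeof host, hostname))
        return false;

    for (size_t i = 0; i < nvalues; i++) {
        const char *v = values[i];
        bool deny = false;

        if (v == NULL)
            continue;
        if (v[0] == '!') {          /* leading '!' negates the pattern */
            deny = true;
            v++;
        }
        if (!lower_copy(pat, sizeof pat, v))
            return false;           /* fail closed on oversized values */

        /* flags == 0: no FNM_PATHNAME, so '*' matches across dots and
         * "*.sandbox.*" covers gaia01.sandbox.example.fr as intended. */
        int rc = fnmatch(pat, host, 0);
        if (rc == 0) {
            if (deny)
                return false;       /* explicit deny ends evaluation */
            allowed = true;         /* keep scanning for a later deny */
        } else if (rc != FNM_NOMATCH) {
            return false;           /* malformed pattern: fail closed */
        }
    }
    return allowed;
}

int main(void)
{
    /* Constructed values mirroring the host used in the thread. */
    const char *me = "gaia01.sandbox.example.fr";
    const char *wild[]   = { "*.sandbox.*" };
    const char *denied[] = { "*.sandbox.*", "!gaia01.*" };

    printf("%s vs [*.sandbox.*]           -> %s\n", me,
           host_access_allowed(me, wild, 1) ? "allow" : "deny");
    printf("%s vs [*.sandbox.*, !gaia01.*] -> %s\n", me,
           host_access_allowed(me, denied, 2) ? "allow" : "deny");
    return 0;
}
```

Two cautions before relying on a pattern like this: "*.sandbox.*" matches any name with ".sandbox." anywhere in it, so if the directory ever serves hosts outside example.fr a suffix-anchored "*.sandbox.example.fr" is the tighter choice; and the name being matched is whatever the client reports as its own hostname, so the check is only as strong as your control over client naming.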
2015-05-05 16:56 GMT+02:00 Lukas Slebodnik <lslebodn@redhat.com>:
On (05/05/15 16:44), Olivier wrote:
>Hi everyone,
>
>I have become aware on this list of "access_provider" and
>"ldap_access_order", which I had ignored (thank you again), and I'm now testing
>a couple of things.
>
>I am trying to configure SSSD for host based access control (enabling the
>behavior of pam_check_host_attr) and the following works for me:
>
>On the client side (hostname = gaia01.sandbox.example.fr), I added this to
>my sssd.conf:
>
>access_provider = ldap
>ldap_access_order = host
>ldap_user_authorized_host = host
>
>
>I have added the objectclass hostObject to my users on the ldap side and I
>see that :
>
>- if attribute host is not set in ldap for a user, then access to
>gaia01.sandbox.example.fr is refused
>- if attribute host is set for a user to gaia01.sandbox.example.fr then
>access is granted for that user on gaia01.sandbox.example.fr
>- if attribute host is set for a user  to '*'  then access is granted for
>that user on gaia01.sandbox.example.fr
>- if attribute host is set to anything else then access to
>gaia01.sandbox.example.fr is refused
>
>-> so far so good, that's what I (almost) expected.
>
>My problem now is that I would like to grant access to certain users to
>all hosts in the sandbox space.
>
>I tried to set attribute host for a user to '*.sandbox.*' (I also tried
>'*sandbox*') and I see that access to gaia01.sandbox.example.fr is refused
 ^^^^^^^^^^
Wildcards/regex in such a way are not supported with ldap_user_authorized_host.

It is already written in man page.
    @see man sssd-ldap -> ldap_user_authorized_host

>My question is : are jokers supported in the host attribute ?
>
Answer is no.

Although it should not be difficult to implement it.
I would suggest to look into function sdap_access_host
in src/providers/ldap/sdap_access.c and function fnmatch
(or libpcre which is already used by sssd)

>And the bonus question: if not, what would you recommend to tune user
>authorizations in ldap so that they can only log in to all machines that
>contain a specific label in their hostname (or why not all hosts that are
>hosted in a specific network).
>
Currently you can have more host attributes in the LDAP entry (not flexible)
or better/recommended is to use HBAC (host based access control) with IPA.
Unfortunately, HBAC can be used just with the IPA provider and not with ldap.

LS
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users