On (05/05/15 16:44), Olivier wrote:
>Hi everyone,
>
>I have been made aware on this list about "access_provider" and
>"ldap_access_order", which I had ignored (thank you again), and I'm now testing
>a couple of things.
>
>I try to configure SSSD for host based access control (enabling the
>behavior of pam_check_host_attr) and the following works for me:
>
>On the client side (hostname = gaia01.sandbox.example.fr), I added this to
>my sssd.conf:
>
>access_provider = ldap
>ldap_access_order = host
>ldap_user_authorized_host = host
>
>
>I have added the objectclass hostObject to my users on the ldap side and I
>see that :
>
>- if attribute host is not set in ldap for a user, then access to
>gaia01.sandbox.example.fr is refused
>- if attribute host is set for a user to gaia01.sandbox.example.fr then
>access is granted for that user on gaia01.sandbox.example.fr
>- if attribute host is set for a user to '*' then access is granted for
>that user on gaia01.sandbox.example.fr
>- if attribute host is set to anything else then access to
>gaia01.sandbox.example.fr is refused
>
>-> so far so good, that's what I (almost) expected.
>
>My problem now is that I would like to grant access to certain users to
>all hosts in the sandbox space.
>
>I tried to set attribute host for a user to '*.sandbox.*' (I also tried
>'*sandbox*') and I see that access to gaia01.sandbox.example.fr is refused
Wildcards/regex in such a way are not supported with ldap_user_authorized_host.
It is already written in the man page.
@see man sssd-ldap -> ldap_user_authorized_host
>My question is : are jokers supported in the host attribute ?
>
Answer is no.
Although it should not be difficult to implement it.
I would suggest to look into function sdap_access_host
in src/providers/ldap/sdap_access.c and function fnmatch
(or libpcre which is already used by sssd)
>And the bonus question: if not, what would you recommend to tune user
>authorisations in ldap so that they can only log in to all machines that
>contain a specific label in their hostname (or why not all hosts that are
>hosted in a specific network).
>
Currently you can have more host attributes in the LDAP entry (not flexible)
or better/recommended is to use HBAC(host based access control) with IPA.
Unfortunately, HBAC can be used just with IPA provider and not with ldap.
LS
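As an added illustration (not sssd's own code from sdap_access.c), here is a small model of the two matching rules the thread contrasts: the exact-or-'*' rule that Olivier's observations describe, and a glob rule of the kind LS suggests building on fnmatch. The hostnames and host attribute values are constructed for the example; a user entry may carry several host values, so both functions grant if any value grants.

```python
import fnmatch


def _normalize(name):
    """Hostnames are case-insensitive; compare them in one case and
    without a trailing dot so 'GAIA01.Sandbox.Example.FR.' still matches."""
    return name.rstrip(".").lower()


def host_access_exact(client_host, host_values):
    """Decision as observed in the thread for ldap_user_authorized_host:
    - no host value on the user entry   -> denied
    - a value equal to the client host  -> granted
    - the single value '*'              -> granted
    - anything else (including globs)   -> denied
    """
    client = _normalize(client_host)
    for value in host_values:
        if value == "*" or _normalize(value) == client:
            return True
    return False


def host_access_glob(client_host, host_values):
    """Hypothetical extension: treat each host value as an fnmatch-style
    pattern, so '*.sandbox.*' or '*sandbox*' would cover every sandbox host.
    This is a sketch of the idea, not behaviour sssd currently provides."""
    client = _normalize(client_host)
    for value in host_values:
        if fnmatch.fnmatchcase(client, _normalize(value)):
            return True
    return False


def compare(client_host, host_values):
    """Return (exact_decision, glob_decision) for one user's host values."""
    return (host_access_exact(client_host, host_values),
            host_access_glob(client_host, host_values))


if __name__ == "__main__":
    host = "gaia01.sandbox.example.fr"
    for values in ([], [host], ["*"], ["other.example.fr"], ["*.sandbox.*"], ["*sandbox*"]):
        print(values, "->", compare(host, values))
```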
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users