On 11/24/17, 8:22 AM, "Jakub Hrozek" <jhrozek(a)redhat.com> wrote:
> On Fri, Nov 24, 2017 at 10:02:15AM +0000, Conwell, Nik wrote:
> The simple access provider looks at the user entry itself and their groups in
> the sssd cache - unlike the access filter, which is applied against the
> entry in the LDAP server.
> So yes, SSSD first resolves the groups during the initgroups operation
> and then runs the simple access check on the result.
Hi, sorry for the radio silence on this. I took a look at the groups available and picked one
appropriate for membership, and using simple_allow_groups restricts/enables access as
desired. Success!
I've also discovered that even though we restrict access to memberOf, there are other
fields in AD that are visible for the access filter, so I can do things like:
ad_access_filter = (|(department=IT)(manager=CN=myboss,OU=People,DC=blah,DC=blah,DC=com))
to allow access to a department or people who are in my immediate group.
Thanks very much for your help Jakub!
-nik
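The two access-control mechanisms compared in this thread, side by side in a sssd.conf domain section. This is an added example, not configuration posted by either participant: the domain name, the group name and the DN components are placeholders, while `department=IT` and the manager DN are the values from the message above.

```ini
# Added example (not from the thread): the two access-control variants
# discussed above, expressed in /etc/sssd/sssd.conf. Domain name, group
# name and DNs are placeholders; only department=IT and the manager DN
# are taken from the thread.

[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
auth_provider = ad

# --- Variant 1: simple access provider ---
# Evaluated against the user entry and the group list already in the SSSD
# cache (filled during initgroups), so it works even when memberOf is
# restricted on the AD side. A membership change in AD is only seen once
# the cached entry is refreshed or invalidated.
access_provider = simple
simple_allow_groups = linux-login-allowed

# --- Variant 2: LDAP filter applied to the user's entry in AD ---
# Uncomment to use instead of variant 1 (only one access_provider per
# domain). The filter runs against the live AD object, so any attribute
# the SSSD bind account is allowed to read can be used; in the thread's
# environment memberOf was restricted but department and manager were not.
#access_provider = ad
#ad_access_filter = (|(department=IT)(manager=CN=myboss,OU=People,DC=blah,DC=blah,DC=com))
```

Because variant 1 reads the cache, after moving a user into or out of the group in AD, invalidate the cached entries with `sss_cache -E` (or wait for the entry to expire) before retesting. Recent SSSD releases ship `sssctl user-checks <user> -s sshd -a acct`, which prints the access decision for a given PAM service without an actual login attempt, which is a convenient way to confirm either variant behaves as intended.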
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org