On Thu, Oct 25, 2012 at 10:36:05AM +0200, Tomas Brandysky wrote:
Hello,
we're upgrading from Centos 5.8 to Centos 6.3 and have realized few
things have changed in the system.
We're using LDAP authentication (nss_ldap package) on our Centos 5.8
servers and have different PAM ldap configuration files configured to be
used for specific PAM services at the moment.
Here is the example of our setup:
/etc/pam.d/service1:
auth sufficient pam_ldap.so config=/etc/ldap_service1.conf
/etc/pam.d/service2:
auth sufficient pam_ldap.so config=/etc/ldap_service2.conf
Thus we can use specific LDAP filters for various different services as
not all users having access to one service also have access to other
services on the same server.
Now we're facing the problem to manage the same functionality with
System Security Services Daemon (SSSD) which was newly presented with
RHEL 6.
We didn't find out so far how to specify custom sssd configuration file
(or specific part of the configuration section/domain) in PAM service
configuration. According to documentation only these options can be
specified when using pam_sss module: [forward_pass] [use_first_pass]
[use_authtok].
None of them can be used to make a difference in a ldap filter to be used.
Is there a way how to configure specific search filters depending on PAM
service ?
Thank you for any suggestion
I think what you are looking for is covered in
https://fedorahosted.org/sssd/ticket/1021.
If you only want to allow/deny access for specific users to specific
service you can add an attribute to the user objects in the LDAP server
listing the allowed PAM services and use ldap_user_authorized_service.
See sssd-ldap man page for details.
If you want more fine grained access control you might want to have a
look at the FreeIPA HBAC rules.
HTH
bye,
Sumit
Regards
Tomas Brandysky
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users