On 06/04/2013 10:13 AM, Bryan Harris wrote:
Hi all,
I have the following lines in my file /etc/security/access.conf for
the purpose of my testing.
- : bryan.harris.adm : ALL
- : ALL : ALL
When I place the following into /etc/pam.d/sshd I can prevent my
login. The error is "pam_access(sshd:account): access denied for user
`bryan.harris.adm' from" which looks like exactly what I want to see.
account required pam_access.so
When I place the following into /etc/pam.d/sshd I can once again login
just fine and access.conf seems to be ignored.
account required pam_access.so listsep=,
The motivation is that I want to only allow the AD group "Linux
Admins" (without quotes) to be able to login. So eventually I want to
get a line like - : @Linux Admins : ALL into my
/etc/security/access.conf file.
Can anyone explain how I can make this work properly? I doubt I can
convince the Windows guys to not use spaces in their group names but I
could try.
Or is it better for me to just use ldap_access_filter and leave the
security up to sssd? The reason I looked into access.conf was to have
another security layer "just in case", but if that's redundant and
unnecessary than I suppose I don't need any of this anyway.
ldap_access_filter seems like the right approach here. I think the
example in the sssd-ldap man page shows the exact line that you are
looking for
access_provider = ldap
ldap_access_filter = memberOf=cn=Linux Admins,ou=Groups,dc=example,dc=com
Bryan
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/