Hi Lukas and all,
here is a little report of my investigations (concluding with a simple way
that I found and that may meet my needs using netgroups):
1. I see that illegal hostnames are accepted within the host attribute from
hostObject in ldap, but as you rightly said characters such as '*' or '?'
are not interpreted as jokers by sssd configured to provide access over
this attribute (aka: ldap_access_order = host). The only exception is '*'
alone, which matches any hostname for sssd.
2. when implementing nisNetgroup in ldap it's even better: illegal
hostnames are *not* accepted by ldap in the first tuple field, so it is
simply not possible to declare something like *.sandbox.* in a netgroup with
the hope to use a matching rule for all hosts in your sandbox.
3. a solution:
netgroup provides a simple way (as long as you don't use nis domain names
for something else :)
If I set the nisdomain to "sandbox" on my sandbox hosts, then the netgroup
(,,sandbox) matches all these hosts and not the others.
With "account required pam_access.so" in pam.d/system-auth
I can then add something like this in /etc/access.conf:
+:@admin-users@@sandbox-hosts:
This rule will then allow "admin-users" to log on any host whose
nisdomainname is "sandbox"
I have to think about it before deploying, not sure yet this is the right thing
to do, but at this stage I can tell that it works on a redhat 6.6 at least :)
Any views on that are welcomed.
Best
--
Olivier
2015-05-05 18:44 GMT+02:00 Olivier <ldap(a)guillard.nom.fr>:
> http://linux.die.net/man/3/fnmatch
Ah yes, I see: sounds like the right function indeed. To be honest
I'm not volunteering, but I promise I will look at it.
> Netgroups are not supported in ldap_user_authorized_host either.
> So it will not work.
if pam_access supports it (I think it does) it might work adding something
like this: "account required pam_access.so" in pam.d/system-auth
But doing that, I'll also need to remove "ldap_access_order = host" in
sssd.conf and outsource HBAC to pam_access.
I'll test and let you know.
Best,
--
Olivier
2015-05-05 18:22 GMT+02:00 Lukas Slebodnik <lslebodn(a)redhat.com>:
> On (05/05/15 18:10), Olivier wrote:
> >Thank you Lukas,
> >
> >> >My question is : are jokers supported in the host attribute ?
> >>
> >> Answer is no.
> >>
> >> Although it should not be difficult to implement it.
> >> I would suggest to look into function sdap_access_host
> >> in src/providers/ldap/sdap_access.c and function fnmatch
> >> (or libpcre which is already used by sssd)
> >
> >I think it's in function 'sdap_access_host', in the tests after
> >host = (char *)el->values[i].data;
> >
> >I'm not a C expert but may use this:
> I thought you volunteered to implement it.
> I didn't notice it's the sssd-users list.
> >
> > http://www.gnu.org/software/libc/manual/html_node/POSIX-Regexp-Compilatio...
> > http://www.gnu.org/software/libc/manual/html_node/Matching-POSIX-Regexps.htm
> >
>
> I meant
> http://linux.die.net/man/3/fnmatch
> http://www.pcre.org/original/doc/html/index.html
>
> >But the whole testing process would need to be reviewed to consider
> >the whole host (except the potential starting '!' that still would need a
> >specific process) as a regular expression: I suspect this not being as
> >simple as that (for me at least).
> >
> >Maybe another way would be to use a nis netgroup with pam_access and to add a
> >HBAC
> Netgroups are not supported in ldap_user_authorized_host either.
> So it will not work.
>
> Currently ldap_user_authorized_host is very simple.
> It does exactly what it is described in man page.
>
> If someone wants to use it for a different purpose then new features need to be
> implemented. Patches are always welcomed.
>
> According to git the author of this feature is
> commit 3612c73e7957721bcbf31d0118e2ac210eb46b88
> Author: Pierre Ossman <pierre(a)ossman.eu>
> Date: Wed Dec 22 22:29:03 2010 +0100
>
> Add host access control support
>
> https://fedorahosted.org/sssd/ticket/746
>
> LS
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
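To make the fnmatch(3) suggestion from the thread concrete, here is an added example of what a wildcard-aware host check could look like. It is not sssd's sdap_access_host() nor any patch from the project: the function host_allowed(), its rule semantics (a leading '!' denies and wins over any allowing value, "*" alone keeps meaning "any host" because it is just a glob) and the sample attribute values are all assumptions made for this illustration.

```c
/* Added example (not sssd code): a wildcard-aware version of the host
 * check discussed in this thread, built on fnmatch(3) as suggested.
 * host_allowed(), its rule semantics and the sample data below are
 * assumptions made for this illustration. */
#include <fnmatch.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Decide whether `hostname` may log in given the values of a host
 * attribute. Each value is a shell-style glob (so "*" alone still means
 * "any host"); a value prefixed with '!' denies matching hosts and takes
 * precedence over any allowing value. fnmatch() is called with flags 0,
 * so the caller should normalise case before calling. */
bool host_allowed(const char *hostname, const char *const *values, size_t count)
{
    bool allowed = false;

    for (size_t i = 0; i < count; i++) {
        const char *pattern = values[i];
        bool deny = (pattern[0] == '!');

        if (deny) {
            pattern++;           /* skip the '!' and match the rest */
        }
        if (fnmatch(pattern, hostname, 0) == 0) {
            if (deny) {
                return false;    /* explicit deny wins immediately */
            }
            allowed = true;      /* keep scanning for a later deny */
        }
    }
    return allowed;
}

/* Constructed sample attribute values (not from any real directory). */
const char *const sample_values[] = {
    "*.sandbox.example.com",          /* every host in the sandbox */
    "!build-*.sandbox.example.com",   /* ... except the build machines */
    "admin01.example.com",            /* one exact hostname */
};
const size_t sample_count = sizeof(sample_values) / sizeof(sample_values[0]);

/* A single "*" value, the one glob sssd already honours today. */
const char *const any_host[] = { "*" };

int main(void)
{
    const char *tests[] = {
        "web01.sandbox.example.com",
        "build-03.sandbox.example.com",
        "admin01.example.com",
        "db01.example.com",
    };
    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        printf("%-32s %s\n", tests[i],
               host_allowed(tests[i], sample_values, sample_count) ? "allow" : "deny");
    }
    return 0;
}
```

The deny-wins rule means that the order of values in the directory does not matter, which is the property you want from an access-control list whose entries are maintained by several people; note that this keeps the exact-match behaviour of today's "*"-only check and only adds glob matching on top of it.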