Hi Lukas and all,
Here is a little report of my investigations (concluding with a simple way that I found and that may meet my needs, using netgroups):
1. I see that illegal hostnames are accepted within the host attribute of hostObject in LDAP, but as you rightly said, characters such as '*' or '?' are not interpreted as jokers by sssd when configured to provide access over this attribute (aka ldap_access_order = host). The only exception is '*' alone, which matches any hostname for sssd.
2. When implementing nisNetgroup in LDAP it's even better: illegal hostnames are *not* accepted by LDAP in the first tuple field, so it is simply not possible to declare something like *.sandbox.* in a netgroup with the hope of using a matching rule for all hosts in your sandbox.
3. A solution:
Netgroups provide a simple way (as long as you don't use NIS domain names for something else :)
If I set the nisdomain to "sandbox" on my sandbox hosts, then the netgroup (,,sandbox) matches all these hosts and not the others.
With "account required pam_access.so" in pam.d/system-auth, I can then add something like this in /etc/access.conf:
+:@admin-users@@sandbox-hosts:
This rule will then allow "admin-users" to log on any host whose nisdomainname is "sandbox".
I have to think about it before deploying; I'm not sure yet this is the right thing to do, but at this stage I can tell that it works on a Red Hat 6.6 at least :)
Any views on that are welcome.
Best
--
Olivier
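As an added example (not part of Olivier's mail), here is a small Python emulation of innetgr(3)-style netgroup triple matching over a constructed netgroup map: it shows that the empty fields of (,,sandbox) act as wildcards checked against the host's NIS domain, while a host field such as *.sandbox.* is only ever compared literally. The map, hostnames, user names and the combined check are assumptions for the demo; pam_access's own parsing of the @...@@... syntax is not reproduced.

```python
# Added example, not Olivier's code: emulate innetgr(3)-style matching of
# (host, user, domain) netgroup triples. Fields are compared literally,
# never as globs, so "(,,sandbox)" selects hosts by NIS domain while a
# host field like "*.sandbox.*" matches only that exact string.

# Constructed netgroup map (in a real deployment it would come from LDAP
# nisNetgroup entries via sssd/nss). Each entry is either a
# (host, user, domain) triple, None meaning an empty/wildcard field,
# or a string naming a nested netgroup.
NETGROUPS = {
    "sandbox-hosts": [(None, None, "sandbox")],          # the (,,sandbox) triple
    "admin-users":   [(None, "alice", None), (None, "bob", None)],
    "glob-attempt":  [("*.sandbox.*", None, None)],       # looks like a glob, is not
    "all-admins":    ["admin-users", (None, "carol", None)],
}


def _field_matches(wanted, triple_value):
    """One triple field matches when either side is a wildcard or both are equal."""
    return wanted is None or triple_value is None or wanted == triple_value


def innetgr(netgroup, host=None, user=None, domain=None, _seen=None):
    """Return True if (host, user, domain) is a member of `netgroup`.

    A None argument means "don't care", as passing NULL to innetgr(3) does.
    Nested netgroups are followed; `_seen` guards against cycles.
    """
    if _seen is None:
        _seen = set()
    if netgroup in _seen:
        return False
    _seen.add(netgroup)
    for entry in NETGROUPS.get(netgroup, []):
        if isinstance(entry, str):  # nested netgroup name
            if innetgr(entry, host, user, domain, _seen):
                return True
            continue
        h, u, d = entry
        if _field_matches(host, h) and _field_matches(user, u) and _field_matches(domain, d):
            return True
    return False


def sandbox_admin_allowed(user, host, nisdomain):
    """Assumed combined check the mail is after: user in admin-users AND the
    host selected by its NIS domain through sandbox-hosts (not pam_access's parser)."""
    return innetgr("admin-users", user=user) and innetgr("sandbox-hosts", host=host, domain=nisdomain)
```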