Hi Lukas and all,

here is a little report of my investigations (concluding with a simple way that I found which may meet my needs, using netgroups):

1. I see that illegal hostnames are accepted within the host attribute of hostObject in LDAP, but as you rightly said, characters such as '*' or '?' are not interpreted as wildcards by sssd when it is configured to provide access control over this attribute (i.e. ldap_access_order = host). The only exception is '*' alone, which matches any hostname for sssd.

2. When implementing nisNetgroup in LDAP it's even better: illegal hostnames are *not* accepted by LDAP in the first tuple field, so it is simply not possible to declare something like *.sandbox.* in a netgroup in the hope of using a matching rule for all hosts in your sandbox.

3. A solution:

Netgroups provide a simple way (as long as you don't use NIS domain names for something else :)

If I set the nisdomain to "sandbox" on my sandbox hosts, then the netgroup (,,sandbox) matches all these hosts and not the others.

With "account     required      pam_access.so" in pam.d/system-auth,

I can then add something like this in /etc/access.conf:
+:@admin-users@@sandbox-hosts:

This rule will then allow "admin-users" to log on to any host whose nisdomainname is "sandbox".

I have to think about it before deploying; I'm not sure yet this is the right thing to do, but at this stage I can
tell that it works on Red Hat 6.6 at least :)

Any views on that are welcome.

Best

--
Olivier
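As an added illustration (not code from the thread, sssd or pam_access): a small model of innetgr(3)-style matching over LDAP nisNetgroupTriple values, showing why "(,,sandbox)" matches every host whose NIS domain is "sandbox" and nothing else, why a globbed host such as "*.sandbox.*" is rejected, and how memberNisNetgroup nesting resolves. The netgroup names, hostnames and triples are constructed sample data; the hostname rule is a simplified stand-in for the LDAP schema check.

```python
# Added example: simplified innetgr semantics over nisNetgroupTriple values.
# Sample netgroups below are constructed, not taken from any real directory.
import re

# A triple is "(host,user,domain)"; an empty field is a wildcard.
TRIPLE_RE = re.compile(r"^\(([^,)]*),([^,)]*),([^,)]*)\)$")
# Host field: empty, "-", or a plain hostname; '*' and '?' are not legal.
HOST_RE = re.compile(r"^(-|[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?)?$")

# netgroup name -> (nisNetgroupTriple values, memberNisNetgroup values)
SAMPLE_NETGROUPS = {
    "sandbox-hosts": (["(,,sandbox)"], []),
    "prod-hosts": (["(web1.example.com,,prod)", "(db1.example.com,,prod)"], []),
    "all-hosts": ([], ["sandbox-hosts", "prod-hosts"]),
    "admin-users": (["(,alice,)", "(,bob,)"], []),
}

def parse_triple(value):
    """Split a triple into (host, user, domain); reject illegal host fields."""
    m = TRIPLE_RE.match(value.strip())
    if not m:
        raise ValueError("malformed triple: %r" % value)
    host, user, domain = m.groups()
    if not HOST_RE.match(host):
        raise ValueError("illegal hostname in triple: %r" % host)
    return host, user, domain

def field_matches(pattern, candidate):
    """Empty pattern matches anything, '-' matches nothing, else exact match."""
    if pattern == "":
        return True
    if pattern == "-":
        return False
    return pattern == candidate

def innetgr(netgroups, name, host, user, domain, _seen=None):
    """True if (host, user, domain) is in netgroup 'name', following nesting."""
    if _seen is None:
        _seen = set()
    if name in _seen or name not in netgroups:   # unknown name or a cycle
        return False
    _seen.add(name)
    triples, members = netgroups[name]
    for triple in triples:
        h, u, d = parse_triple(triple)
        if all(field_matches(p, c) for p, c in ((h, host), (u, user), (d, domain))):
            return True
    return any(innetgr(netgroups, m, host, user, domain, _seen) for m in members)
```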

2015-05-05 18:44 GMT+02:00 Olivier <ldap@guillard.nom.fr>:
http://linux.die.net/man/3/fnmatch

Ah yes, I see: sounds like the right function indeed. To be honest
I'm not volunteering, but I promise I will look at it.

> Netgroups are not supported in ldap_user_authorized_host either.
> So it will not work.

If pam_access supports it (I think it does), it might work by adding something
like this: "account     required      pam_access.so"

in pam.d/system-auth

But doing that, I'll also need to remove "ldap_access_order = host" in
sssd.conf and outsource HBAC to pam_access.

I'll test and let you know.

Best,

--
Olivier

2015-05-05 18:22 GMT+02:00 Lukas Slebodnik <lslebodn@redhat.com>:
On (05/05/15 18:10), Olivier wrote:
>Thank you Lukas,
>
>> >My question is : are jokers supported in the host attribute ?
>>
>> Answer is no.
>>
>> Although it should not be difficult to implement it.
>> I would suggest to look into function sdap_access_host
>> in src/providers/ldap/sdap_access.c and function fnmatch
>> (or libpcre which is already used by sssd)
>
>I think it's in function 'sdap_access_host', in the tests after
>host = (char *)el->values[i].data;
>
>I'm not a C expert but may use this:
I thought you volunteered to implement it.
I didn't notice it's the sssd-users list.


>http://www.gnu.org/software/libc/manual/html_node/POSIX-Regexp-Compilation.html
>http://www.gnu.org/software/libc/manual/html_node/Matching-POSIX-Regexps.htm
>

I meant
http://linux.die.net/man/3/fnmatch
http://www.pcre.org/original/doc/html/index.html

>But the whole testing process would need to be reviewed to consider
>the whole host (except the potential starting '!' that would still need a
>specific process) as a regular expression: I suspect this is not as simple
>as that (for me at least).
>
>Maybe another way would be to use a NIS netgroup with pam_access and to add a
>HBAC
Netgroups are not supported in ldap_user_authorized_host either.
So it will not work.

Currently ldap_user_authorized_host is very simple.
It does exactly what is described in the man page.

If someone wants to use it for a different purpose then new features need to be
implemented. Patches are always welcome.

According to git the author of this feature is
  commit 3612c73e7957721bcbf31d0118e2ac210eb46b88
  Author: Pierre Ossman <pierre@ossman.eu>
  Date:   Wed Dec 22 22:29:03 2010 +0100

    Add host access control support

    https://fedorahosted.org/sssd/ticket/746


LS
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users