I think this is the best course of action.
btw does the user come from DOMAIN1 or DOMAIN2?
And do you need the local domain? It is really code that mostly has
meaning for testing or experiments; I have never seen anyone using it in
production.
Thank you
root@server yum.repos.d # rpm -qa | egrep sssd
sssd-common-pac-1.13.4-4.el6.x86_64
sssd-ldap-1.13.4-4.el6.x86_64
sssd-tools-1.13.4-4.el6.x86_64
sssd-client-1.13.4-4.el6.x86_64
sssd-ad-1.13.4-4.el6.x86_64
python-sssdconfig-1.13.4-4.el6.noarch
sssd-common-1.13.4-4.el6.x86_64
sssd-ipa-1.13.4-4.el6.x86_64
sssd-proxy-1.13.4-4.el6.x86_64
sssd-krb5-common-1.13.4-4.el6.x86_64
sssd-krb5-1.13.4-4.el6.x86_64
sssd-1.13.4-4.el6.x86_64
root@server sssd # vim /etc/sssd/sssd.conf # set debug = 9
root@server sssd # sudo -U abc -l
User abc is not allowed to run sudo on server.
root@server sssd # egrep sudo /etc/nsswitch.conf
sudoers: sss
root@server sssd # ip a s dev eth0 | egrep global
inet 216.X.Y.Z/26 brd 216.X.Y.Z scope global eth0
root@server sssd # id abc
uid=100001044(abc) gid=1009(...)
groups=1202(...),1168(...),1191(...),1102(...),1009(...),1101(...),1127(...),1167(...),1111(...),1178(...),1109(...),1199(...),1208(stage),1117(...),1198(...),1192(...),1206(...),1176(...),1404(...),1183(...),1103(...),1110(...),1205
root@abc sssd # sudo -U abc -l
Matching Defaults entries for abc on this host:
[...]
User abc may run the following commands on this host:
    (ALL) PASSWD: ALL
# LDAP Sudo def
dn: cn=stage,ou=sudoers,o=Domain,dc=domain,dc=com
sudoOrder: 42
[...]
sudoUser: %stage
sudoRunAs: ALL
cn: stage
description: Allow Trusted Senior stuff become root
sudoCommand: ALL
sudoHost: 216.X.Y.Z
[...]
objectClass: top
objectClass: sudoRole
sudoOption: authenticate
# Group def
dn: cn=stage,ou=groups,o=Domain,dc=domain,dc=com
gidNumber: 1208
cn: stage
description: stage Group
objectClass: posixGroup
objectClass: top
memberUid: abc
hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com
Sanitized sssd.conf:
[sssd]
config_file_version = 2
sbus_timeout = 30
services = nss, pam, sudo, ssh
domains = LOCAL, DOMAIN1, DOMAIN2
[nss]
filter_users =
adm,apache,avahi,bin,daemon,dbus,ecryptfs,ftp,git,games,gopher,haldaemon,halt,hfallback,ldap,lp,mail,mailnull,named,news,nfsnobody,nobody,nscd,nslcd,ntp,operator,oprofile,ossec,postfix,puppet,puppet-dashboard,pulse,pulse-access,radiusd,root,rpc,rpcuser,rtkit,saslauth,sfallback,shutdown,slocate,smmsp,sshd,sync,tcpdump,tss,uucp,vcsa
filter_groups =
adm,apache,audio,bin,cdrom,cgred,daemon,dbus,dialout,dip,disk,ecryptfs,floppy,fuse,git,hfallback,kmem,ldap,lock,lp,mail,mailnull,man,mem,nfsnobody,nobody,nscd,ntp,ossec,oprofile,postdrop,postfix,puppet,puppet-dashboard,pulse,pulse-access,root,rpc,rpcuser,rtkit,saslauth,sfallback,slocate,smmsp,sshd,sys,tape,tcpdump,tss,tty,users,utempter,utmp,vcsa,video
override_shell = /bin/bash
[pam]
debug_level = 3
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
pam_verbosity = 1
pam_pwd_expiration_warning = 21
pam_account_expired_message = Account expired, please use selfservice portal
to change your password and extend account.
[sudo]
# NOTE(review): level 9 is a troubleshooting setting; lower it again once the
# sudo lookup issue is resolved, as verbose logs grow quickly and can echo
# directory entry contents.
debug_level=9
[ssh]
# debug_level=9
[domain/LOCAL]
description = LOCAL Users domain
id_provider = local
enumerate = true
min_id = 500
max_id = 999
default_shell = /bin/bash
base_directory = /home
create_homedir = false
remove_homedir = true
homedir_umask = 077
skel_dir = /etc/skel
mail_dir = /var/spool/mail
######### SECTION: DOMAIN1
[domain/DOMAIN1]
min_id = 499
# NOTE(review): same troubleshooting level as [sudo]; reduce after debugging.
debug_level = 9
cache_credentials = True
entry_cache_timeout = 864000
auth_provider = ldap
id_provider = ldap
access_provider = ldap
#chpass_provider = ldap
sudo_provider = ldap
selinux_provider = none
autofs_provider = none
# LDAP Search
ldap_search_base = dc=domain,dc=com
ldap_group_search_base = ou=groups,o=Domain,dc=domain,dc=com
ldap_user_search_base =
ou=users,o=Domain,dc=domain,dc=com?subtree?(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)(.....)(.....))
# LDAP Custom Schema
ldap_group_member = hMemberDN
ldap_user_member_of = description
# this should really be rfc2307
ldap_schema = rfc2307bis
ldap_network_timeout = 3
ldap_id_use_start_tls = False
# NOTE(review): the URIs below are ldaps://, but "never" skips validation of the
# server certificate, so the bind DN/authtok and all directory traffic are
# exposed to an on-path attacker. Prefer the default ("demand"/"hard") with the
# issuing CA placed in ldap_tls_cacertdir.
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_uri =
ldaps://s1.sec.domain.com,
ldaps://s2.sec.domain.com,
ldaps://s3.sec.domain.com
ldap_backup_uri = ldaps://66.X.Y.Z
# NOTE(review): an obfuscated authtok is reversible, not encrypted; it only
# protects against shoulder-surfing. Keep this file readable by root only.
ldap_default_authtok_type = obfuscated_password
ldap_default_bind_dn = uid=MYDN
ldap_default_authtok = MYPASS
ldap_user_ssh_public_key = sshPublicKey
ldap_pwd_policy = none
ldap_account_expire_policy = shadow
ldap_user_shadow_expire = shadowExpire
# shadowExpire: days since Jan 1, 1970 that account is disabled: $ echo
$(($(date --utc --date "$1" +%s)/86400))
ldap_chpass_update_last_change = false
ldap_access_order = filter, expire
# Access is granted only to posixAccount entries with a uidNumber, the
# hAccountInitialSetup=1 flag and a description referencing the stage group.
ldap_access_filter =
(&(objectClass=posixAccount)(uidNumber=*)(hAccountInitialSetup=1)(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)))
# SUDO
ldap_sudo_search_base = ou=sudoers,o=Domain,dc=domain,dc=com
ldap_sudo_full_refresh_interval = 86400
ldap_sudo_smart_refresh_interval = 3600
#entry_cache_sudo_timeout = 5400
DOMAIN2 uses the same options, except for the filters and the user/group search bases.
hMemberDN is defined in nis.schema; it is a relic of OpenLDAP 2.2, a workaround
applied before the transition to 2.4.40.
# Modification to posixGroup
attributetype ( 1.3.6.1.1.1.1.28 NAME 'hMemberDN'
DESC 'RFC2256: member of a group'
SUP distinguishedName )
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
DESC 'Abstraction of a group of accounts'
SUP top STRUCTURAL
MUST ( cn $ gidNumber )
MAY ( userPassword $ memberUid $ hMemberDN $ description ) )
hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com