Hi everyone,

I was made aware on this list of "access_provider" and "ldap_access_order", which I did not know about (thank you again), and I'm now testing a couple of things.

I am trying to configure SSSD for host-based access control (enabling the behaviour of pam_check_host_attr), and the following works for me:

On the client side (hostname = gaia01.sandbox.example.fr), I added this to my sssd.conf:

access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host


I have added the objectClass hostObject to my users on the LDAP side, and I see that:

- if the host attribute is not set in LDAP for a user, then access to gaia01.sandbox.example.fr is refused
- if the host attribute is set for a user to gaia01.sandbox.example.fr, then access is granted for that user on gaia01.sandbox.example.fr
- if the host attribute is set for a user to '*', then access is granted for that user on gaia01.sandbox.example.fr
- if the host attribute is set to anything else, then access to gaia01.sandbox.example.fr is refused

-> so far so good, that's what I (almost) expected.

My problem now is that I would like to grant certain users access to all hosts in the sandbox space.

I tried setting the host attribute for a user to '*.sandbox.*' (I also tried '*sandbox*'), and I see that access to gaia01.sandbox.example.fr is refused.

My question is: are wildcards supported in the host attribute?

And the bonus question: if not, what would you recommend for tuning user authorisations in LDAP so that users can only log in to machines that contain a specific label in their hostname (or, why not, all hosts that are hosted in a specific network)?

Thanks,

--
Olivier
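The following is an added example, not code from the original post and not SSSD's own code. It models the decision SSSD takes for `ldap_access_order = host` as I read it in SSSD's sdap_access.c (the rules are an assumption stated in the docstring: a bare `*` allows every host, an exact case-insensitive hostname match allows, a `!hostname` value explicitly denies and a deny wins over any allow, and every other value is ignored). It runs the four observations from the post plus the two wildcard attempts through that model, and next to it through a hypothetical glob-matching variant, so the difference between what was observed and what was expected is visible. The second hostname `hermes02.sandbox.example.fr` is constructed for the example.

```python
"""Model of the decision SSSD makes for ldap_access_order = host.

Added example; it is not code from the original post or from SSSD. The
matching rules are my reading of SSSD's sdap_access.c (assumed here):
  - a value of "*" grants access on every host;
  - a value equal to the client's hostname (case-insensitive) grants access;
  - a value "!<hostname>" explicitly denies that host, and a deny wins over
    any allow found in the same attribute;
  - every other value is ignored, so glob patterns such as "*.sandbox.*"
    never match and a user carrying only such values is refused.
"""
from fnmatch import fnmatchcase

# Hostname of the client in the post (SSSD compares against gethostname()).
CLIENT = "gaia01.sandbox.example.fr"


def sssd_host_access(hostname, host_values):
    """Return True when the modelled SSSD check would grant access.

    host_values is the list of values of the user's LDAP 'host' attribute;
    an empty list stands for 'attribute not set'.
    """
    if not host_values:
        return False                      # no host attribute: refused
    allowed = False
    for value in host_values:
        if value.startswith("!") and value[1:].lower() == hostname.lower():
            return False                  # explicit deny trumps everything
        if value == "*" or value.lower() == hostname.lower():
            allowed = True                # keep looping: a later "!" may deny
    return allowed


def glob_host_access(hostname, host_values):
    """Hypothetical variant treating every value as a shell glob.

    SSSD does not do this (assumption, see module docstring); it is here only
    to make visible what '*.sandbox.*' would match if wildcards were supported.
    """
    if not host_values:
        return False
    allowed = False
    for value in host_values:
        pattern = value[1:] if value.startswith("!") else value
        if fnmatchcase(hostname.lower(), pattern.lower()):
            if value.startswith("!"):
                return False              # a matching deny pattern wins
            allowed = True
    return allowed


# Constructed cases: the four observations from the post, the two wildcard
# attempts, and an explicit-deny case the post does not mention.
CASES = [
    [],
    ["gaia01.sandbox.example.fr"],
    ["*"],
    ["hermes02.sandbox.example.fr"],       # constructed: some other host
    ["*.sandbox.*"],
    ["*sandbox*"],
    ["*", "!gaia01.sandbox.example.fr"],
]


def compare(hostname=CLIENT, cases=CASES):
    """Return (host_values, modelled_sssd_result, glob_result) per case."""
    return [(vals, sssd_host_access(hostname, vals), glob_host_access(hostname, vals))
            for vals in cases]


if __name__ == "__main__":
    for vals, sssd, glob in compare():
        print(f"{str(vals):45} sssd={sssd!s:5} glob={glob}")
```

One caveat worth checking on a real client: in my reading of the code the comparison is against whatever gethostname() returns, so the values stored in the host attribute have to match that string exactly (short name versus FQDN), which is consistent with the FQDN working in the post only because the client's hostname is set to the FQDN.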