On (05/05/15 16:44), Olivier wrote:
> Hi everyone,
> I have been made aware on this list of "access_provider" and
> "ldap_access_order", which I had ignored (thank you again), and I'm now testing
> a couple of things.
> I am trying to configure SSSD for host-based access control (enabling the
> behaviour of pam_check_host_attr) and the following works for me:
> On the client side (hostname = gaia01.sandbox.example.fr), I added this to
> my sssd.conf:
> access_provider = ldap
> ldap_access_order = host
> ldap_user_authorized_host = host
> I have added the objectclass hostObject to my users on the LDAP side and I
> see that:
> - if attribute host is not set in LDAP for a user, then access to
> gaia01.sandbox.example.fr is refused
> - if attribute host is set for a user to gaia01.sandbox.example.fr, then
> access is granted for that user on gaia01.sandbox.example.fr
> - if attribute host is set for a user to '*', then access is granted for
> that user on gaia01.sandbox.example.fr
> - if attribute host is set to anything else, then access to
> gaia01.sandbox.example.fr is refused
> -> so far so good, that's what I (almost) expected.
> My problem now is that I would like to grant access to certain users to
> all hosts in the sandbox space.
> I tried to set attribute host for a user to '*.sandbox.*' (I also tried
> '*sandbox*') and I see that access to gaia01.sandbox.example.fr is refused
  ^^^^^^^^^^
Wildcards/regex in this form are not supported with ldap_user_authorized_host.
It is already written in the man page.
@see man sssd-ldap -> ldap_user_authorized_host
> My question is: are jokers supported in the host attribute?
Answer is no.
Although it should not be difficult to implement it.
I would suggest looking into the function sdap_access_host
in src/providers/ldap/sdap_access.c and the function fnmatch
(or libpcre, which is already used by sssd).
> And the bonus question: if not, what would you recommend to tune user
> authorisations in LDAP so that they can only log in to all machines that
> contain a specific label in their hostname (or why not all hosts that are
> hosted in a specific network)?
Currently you can have more host attributes in the LDAP entry (not flexible),
or better/recommended is to use HBAC (host-based access control) with IPA.
Unfortunately, HBAC can be used just with the IPA provider and not with ldap.
LS
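As an added illustration (not sssd's code and not from this thread), the following Python model reproduces the host-attribute decisions Olivier observed (unset -> deny, exact hostname or '*' -> allow, anything else -> deny) and, behind an `allow_patterns` switch, the fnmatch-style matching LS suggests could be added to sdap_access_host. The function names, the sample users and their host values are constructed for this example.

```python
import fnmatch

# Hostname of the machine a user is trying to log in to (from the thread).
CLIENT_HOST = "gaia01.sandbox.example.fr"

def host_allowed(hostname, host_values, allow_patterns=False):
    """Model of the `host` attribute check.

    host_values: the user's LDAP `host` attribute values. It is a
    multi-valued attribute, so pass a list; an empty list means unset.
    allow_patterns=False reproduces the current behaviour reported in
    the thread (exact match or '*' only). allow_patterns=True is the
    hypothetical extension using fnmatch(3)-style globbing.
    """
    if not host_values:
        return False  # attribute absent -> access refused
    host = hostname.strip().lower()
    for value in host_values:
        value = value.strip().lower()
        if value == "*" or value == host:
            return True  # '*' or exact hostname -> access granted
        if allow_patterns and fnmatch.fnmatchcase(host, value):
            return True  # e.g. '*.sandbox.*' matches gaia01.sandbox.example.fr
    return False  # anything else -> access refused

# Constructed sample directory: user -> host attribute values.
SAMPLE_USERS = {
    "alice": [CLIENT_HOST],           # exact hostname
    "bob":   ["*"],                   # any host
    "carol": ["*.sandbox.*"],         # wildcard (only works with patterns)
    "dave":  ["other.example.fr"],    # some other host
    "erin":  [],                      # attribute unset
}

def users_allowed_on(hostname, users=SAMPLE_USERS, allow_patterns=False):
    """Return the sorted list of users that may log in to `hostname`."""
    return sorted(u for u, hosts in users.items()
                  if host_allowed(hostname, hosts, allow_patterns))

if __name__ == "__main__":
    print("current semantics :", users_allowed_on(CLIENT_HOST))
    print("with fnmatch      :", users_allowed_on(CLIENT_HOST, allow_patterns=True))
```

Running it shows carol is refused under the current semantics and granted only once globbing is enabled, which is exactly the gap the thread describes.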