Hi all, I'm jumping into using sssd-ad here at BU. I'm able to domain join a
CentOS7 and pull our AD entries successfully but am having troubles with ad_access_filter
to restrict access to a group.
Due to FERPA restrictions here, we can't query memberOf for random people via a
machine account, so things like:
ad_access_filter = (memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah)
won't work. I see from debug level 7 that this translates into a query like:
(&(sAMAccountName=nik)(objectclass=user)(memberOf=CN=group-of-admins,OU=Groups,OU=XYZ,DC=blah,DC=blah,DC=blah))
I've verified independently with ldapsearch that if I do this under the machine
account, I don't get anything back. Note that if this query was done in the context
of the user just logging in ("nik") then it would work since I have the privs to
see my own memberOf. But, I think (I guess) that the query is being done by SSSD-AD as
the machine account.
I've also played around with doing a filter like
"(&(objectCategory=group)(CN=group-of-admins))" which does actually return a
list of "member:" entries for an ldapsearch when using the machine account
privs. However, if I plug this into ad_access_filter, it's not allowing access I
think because of the (&sAMAccountName=…) being a query of a user object whereas the
group query is a group object and the filter isn't being satisfied. From looking at
the code I think it's not designed to handle being returned an object which has a list
of "member:" entries and looking for the user in that list. SMOP I guess :)
So, misc blathering aside, does anybody have any suggestions on how I should go about
restricting access to groups in cases where machine accounts aren't allowed access to
the memberOf information for users? Is there a way to get it via a group filter, or
should/could the memberOf query be done under the context and privs of the user accessing
it? (I guess that would have implications on caching though…)
Any ideas or suggestions which direction I should go with this? Thanks in advance.
Nik Conwell
Boston University
nik@bu.edu
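The approach the post sketches for the group-side lookup (query the group object, which the machine account is allowed to read, and look for the user in its "member:" values) can be prototyped outside SSSD. The script below is an added example for this thread; it is not SSSD code and not from the original post. It takes LDIF text shaped like "ldapsearch -LLL" output for a group object and decides whether a given user DN is a direct member. The LDIF sample, the DNs, and the function names are constructed for illustration; a real check would feed it the output of an ldapsearch bound as the machine account and the user's DN as resolved from the sAMAccountName lookup.

```python
"""Decide group membership from the group object's member: attribute.

Added illustration (not SSSD code): when a machine account may read a
group's "member" values but not a user's "memberOf", membership can be
evaluated from the group side.  Only direct membership is visible this
way; nested groups would need a recursive walk of each member group.
"""
import base64

# Constructed sample DN whose LDIF line is base64-encoded (non-ASCII value).
_UTF8_MEMBER_DN = "CN=Bürger,OU=Users,OU=XYZ,DC=blah,DC=blah,DC=blah"
_BASE64_MEMBER = base64.b64encode(_UTF8_MEMBER_DN.encode("utf-8")).decode("ascii")

# Constructed LDIF shaped like `ldapsearch -LLL` output for a group object.
# It exercises three LDIF features: plain values, a folded continuation
# line (leading space), and a base64 "::" value.
SAMPLE_GROUP_LDIF = (
    "dn: CN=group-of-admins,OU=Groups,OU=XYZ,DC=blah,DC=blah,DC=blah\n"
    "objectClass: group\n"
    "cn: group-of-admins\n"
    "member: CN=nik,OU=Users,OU=XYZ,DC=blah,DC=blah,DC=blah\n"
    "member: CN=Some Other Person,OU=Users,OU=XYZ,DC=blah,DC=blah,DC=b\n"
    " lah\n"
    f"member:: {_BASE64_MEMBER}\n"
)


def unfold_ldif(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_attribute(text, attr):
    """Return all values of `attr` (case-insensitive), decoding base64 values."""
    values = []
    for line in unfold_ldif(text):
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep or name.strip().lower() != attr.lower():
            continue
        if rest.startswith(":"):
            # "attr:: <base64>" form used for non-printable or non-ASCII values
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values


def normalize_dn(dn):
    """Canonicalize a DN for comparison: AD DNs are case-insensitive and
    may carry whitespace around RDN separators.  (Escaped commas inside
    RDN values are not handled; good enough for this illustration.)"""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def is_direct_member(group_ldif, user_dn):
    """True if `user_dn` appears among the group's member: values."""
    members = {normalize_dn(m) for m in parse_attribute(group_ldif, "member")}
    return normalize_dn(user_dn) in members


if __name__ == "__main__":
    for dn in ("CN=nik,OU=Users,OU=XYZ,DC=blah,DC=blah,DC=blah",
               "CN=stranger,OU=Users,OU=XYZ,DC=blah,DC=blah,DC=blah"):
        print(dn, "->", "allow" if is_direct_member(SAMPLE_GROUP_LDIF, dn) else "deny")
```

The comparison is done on the user's DN, not on sAMAccountName, so in practice the user object still has to be looked up first (the "(&(sAMAccountName=...)(objectclass=user))" part of the query the post mentions) to learn the DN before the group's member list can be consulted.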