Stephen,
That worked just great, thank you!
Best regards,
George Vasiliu
Security Admin
Hostopia, a Deluxe Company
E-Mail: gvasiliu(a)hostopia.com
Tel: 416-883-6785, Cell: 647-924-7257
Key ID: 0x2D0D7895
Key Server:
keys.gnupg.net
On 05/13/2014 04:21 PM, Stephen Gallagher wrote:
> On 05/13/2014 03:56 PM, George Vasiliu wrote:
>> Hi,
>> We're migrating from pam_ldap to sssd and so far everything works
>> as expected: ldapsearch, getent passwd <user>, getent group
>> <group>, tested offline caching, great product!
>> From a security perspective, nslcd ( CentOS 6) is not able to get
>> any users that are not part of certain allowed groups by having
>> "filter passwd LDAP_FILTER" in /etc/nslcd.conf. Is there any
>> similar functionality I could use with SSSD to prevent exposing
>> whole ldap tree? Do filter_groups or/and filter_users work with
>> ldap filters?
> Take a look at the sssd-ldap(5) manpage[1] and search on
> 'ldap_search_base'. It has an optional component that allows you to
> specify a filter limiting the lookups.
> In your specific case, you're probably looking for:
> ldap_user_search_base = ou=users,o=Example,dc=example,dc=com?subtree?(|(description=CN=prod,OU=groups,O=Example,DC=example,DC=com)(description=CN=sec,OU=groups,O=Example,DC=example,DC=com))
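As an added example (not part of the thread, and not SSSD's own code), a small Python check that parses the value syntax sssd-ldap(5) documents for ldap_search_base and ldap_user_search_base (base?scope?filter, with several triples chainable by further '?' separators) and reports whether every base actually carries a filter, so a bare DN that would expose the whole subtree is caught at config-review time.

```python
# Added example: parser for the sssd-ldap(5) search-base value syntax
#   search_base[?scope?[filter][?search_base?scope?[filter]]*]
# DNs and LDAP filters contain commas, '=' and parentheses but never '?',
# so splitting on '?' recovers the (base, scope, filter) triples.
from typing import List, NamedTuple

SCOPES = {"base", "onelevel", "subtree"}


class SearchBase(NamedTuple):
    base: str
    scope: str   # "subtree" when the value is only a DN
    filter: str  # "" means no filter: every entry under base is looked up


def parse_search_base(value: str) -> List[SearchBase]:
    """Parse one sssd search-base value into a SearchBase per base."""
    parts = value.strip().split("?")
    if len(parts) == 1:                      # plain DN, no scope or filter
        return [SearchBase(parts[0], "subtree", "")]
    if len(parts) % 3 != 0:
        raise ValueError(f"expected base?scope?filter triples, got {len(parts)} fields")
    result = []
    for i in range(0, len(parts), 3):
        base, scope, flt = (p.strip() for p in parts[i:i + 3])
        if not base:
            raise ValueError("empty search base")
        if scope not in SCOPES:
            raise ValueError(f"unknown scope {scope!r}")
        if flt and not (flt.startswith("(") and flt.endswith(")")
                        and flt.count("(") == flt.count(")")):
            raise ValueError(f"filter must be a parenthesised LDAP filter: {flt!r}")
        result.append(SearchBase(base, scope, flt))
    return result


def is_restricted(value: str) -> bool:
    """True only if every search base in the value carries a filter."""
    return all(sb.filter for sb in parse_search_base(value))


# Constructed from the value suggested in the thread.
PROD_OR_SEC = (
    "ou=users,o=Example,dc=example,dc=com?subtree?"
    "(|(description=CN=prod,OU=groups,O=Example,DC=example,DC=com)"
    "(description=CN=sec,OU=groups,O=Example,DC=example,DC=com))"
)

if __name__ == "__main__":
    for sb in parse_search_base(PROD_OR_SEC):
        print(sb)
    print("restricted:", is_restricted(PROD_OR_SEC))
```

The filter only narrows what this SSSD client asks the directory for; entries stay readable to any bind the server's own ACLs permit, so the server-side access controls still need to match.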