On Fri, Oct 25, 2013 at 03:10:34PM +0100, Michael Gliwinski wrote:
> Hi all,
Hi Michael, sorry for the late reply, most of the team was busy
preparing the 1.11.2 release.
> I was just looking at various access control methods and reading through
> https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryAccessControl and
> various older threads on this list, and I got the impression that pam_access
> isn't recommended. Is that true?
Not strictly, but by using a different access mechanism than the one in SSSD
you lose one advantage, see below.
> In cases where you want to restrict access by group membership, what are the
> advantages of using SSSD's /access_provider = simple/ or
> /access_provider = ldap/ over pam_access?
>
> AFAICS, pam_access may actually make more sense as it works OK with local and
> domain groups, nested groups, can be used with different access restrictions
> for different services, and can be combined with SSSD's
> /access_provider = ldap/ + /ldap_access_order = expire/ to also handle
> expired/disabled accounts. Am I missing anything?
>
> Thanks,
> Michael
I would say the simple access provider is what it's called, it's simple :-)

One other advantage I see is that the PAM and NSS parts of SSSD are
tied together, so when the PAM responder is invoked, it calls the
initgroups() call to make sure user membership is updated. The simple
access provider then only acts on the user entry and groups that were
resolved by the SSSD, so there would be no conflicts between groups from
different sources. This is true for all access control providers in
SSSD, not just "simple".

BTW, the simple provider has no problem with nested groups either.
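As an added illustration that is not part of the thread, here is one policy ("only members of the domain group linux-admins may log in; expired or disabled accounts are refused") written both ways the thread compares: SSSD making the decision with its simple access provider, or pam_access making it while SSSD's LDAP access provider handles only the expiry check. The domain name example.com and the group name linux-admins are constructed; the option names are the standard sssd.conf and access.conf ones.

```ini
# Added example, not from the thread. Domain and group names are constructed.

# --- Variant A: SSSD decides ------------------------------------------
# /etc/sssd/sssd.conf
[domain/example.com]
id_provider = ldap
auth_provider = ldap
# "simple" evaluates only the groups SSSD itself resolved for the user;
# the PAM responder refreshes that membership (initgroups) before the
# check, which is the advantage described in the reply above.
access_provider = simple
simple_allow_groups = linux-admins
# A domain has exactly one access_provider, so to refuse expired or
# disabled accounts here you would switch to the LDAP access provider
# instead of "simple":
# access_provider = ldap
# ldap_access_order = expire
# ldap_account_expire_policy = shadow

# --- Variant B: pam_access decides, SSSD supplies identity + expiry ---
# /etc/sssd/sssd.conf  (same [domain/example.com] section)
# access_provider = ldap
# ldap_access_order = expire
# ldap_account_expire_policy = shadow
#
# /etc/security/access.conf, read by pam_access.so in the PAM stack.
# Format: permission : users/groups : origins.  Group names in round
# brackets are matched as groups only, never as user names.
+ : root : LOCAL
+ : (linux-admins) : ALL
- : ALL : ALL
```

In variant B the group match happens in pam_access, so a local group from /etc/group would match too, which is the "works with local and domain groups" point from the original question; in variant A only groups known to SSSD are considered.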