Hi all,
I was just looking at various access control methods and reading through https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryAccessControl and various older threads on this list, and I got the impression that pam_access isn't recommended. Is that true?
In cases where you want to restrict access by group membership, what are the advantages of using SSSD's /access_provider = simple/ or /access_provider = ldap/ over pam_access?
AFAICS, pam_access may actually make more sense as it works OK with local and domain groups, nested groups, can be used with different access restrictions for different services, and can be combined with SSSD's /access_provider = ldap/ + /ldap_access_order = expire/ to also handle expired/disabled accounts.
Am I missing anything?
Thanks, Michael
On Fri, Oct 25, 2013 at 03:10:34PM +0100, Michael Gliwinski wrote:
> Hi all,
Hi Michael, sorry for the late reply, most of the team was busy preparing the 1.11.2 release.
> I was just looking at various access control methods and reading through https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryAccessControl and various older threads on this list, and I got the impression that pam_access isn't recommended. Is that true?
Not strictly, but by using a different access mechanism than the one in SSSD you lose one advantage, see below.
> In cases where you want to restrict access by group membership, what are the advantages of using SSSD's /access_provider = simple/ or /access_provider = ldap/ over pam_access?
> AFAICS, pam_access may actually make more sense as it works OK with local and domain groups, nested groups, can be used with different access restrictions for different services, and can be combined with SSSD's /access_provider = ldap/ + /ldap_access_order = expire/ to also handle expired/disabled accounts.
> Am I missing anything?
> Thanks, Michael
I would say the simple access provider is what it's called, it's simple :-)
One other advantage I see is that the PAM and NSS parts of SSSD are tied together, so when the PAM responder is invoked, it calls the initgroups() call to make sure user membership is updated. The simple access provider then only acts on the user entry and groups that were resolved by the SSSD, so there would be no conflicts between groups from different sources. This is true for all access control providers in SSSD, not just "simple".
btw the simple provider has no problem with nested groups either.
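For reference, here are the two approaches discussed in this thread side by side, as an added configuration example that is not part of either message and is not SSSD project documentation. The domain name `example.com`, the group name `sysadmins` and the base DN are placeholders; the option names (`access_provider`, `simple_allow_groups`, `ldap_access_order`, `ldap_access_filter`) are real SSSD options, and the `access.conf` and PAM stack syntax is the standard pam_access / pam_sss form. With the SSSD-side variants, the group check runs inside SSSD after the PAM responder has refreshed the user's memberships via initgroups(), which is the advantage Jakub describes above; with the pam_access variant the check is done by the PAM module against whatever NSS returns, and SSSD's `ldap_access_order = expire` is still used to catch expired or disabled accounts.

```ini
# /etc/sssd/sssd.conf  (placeholder domain; group name is an assumption)
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com

# Variant A: SSSD's simple access provider.
# Only members of "sysadmins" (nested membership included, as resolved by SSSD)
# may log in; everyone else is denied at the account phase.
access_provider = simple
simple_allow_groups = sysadmins

# Variant B (replace the two lines above): LDAP access provider that first
# rejects expired/disabled accounts and then applies a group filter.
# access_provider = ldap
# ldap_access_order = expire, filter
# ldap_access_filter = (memberOf=cn=sysadmins,ou=groups,dc=example,dc=com)

# Variant C (replace the two lines of variant A): let SSSD handle only
# account expiry and leave the group restriction to pam_access.
# access_provider = ldap
# ldap_access_order = expire

# /etc/security/access.conf  (used by variant C together with pam_access)
# Format: permission : users/groups : origins
# Allow the sysadmins group from anywhere, deny everybody else.
+ : (sysadmins) : ALL
- : ALL : ALL

# /etc/pam.d/sshd  (account phase for variant C; order matters: pam_access
# applies the group rule, pam_sss then enforces SSSD's expire check)
account  required  pam_access.so
account  [default=bad success=ok user_unknown=ignore]  pam_sss.so
```

A quick check after changing either side: `sssctl` is not available on SSSD 1.11, so on that version restart SSSD and then run `getent initgroups <user>` (or `id <user>`) to confirm the group set SSSD resolves matches what the rule expects, and test a login for one allowed and one denied account before removing any fallback access.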