I wish the control to be external to the system. It allows us to group people by
dept/courses/etc and add them to systems when desired, rather than having to change SSSD
periodically. So management within AD is preferable.
I did sort of figure that PAM was going to be the local user control but wasn't sure
if SSSD could handle that as well. Thanks!
Also, thank you Personne, that looks like what I need to do.
-----Original Message-----
From: patrick.hush(a)comcast.net <patrick.hush(a)comcast.net>
Sent: 10 June 2020 16:24
To: End-user discussions about the System Security Services Daemon
<sssd-users(a)lists.fedorahosted.org>; Sangster, Mark
<m.v.sangster(a)abdn.ac.uk>
Subject: Re: [SSSD-users] Access Filters
Rather than filtering off a single group, why not use the simple_allow_groups key value?
This will allow multiple groups to access the system should the need ever arise.
For the local users, that is outside sssd for the most part, look at your pam configs and
nsswitch.
On June 10, 2020 at 5:42 AM "Sangster, Mark"
<m.v.sangster(a)abdn.ac.uk> wrote:
Hello,
I was attempting to utilise the AD provider for access control, however I cannot make it
work with members of nested groups. i.e. when using the LDAP_MATCHING_RULE_IN_CHAIN.
This functions:
access_provider = ldap
ldap_sasl_authid = SERVER$@DOMAIN
ldap_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=ServerGroup,OU=Groups,DC=DOMAIN)
This doesn’t:
access_provider = ad
ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=ServerGroup,OU=Groups,DC=DOMAIN)
Have I missed anything?
It would also be useful if it is possible to allow local users access alongside the
remote users. e.g. allow both “domain_account” and “local_account” access. Is that
possible?
Thanks
Mark
----------------------------------------------------------------------
--
Mark Sangster
Server Infrastructure Specialist
Information Technology Services | University of Aberdeen
t: +44 (0)1224 27-3315 | e: mailto:mark@abdn.ac.uk | u:
http://www.abdn.ac.uk/it/
The University of Aberdeen is a charity registered in Scotland, No SC013683.
Tha Oilthigh Obar Dheathain na charthannas clàraichte ann an Alba, Àir. SC013683.
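
Added example, not part of the thread and not SSSD project code: a small Python check that reads an sssd.conf and reports, per domain, which access provider is in effect and which of the access-control keys mentioned above are set but not read by that provider. It assumes the documented behaviour that each key is consulted only by its matching access_provider and that an unset access_provider means permit; the sample config and the group name CourseGroup are constructed.

```python
import configparser

# Access-control keys from the thread and the access_provider that reads each one
KEY_PROVIDER = {
    "ldap_access_filter": "ldap",
    "ad_access_filter": "ad",
    "simple_allow_groups": "simple",
}

# Constructed sample: DOMAIN and ServerGroup are the thread's placeholders,
# CourseGroup is a made-up second group.
SAMPLE = """
[sssd]
domains = DOMAIN

[domain/DOMAIN]
id_provider = ad
access_provider = simple
ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=ServerGroup,OU=Groups,DC=DOMAIN)
simple_allow_groups = ServerGroup, CourseGroup
"""


def audit(conf_text):
    """Return {section: findings} for every [domain/...] section in conf_text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        # Assumption: an unset access_provider means "permit" (always allow)
        provider = opts.get("access_provider", "permit").strip().lower()
        # Keys that are present but belong to a different access provider
        ignored = sorted(k for k, p in KEY_PROVIDER.items()
                         if k in opts and p != provider)
        groups = []
        if provider == "simple":
            raw = opts.get("simple_allow_groups", "")
            groups = [g.strip() for g in raw.split(",") if g.strip()]
        report[section] = {"access_provider": provider, "ignored_keys": ignored,
                           "allowed_groups": groups, "open_to_all": provider == "permit"}
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings)
```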