Hi everyone,
I have been made aware on this list of "access_provider" and
"ldap_access_order", which I was unaware of (thank you again), and I'm now
testing a couple of things.
I am trying to configure SSSD for host-based access control (enabling the
behaviour of pam_check_host_attr) and the following works for me:
On the client side (hostname = gaia01.sandbox.example.fr), I added this to
my sssd.conf:
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
I have added the objectclass hostObject to my users on the LDAP side and I
see that:
- if attribute host is not set in LDAP for a user, then access to
gaia01.sandbox.example.fr is refused
- if attribute host is set for a user to gaia01.sandbox.example.fr, then
access is granted for that user on gaia01.sandbox.example.fr
- if attribute host is set for a user to '*', then access is granted for
that user on gaia01.sandbox.example.fr
- if attribute host is set to anything else, then access to
gaia01.sandbox.example.fr is refused
-> so far so good, that's what I (almost) expected.
My problem now is that I would like to grant access to certain users to
all hosts in the sandbox space.
I tried to set attribute host for a user to '*.sandbox.*' (I also tried
'*sandbox*') and I see that access to gaia01.sandbox.example.fr is refused.
My question is: are wildcards supported in the host attribute?
And the bonus question: if not, what would you recommend to tune user
authorisations in LDAP so that they can only log in to all machines that
contain a specific label in their hostname (or why not all hosts that are
hosted in a specific network)?
Thanks,
--
Olivier
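As an added example (not part of Olivier's message), a constructed LDIF that adds the hostObject objectclass and explicit host values to a user entry, matching the exact-hostname behaviour the post describes; the DN and uid are assumptions.

```ldif
# Constructed example: add hostObject and explicit host values to a user.
# The DN and uid are placeholders; adjust them to your directory layout.
dn: uid=jdoe,ou=people,dc=sandbox,dc=example,dc=fr
changetype: modify
add: objectClass
objectClass: hostObject
-
add: host
host: gaia01.sandbox.example.fr
host: gaia02.sandbox.example.fr
```

Apply it with ldapmodify and confirm with ldapsearch that the host values are present on the entry; with ldap_access_order = host, a user whose entry carries no host value is refused, as the post observed.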