On Fri, Nov 24, 2017 at 10:02:15AM +0000, Conwell, Nik wrote:
> Interesting, thanks. I had tried the simple provider but this didn't
> restrict access.
Did you look into the logs why it didn't? Did you use a group that showed
up in the group list of the "id" command?
> Since the docs noted that it didn't honor the "expired" attribute I
> didn't look into it any closer.
Yes, this is unfortunately true. We have a long-standing RFE to allow
"chaining" of the access providers, but it's not implemented yet.
> I'll try this again and look through debug logs to see where it broke
> down; potentially my groups aren't being resolved yet. Are you saying
> that the simple provider iterates group membership, which in turn
> SSSD-LDAP should be returning?
The simple access provider looks at the user entry itself and their groups
in the sssd cache - unlike the access filter, which is applied against the
entry in the LDAP server.
So yes, SSSD first resolves the groups during the initgroups operation
and then runs the simple access check on the result.
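As an added illustration (not part of the thread), here is an sssd.conf fragment contrasting the two approaches discussed: the simple provider, which checks cached group membership but not account expiry, and the LDAP access provider, which can combine a filter with an expiry check. The domain name, group name and base DN are assumed placeholders.

```ini
# Assumed domain name and group; replace with your own.
[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com

# Option A: simple access provider.
# Membership is evaluated against the groups SSSD resolved during
# initgroups, i.e. the ones listed by "id <user>" - if a group is missing
# there, the check cannot match it. Account expiry is NOT evaluated here.
access_provider = simple
simple_allow_groups = sysadmins

# Raise verbosity while testing to see the access decision in
# /var/log/sssd/sssd_example.com.log, then lower it again.
debug_level = 6

# Option B (alternative, comment out Option A): LDAP access provider.
# The filter is evaluated against the entry on the LDAP server, and
# "expire" adds the account-expiry check the simple provider lacks.
# Note the two providers cannot be chained in one domain.
#access_provider = ldap
#ldap_access_order = filter, expire
#ldap_access_filter = memberOf=cn=sysadmins,ou=groups,dc=example,dc=com
#ldap_account_expire_policy = shadow
```

After changing access_provider, restart sssd and clear the cache (sss_cache -E) so a stale allow/deny decision is not reused.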