That's doing what I need! Thank you.
On Fri, Aug 29, 2014 at 9:57 AM, Kyle Flavin <kyle.fla...@gmail.com> wrote:
> Hi Jakub,
> I'll give that a try shortly, and update with the result.
>
>
> On Fri, Aug 29, 2014 at 9:43 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
>
>> On 29 Aug 2014, at 18:33, Kyle Flavin <kyle.fla...@gmail.com> wrote:
>>
>> > I'm doing some testing to integrate FreeIPA into my environment. I need to set up two domains in sssd.conf; one is my fresh install of IPA, and the other is our legacy LDAP environment.
>> >
>> > I want to use IPA for ssh logins to servers. I want to be able to grant/deny SSH access through IPA. However, I still need the legacy LDAP connected to ensure our servers still see the same file level permissions in their content directories.
>> >
>> > I added two domains to SSSD (config below), and it works fine as far as seeing all accounts and groups. My problem is, SSSD is now allowing SSH access from both IPA and from LDAP. I don't want users in our legacy LDAP environment to be able to log in to servers. Is there a way to say "allow SSH from this domain", and "disallow SSH from this other domain"?
>>
>> Can you try auth_provider=none in the domain that is not supposed to authenticate?
>>
>> > Sanitized version of my sssd.conf:
>> >
>> > [domain/newipa.com]
>> > cache_credentials = True
>> > krb5_store_password_if_offline = True
>> > ipa_domain = newipa.com
>> > id_provider = ipa
>> > auth_provider = ipa
>> > access_provider = ipa
>> > ipa_hostname = client.newipa.com
>> > chpass_provider = ipa
>> > ipa_server = _srv_, ipaserver.newipa.com
>> > ldap_tls_cacert = /etc/ipa/ca.crt
>> >
>> > [domain/oldldap.com]
>> > #legacy LDAP
>> > ldap_id_use_start_tls = True
>> > cache_credentials = True
>> > ldap_search_base = dc=oldldap,dc=com
>> > id_provider = ldap
>> > auth_provider = ldap
>> > chpass_provider = ldap
>> > ldap_uri = ldap://ldapserver.oldldap.com
>> > #ldap_tls_cacertdir = /etc/openldap/cacerts
>> > ldap_tls_reqcert = never
>> >
>> > [sssd]
>> > services = nss, pam, ssh
>> > config_file_version = 2
>> > domains = newipa.com, oldldap.com
>> >
>> > Thanks.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
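The change Jakub suggests, applied to the sanitized configuration from the thread. This is an added example, not a file posted by anyone in the thread: the host names, search base and CA directory are the placeholders from Kyle's sanitized sssd.conf, and the `access_provider = deny`, `chpass_provider = none` and `ldap_tls_reqcert = demand` settings go beyond the one-line suggestion in the reply (they are documented sssd.conf(5) values, added here as the hardening a practitioner would pair with it).

```ini
# Added example, not a configuration from the thread. Host names and the
# search base are the placeholders from Kyle's sanitized sssd.conf.

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = newipa.com, oldldap.com

# IPA domain: unchanged. It keeps authenticating, and access_provider = ipa
# lets IPA HBAC rules decide which users may log in over SSH.
[domain/newipa.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = newipa.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.newipa.com
chpass_provider = ipa
ipa_server = _srv_, ipaserver.newipa.com
ldap_tls_cacert = /etc/ipa/ca.crt

# Legacy LDAP domain: still resolves users and groups, so file ownership on
# the content directories keeps working, but can no longer satisfy a PAM
# authentication request. That is the behaviour the thread was after.
[domain/oldldap.com]
id_provider = ldap
auth_provider = none
# With authentication off, password changes through this domain make no
# sense either, so disallow them explicitly.
chpass_provider = none
# Added beyond the thread's suggestion: refuse the account-management check
# as well, so the denial does not rest on the auth step alone.
access_provider = deny
# Nothing to cache once this domain no longer authenticates.
cache_credentials = False
ldap_uri = ldap://ldapserver.oldldap.com
ldap_search_base = dc=oldldap,dc=com
ldap_id_use_start_tls = True
# The original had ldap_tls_reqcert = never, which accepts any server
# certificate. Identity data (UIDs, GIDs, group membership) comes from this
# server, so verify it against the CA directory that was commented out.
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
```

After restarting sssd, a user from oldldap.com should still resolve with `getent passwd <user>` (so ownership of files in the content directories is unchanged), while an SSH login as that user fails at the PAM stage; the IPA users continue to be governed by the HBAC rules in IPA.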