Hi Folks,

Last week I deployed freeipa on a CentOS7 VM. The installation went very smoothly using:

    yum install ipa-server

and

    ipa-server-install


My issue is with connecting a CentOS 7 client. On my client, I yum installed ipa-client and ipa-admintools. I then ran "ipa-client-install" and answered the setup questions (very easy and smooth).

The "getent passwd" command didn't return any users, but the "getent passwd jdoe" does give the information for the user. I found in the archives that I can set "enumerate=True" so I get a complete user listing. That seems to be working, and I was able to login with the account "jdoe" (brilliant!).

Problem 1:
========

I created a user group on the ipa server  with the following attributes:

   name = xyx,  gid = 1000

I changed the user "jdoe" to have gid = 1000, but when I ssh into the ipa client, I get the following message after logging in:

/usr/bin/id: cannot find name for group ID 1000

A "getent group" command does list the group:     xyz:*:1000:

A "groups" command issued by the user shows:   xyz

files created by the user show the correct ownership and group.

Problem 2:
=======

I've been looking through the freeipa groups and literature and I can't figure out how to limit user login access to an ipa client by a memberOf group.

When I was using CentOS 6 and 7 I could use the nslcd.conf file to put in a group filter like:

passwd (&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu))


I tried changing the access_provider to simple and using the "simply_allow_groups = test", but that didn't work. However, using "access_provider = ipa" and "filter_users" did allow me to filter out a user from the "getent passwd" command.

I tried changing the access_provider to ldap and using the filter "ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu" but that failed too.


I'd appreciate any suggestions

Thanks,

- signed an "ipa newbie"
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
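Below, as an added example that is not part of the original post, is the access-control part of an sssd.conf domain section on the client, showing the filter from the post next to a corrected form and the two other ways of restricting login. The domain name abc.xyx.edu, the client hostname, the rule name and the location of IPA groups (cn=groups,cn=accounts under the directory suffix) are assumptions.

```ini
# Added example, not from the original post. Only the access-control lines of
# /etc/sssd/sssd.conf on the IPA client are shown; everything else stays as
# ipa-client-install generated it. Domain name and DNs below are assumptions.
[domain/abc.xyx.edu]
id_provider = ipa
enumerate = True

# Option A: the "simple" access provider. The option is spelled
# simple_allow_groups (the post has "simply_allow_groups", which sssd ignores).
# Once access_provider is "simple", users outside the listed groups are denied.
access_provider = simple
simple_allow_groups = test

# Option B: the LDAP filter the post tried, exactly as written. The part
# "cn=test=OU=Groups" has an '=' where a ',' belongs, so the DN never matches:
#   access_provider = ldap
#   ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu
#
# Corrected form. In a FreeIPA directory, groups live under
# cn=groups,cn=accounts,<suffix>; "OU=Groups" was the layout of the old
# nslcd/AD-style tree, not FreeIPA's:
#   access_provider = ldap
#   ldap_access_filter = (memberOf=cn=test,cn=groups,cn=accounts,dc=abc,dc=xyx,dc=edu)

# Option C: keep the IPA access provider (which enforces server-side HBAC
# rules) and define the group/host restriction centrally on the server.
# Run on the IPA server as admin; rule name and client hostname are assumed:
#   access_provider = ipa
#   ipa hbacrule-add allow_test_on_client
#   ipa hbacrule-add-user    allow_test_on_client --groups=test
#   ipa hbacrule-add-host    allow_test_on_client --hosts=client.abc.xyx.edu
#   ipa hbacrule-add-service allow_test_on_client --hbacsvcs=sshd
#   ipa hbacrule-disable allow_all      # otherwise the default rule lets everyone in
#   ipa hbactest --user=jdoe --host=client.abc.xyx.edu --service=sshd

# Whichever option is used, restart sssd and drop the cached entries so the
# new access decision is evaluated instead of the cached one:
#   systemctl restart sssd
#   sss_cache -E
```

Note that filter_users, which the post found, only hides users from NSS lookups such as "getent passwd"; it is not an access-control mechanism.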