Re: [SSSD-users] How to restrict users by GID
We did some testing on these and while for some reason I botched the syntax for the filter, we finally got both solutions to work. It should be noted that the component between the question marks, in this case "?one?", can take on any one of four values: base|one|sub|children. In our case we had to use sub or remove that component from the filter to get this to work, as our groups of users are actually each in their own OUs. Thanks to all that replied.

-----Original Message-----
From: sssd-users-boun...@lists.fedorahosted.org [mailto:sssd-users-boun...@lists.fedorahosted.org] On Behalf Of Stephen Gallagher
Sent: Friday, April 12, 2013 8:46 AM
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] How to restrict users by GID

On 04/12/2013 08:26 AM, Licause, Al (BCS) wrote:
> The following entry into an ldap.conf file on a RHEL V5 system provides for the ability to limit users based on their GID values:
>
> nss_base_passwd OU=ldap,DC=mydomain,DC=net?one?|(gidNumber=11001)(gidNumber=11003)
>
> Only those users with GIDs of 11001 or 11003 can log in. All others are prohibited.
>
> I've tried the same filter in sssd.conf on a v6 RHEL system but can't seem to get it to work. It doesn't cause any syntax errors but it is ignored.
>
> I've also tried placing an "=" sign after the nss_base_passwd string and quoting everything after the "=" sign... to no avail.
>
> Can anyone explain the sssd syntax for accomplishing this task?

There are two ways to accomplish what you're asking, depending on what you really mean:

The way that behaved in nss_ldap was that only users whose primaryGID was either 11001 or 11003 would be *visible* to the system. That means that any other user would not appear with 'getent passwd username' if they didn't have the right primary GID.

This can be done in sssd with the ldap_user_search_base option:

ldap_user_search_base = OU=ldap,DC=mydomain,DC=net?one?(|(gidNumber=11001)(gidNumber=11003))

However, if you want all users to be viewable with 'getent passwd username' but only some users able to log in, you want to do this instead:

ldap_user_search_base = OU=ldap,DC=mydomain,DC=net?one?
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (|(gidNumber=11001)(gidNumber=11003))

This will allow the system to "see" all users, but only permit those with that primary GID to actually log in.

___
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Re: [SSSD-users] How to restrict users by GID
On 04/12/2013 08:26 AM, Licause, Al (BCS) wrote:
> The following entry into an ldap.conf file on a RHEL V5 system provides for the ability to limit users based on their GID values:
>
> nss_base_passwd OU=ldap,DC=mydomain,DC=net?one?|(gidNumber=11001)(gidNumber=11003)
>
> Only those users with GIDs of 11001 or 11003 can log in. All others are prohibited.
>
> I've tried the same filter in sssd.conf on a v6 RHEL system but can't seem to get it to work. It doesn't cause any syntax errors but it is ignored.
>
> I've also tried placing an "=" sign after the nss_base_passwd string and quoting everything after the "=" sign... to no avail.
>
> Can anyone explain the sssd syntax for accomplishing this task?

There are two ways to accomplish what you're asking, depending on what you really mean:

The way that behaved in nss_ldap was that only users whose primaryGID was either 11001 or 11003 would be *visible* to the system. That means that any other user would not appear with 'getent passwd username' if they didn't have the right primary GID.

This can be done in sssd with the ldap_user_search_base option:

ldap_user_search_base = OU=ldap,DC=mydomain,DC=net?one?(|(gidNumber=11001)(gidNumber=11003))

However, if you want all users to be viewable with 'getent passwd username' but only some users able to log in, you want to do this instead:

ldap_user_search_base = OU=ldap,DC=mydomain,DC=net?one?
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (|(gidNumber=11001)(gidNumber=11003))

This will allow the system to "see" all users, but only permit those with that primary GID to actually log in.
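Added example (not code from this thread and not part of sssd): a small Python checker for the base?scope?filter search-base syntax used in the answers above, plus a classifier that tells the two approaches apart: a filter inside ldap_user_search_base hides non-matching users from the host entirely, while ldap_access_filter leaves every user resolvable and only gates login. It rejects the nss_ldap-style filter without outer parentheses and unknown scope words. The accepted scope spellings (base|one|sub|children from Al's reply, plus onelevel/subtree), the treatment of a bare DN as scope sub, the ldaps://ldap.mydomain.net URI and the two sssd.conf fragments are all assumptions constructed for the example; check the installed sssd-ldap(5) for what your version accepts.

```python
"""Checker for sssd's base?scope?filter search-base syntax and a classifier
for the two GID-restriction approaches in the thread.

Added example, not sssd code.  Scope spellings, the bare-DN default of 'sub',
the ldaps URI and the sssd.conf fragments are assumptions for this example.
"""
import configparser

# Scope words accepted here: the four from the thread plus the long forms
# sssd-ldap(5) lists.  Assumption; verify against your sssd version.
SCOPES = ("base", "one", "onelevel", "sub", "subtree", "children")


def check_filter(flt):
    """Return flt if it is a parenthesised, balanced LDAP filter, else raise.

    The nss_ldap value '|(gidNumber=11001)(gidNumber=11003)' has no outer
    parentheses; sssd wants '(|(gidNumber=11001)(gidNumber=11003))'.
    """
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("LDAP filter must be wrapped in parentheses: %r" % flt)
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0:
        raise ValueError("unbalanced parentheses in filter: %r" % flt)
    return flt


def parse_search_base(value):
    """Split a search-base value into (base, scope, filter) triples.

    sssd-ldap(5) gives search_base[?scope?[filter][?search_base?scope?[filter]]*],
    so the value is split on '?' and consumed three fields at a time.  A plain
    DN is one triple with scope None (sssd's default, assumed 'sub' here).
    """
    fields = value.strip().split("?")
    if len(fields) == 1:
        return [(fields[0], None, None)]
    if len(fields) % 3:
        raise ValueError("expected base?scope?filter triples in %r" % value)
    triples = []
    for i in range(0, len(fields), 3):
        base, scope, flt = fields[i], fields[i + 1], fields[i + 2]
        if scope not in SCOPES:
            raise ValueError("scope must be one of %s, got %r"
                             % ("|".join(SCOPES), scope))
        triples.append((base, scope, check_filter(flt) if flt else None))
    return triples


def gid_filter(gids):
    """Build the LDAP filter matching any of the given primary GIDs."""
    terms = "".join("(gidNumber=%d)" % g for g in gids)
    return terms if len(gids) == 1 else "(|%s)" % terms


def classify(conf_text):
    """Return (mode, parsed search base, access filter or None) for the first
    [domain/...] section: 'visibility' when the filter is in the search base
    (non-matching users vanish from getent), 'access' when ldap_access_filter
    gates login only, else 'both' or 'none'."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    sec = cp[next(s for s in cp.sections() if s.startswith("domain/"))]
    base = parse_search_base(sec.get("ldap_user_search_base", fallback=""))
    by_base = any(f for _, _, f in base)
    access = None
    # ldap_access_order defaults to 'filter' when access_provider = ldap.
    if (sec.get("access_provider") == "ldap"
            and "filter" in sec.get("ldap_access_order", fallback="filter")
            and "ldap_access_filter" in sec):
        access = check_filter(sec["ldap_access_filter"])
    mode = {(True, True): "both", (True, False): "visibility",
            (False, True): "access", (False, False): "none"}
    return mode[(by_base, access is not None)], base, access


# Constructed sssd.conf fragments for the two approaches.  Scope is 'sub'
# because, as the original poster found, the users live in per-group OUs
# below the search base rather than directly in it.
VISIBILITY_CONF = """
[sssd]
domains = mydomain.net
services = nss, pam

[domain/mydomain.net]
id_provider = ldap
ldap_uri = ldaps://ldap.mydomain.net
ldap_user_search_base = OU=ldap,DC=mydomain,DC=net?sub?%s
""" % gid_filter([11001, 11003])

ACCESS_CONF = """
[sssd]
domains = mydomain.net
services = nss, pam

[domain/mydomain.net]
id_provider = ldap
ldap_uri = ldaps://ldap.mydomain.net
ldap_user_search_base = OU=ldap,DC=mydomain,DC=net?sub?
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = %s
""" % gid_filter([11001, 11003])

if __name__ == "__main__":
    for name, conf in (("visibility", VISIBILITY_CONF), ("access", ACCESS_CONF)):
        print(name, "->", classify(conf))
```

Running the script prints the mode detected for each fragment; feeding it the nss_ldap filter verbatim (`...?one?|(gidNumber=11001)(gidNumber=11003)`) raises ValueError because the outer parentheses are missing, which is the one-character difference between the ldap.conf line and the sssd.conf line.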
Re: [SSSD-users] How to restrict users by GID
On Fri, Apr 12, 2013 at 12:26:15PM +, Licause, Al (BCS) wrote:
> The following entry into an ldap.conf file on a RHEL V5 system provides for the ability to limit users based on their GID values:
>
> nss_base_passwd OU=ldap,DC=mydomain,DC=net?one?|(gidNumber=11001)(gidNumber=11003)
>
> Only those users with GIDs of 11001 or 11003 can log in. All others are prohibited.
>
> I've tried the same filter in sssd.conf on a v6 RHEL system but can't seem to get it to work. It doesn't cause any syntax errors but it is ignored.
>
> I've also tried placing an "=" sign after the nss_base_passwd string and quoting everything after the "=" sign... to no avail.
>
> Can anyone explain the sssd syntax for accomplishing this task?
>
> Thanks in advance.
>
> Al Licause

Hi,

have you checked the ldap_access_filter option? Maybe that's what you're looking for.
[SSSD-users] How to restrict users by GID
The following entry into an ldap.conf file on a RHEL V5 system provides for the ability to limit users based on their GID values:

nss_base_passwd OU=ldap,DC=mydomain,DC=net?one?|(gidNumber=11001)(gidNumber=11003)

Only those users with GIDs of 11001 or 11003 can log in. All others are prohibited.

I've tried the same filter in sssd.conf on a v6 RHEL system but can't seem to get it to work. It doesn't cause any syntax errors but it is ignored.

I've also tried placing an "=" sign after the nss_base_passwd string and quoting everything after the "=" sign... to no avail.

Can anyone explain the sssd syntax for accomplishing this task?

Thanks in advance.

Al Licause