Thanks a lot, it works. Changed
simple_allow_groups = Simple Users@FOOBAR.GLOBAL
to
simple_allow_groups = Simple Users@FOOBAR_NOLOGIN.GLOBAL
and it works as intended.
One thing to keep in mind: These AD users must now be referenced in Linux (e.g.
in /etc/sudoers) not by their AD domain
SSSD logs would show this better, but I wonder if this is related to also using
the AD domain name in the simple access filter. Do logins work if you use the
name of the sssd section there instead of the AD domain name? Or, do the logins
work if you comment out the access provider for a test?
The server my Apache is running on is joined to the domain and running sssd.
The point is that I need to authorize users based on the groups they are a member
of.
I do not think mod_authz_pam is capable of doing that.
Mod_authz_unixgroup is doing what I need, but that's not in RH repo.
That's why I
I don't think mod_lookup_identity is what you are looking for, it does not deal
with access authorization.
You don't say how your users authenticate, so I'll assume you have that sorted
out. In that case, mod_authnz_pam might be the way to go. You mention you use
SSSD, so configuring just
A user belonging to the Simple Users group is resolved correctly via either
one of these commands:
id simpleuser@FOOBAR_NOLOGIN.GLOBAL
id simpleuser@FOOBAR.GLOBAL
Similarly, a user belonging to the Administrators group can be seen via either
one of these commands:
id
> On 31 Aug 2018, at 17:34, Daniele Raffo wrote:
>
> Hello,
>
> I'm trying to define two sssd groups in order to assign a different login
> shell to AD users belonging to two different AD groups in our domain
> FOOBAR.GLOBAL.
> However, all users are unable to log in and get an error