On 06/04/2013 10:13 AM, Bryan Harris wrote:
> Hi all,
>
> I have the following lines in my file /etc/security/access.conf for
> the purpose of my testing.
>
> - : bryan.harris.adm : ALL
> - : ALL : ALL
>
> When I place the following into /etc/pam.d/sshd I can prevent my
> login.  The error is "pam_access(sshd:account): access denied for user
> `bryan.harris.adm' from" which looks like exactly what I want to see.
>
> account required pam_access.so
>
> When I place the following into /etc/pam.d/sshd I can once again login
> just fine and access.conf seems to be ignored.
>
> account required pam_access.so listsep=,
>
> The motivation is that I want to only allow the AD group "Linux
> Admins" (without quotes) to be able to login.  So eventually I want to
> get a line like - : @Linux Admins : ALL into my
> /etc/security/access.conf file.
>
> Can anyone explain how I can make this work properly?  I doubt I can
> convince the Windows guys to not use spaces in their group names but I
> could try.
>
> Or is it better for me to just use ldap_access_filter and leave the
> security up to sssd?  The reason I looked into access.conf was to have
> another security layer "just in case", but if that's redundant and
> unnecessary then I suppose I don't need any of this anyway.

ldap_access_filter seems like the right approach here. I think the
example in the sssd-ldap man page shows the exact line that you are
looking for:

access_provider = ldap
ldap_access_filter = memberOf=cn=Linux Admins,ou=Groups,dc=example,dc=com

> Bryan
>
>
> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
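For readers wanting the full domain stanza behind the two lines Dmitri quotes, here is an added example of an sssd.conf that enforces membership of the "Linux Admins" group at login. It is not from the original thread or from the sssd project; the domain name, server, base DN, CA path and group DN are placeholders, and the AD nested-group variant in the trailing comment is an extra not mentioned in the thread.

```ini
# Added example, not from the thread: sssd.conf with LDAP-filter based
# access control. All names and DNs below are placeholders.
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://dc1.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = ad
ldap_tls_cacert = /etc/pki/tls/certs/ad-ca.pem

# Access control: at login sssd searches for the user's own entry with
# ldap_access_filter AND-ed in; no match means the PAM account stage fails.
access_provider = ldap
ldap_access_order = filter
# Direct membership of the group. Spaces inside a DN need no escaping in an
# LDAP filter (RFC 4515 only escapes * ( ) \ and NUL), so the group name
# with a space is fine here, unlike in access.conf.
ldap_access_filter = memberOf=cn=Linux Admins,ou=Groups,dc=example,dc=com

# Against Active Directory, nested membership can be honoured with the
# LDAP_MATCHING_RULE_IN_CHAIN extensible match instead (AD-specific OID):
# ldap_access_filter = (memberOf:1.2.840.113556.1.4.1941:=cn=Linux Admins,ou=Groups,dc=example,dc=com)
```

Test it from a second session before logging out: an `ssh` login as a group member should succeed and one as a non-member should be refused at the account stage, which shows up in the PAM log from sssd rather than from pam_access. If pam_access is kept as a second layer anyway, note two pam_access details: in access.conf `@name` denotes a netgroup while a POSIX group is written in parentheses, as in `(Linux Admins)`; and with `listsep=,` whitespace is no longer a list separator, so the most likely reason the rule above stopped matching (an assumption here, not something the thread confirms) is that the padding spaces in `- : bryan.harris.adm : ALL` became part of each token, and the line would need to be written without them, e.g. `-:bryan.harris.adm:ALL`.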


