Trying to finalize a standard setup for access control and finding
there are numerous options for group or username based access control.
I'm using the ad access_provider (2012 R2 servers).

- ad_access_filter
    + Pros: Pretty powerful.  I can do nested groups with the proper
            syntax.  Good speed?
    - Cons: Configurations can get pretty ugly (especially with the
            nested group ldap syntax) and complex all on one very long
            line.  Must be in the sssd.conf file so can't have things
            separated easily per-machine or per role that a machine may
            participate in.

- simple_allow_groups (with access_provider = simple)
    + Pros: Simple.  Readable config.
    - Cons: Not sure?  Maybe some performance limitations as compared
            to ad_access_filter?  Don't believe supports nested group
            membership.

- pam_access (actually, not sure if this one works, but in theory it
  should)
    + Pros: Could externalize / customize per machine or per Ansible
            role more easily due to ability to easily use multiple
            external include files.
    - Cons: Not sure.  Another layer in the process so potentially adds
            some delay and complexity.

- SSH's AllowGroups (should work with sssd-ad I believe?)
    + Pros: Simple.
    - Cons: Only works w/ SSH (maybe not a big deal for my use case).
            Unsure on speed.

- ad_gpo_access_control (no idea how this one works but sounds
  powerful)
    + Pros: In theory means everything is managed centrally in AD GPO.
    - Cons: I've never tried it so don't know. :-)

Maybe I am missing some good alternatives above?  Right now am using
ad_access_filter mostly and planning to use Ansible's templating system
to manage per host or service roles.  Could get complex if we end up
needing to do customizations on a per machine basis in certain cases...

Thanks,
Ray
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
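As an added illustration of the options compared in the post above (this is not Ray's configuration or anything from the sssd project itself), here is an sssd.conf fragment showing the concrete syntax for the `ad` access provider with `ad_access_filter` and `ad_gpo_access_control`, with the `simple` provider alternative kept alongside as commented-out lines. The domain `example.com`, the group names `linux-admins` and `web-ops` and the OU path are constructed placeholders. The `1.2.840.113556.1.4.1941` matching rule is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN, which is what makes the filter follow nested group membership:

```ini
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
auth_provider = ad
# One access_provider per domain: the two blocks below are alternatives.

# --- Option 1: ad_access_filter (access_provider = ad) ---
access_provider = ad
# Single-line LDAP filter evaluated against the user object in AD.
# memberOf with the IN_CHAIN matching rule matches transitive (nested)
# membership, which a plain memberOf= test would not.
ad_access_filter = (|(memberOf:1.2.840.113556.1.4.1941:=CN=linux-admins,OU=Groups,DC=example,DC=com)(memberOf:1.2.840.113556.1.4.1941:=CN=web-ops,OU=Groups,DC=example,DC=com))
# GPO-based "Allow log on locally / through Remote Desktop" style checks
# also run under access_provider = ad. "permissive" logs what would be
# denied without blocking logins; switch to "enforcing" once the GPO
# results look right on a test host. "disabled" turns the GPO check off.
ad_gpo_access_control = permissive

# --- Option 2: simple_allow_groups (access_provider = simple) ---
# Readable, but the group list lives in this file, so per-host variation
# means templating sssd.conf per host.
#access_provider = simple
#simple_allow_groups = linux-admins, web-ops
```

The two host-local mechanisms from the post need no sssd.conf change: pam_access takes its rules from `/etc/security/access.conf` (a deny-by-default pair such as `+ : (linux-admins) : ALL` followed by `- : ALL : ALL`, with `pam_access.so` in the PAM account stack), and sshd takes `AllowGroups linux-admins web-ops` in `sshd_config`, which only gates SSH and not console or other PAM services. Whichever layer is chosen, keeping one of them authoritative and testing a denied user on a throwaway host before rolling out avoids the common failure where two layers disagree and nobody notices which one actually produced the deny.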
