On Sat, May 27, 2017 at 07:30:29PM +0200, Lukas Slebodnik wrote:
> On (27/05/17 04:29), Ali, Saqib wrote:
> >Hi Lukas,
> >
> >We don't have freeipa. Is it possible to do host based access control using
> >just ldap and sssd?
> >
> HBAC is implemented only with access_provider ipa.
> GPO is implemented only with access_provider ad.
>
> It is not possible to use them with plain ldap.
>
> You might try to use pam_hbac https://github.com/jhrozek/pam_hbac
> But it would still require "porting" the ldap schema from freeIPA
> to your directory server. Maybe it would be simpler to migrate
> from LDAP -> freeIPA.
>
> I gave you a few options and it is up to you to use the best approach.
> Maybe it would be the simplest to write your own python script
> which will parse sssd.conf and expand groups to a list of users :-)
This is currently the best approach: since the access checks are defined on the
client side, the 'audit' also has to be done on the client side. But it may still
be unreliable unless you make sure the configuration can actually resolve all
group members, because the only way to expand a group to a list of members is
'getent group $groupname', and resolving the group takes the maximum LDAP group
nesting into account, so you need to make sure the clients can actually traverse
the group nesting hierarchy.

The most reliable way is to try the access control while generating the report.
If you have a list of usernames in your domain, you can just call into pam
access. With the next sssd release (or with rhel-7.4) you'd also be able to do
that with a tool:

# sssctl user-checks admin -s su
user: admin
action: acct
service: su

SSSD nss user lookup result:
 - user name: admin
 - user id: 972400000
 - group id: 972400000
 - gecos: Administrator
 - home directory: /home/admin
 - shell: /bin/bash

SSSD InfoPipe user lookup result:
 - name: admin
 - uidNumber: 972400000
 - gidNumber: 972400000
 - gecos: Administrator
 - homeDirectory: /home/admin
 - loginShell: /bin/bash

testing pam_acct_mgmt

pam_acct_mgmt: Success      <--------- Here

PAM Environment:
 - no env -
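The "parse sssd.conf and expand groups" script suggested in the thread, sketched here as an added example that is not code from the thread or from SSSD itself. It assumes the plain-LDAP client uses access_provider = simple, reads that provider's simple_allow_users / simple_allow_groups options, expands the groups through NSS (i.e. through sssd on the client, exactly as 'getent group' does), and flags any group the client cannot resolve, since that is the case where the client-side audit and the client-side access check both become unreliable. The sample sssd.conf is constructed for the example.

```python
import configparser
import grp
from typing import Callable, Dict, List

# Constructed sample sssd.conf (not taken from the thread): a plain LDAP
# domain using the 'simple' access provider, which is what a client without
# FreeIPA/AD typically has to fall back to.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
access_provider = simple
simple_allow_users = alice, bob
simple_allow_groups = sysadmins, dbas
"""


def _split_list(value: str) -> List[str]:
    # sssd list options are comma separated; tolerate stray whitespace.
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_access_rules(conf_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {domain: {'users': [...], 'groups': [...]}} from the simple provider options."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    rules = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        users = _split_list(parser.get(section, "simple_allow_users", fallback=""))
        groups = _split_list(parser.get(section, "simple_allow_groups", fallback=""))
        rules[section[len("domain/"):]] = {"users": users, "groups": groups}
    return rules


def nss_group_members(name: str) -> List[str]:
    """Resolve a group through NSS, i.e. through sssd on the client (like 'getent group').
    Nested groups are only expanded as far as the client's ldap_group_nesting_level allows."""
    return list(grp.getgrnam(name).gr_mem)


def expand_allowed_users(rules, resolve: Callable[[str], List[str]] = nss_group_members):
    """Expand each domain's allow rules to a sorted user list; unresolvable groups are flagged."""
    report = {}
    for domain, rule in rules.items():
        allowed = set(rule["users"])
        for group in rule["groups"]:
            try:
                allowed.update(resolve(group))
            except KeyError:
                # The client cannot resolve this group, so neither this report nor
                # the client's access check can be trusted for it: surface that.
                allowed.add(f"<unresolved group {group}>")
        report[domain] = sorted(allowed)
    return report
```

On a real client, run `expand_allowed_users(parse_access_rules(open("/etc/sssd/sssd.conf").read()))` as root; the `resolve` parameter exists so the expansion can be exercised with a stand-in resolver instead of live NSS.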