On Sat, May 27, 2017 at 07:30:29PM +0200, Lukas Slebodnik wrote:
> On (27/05/17 04:29), Ali, Saqib wrote:
> >Hi Lukas,
> >
> >We don't have freeipa. Is it possible to do host based access control using
> >just ldap and sssd?
> >
> HBAC is implemented only with access_provider ipa.
> GPO is implemented only with access_provider ad.
> 
> It is not possible to use them with plain ldap.
> 
> You might try to use pam_hbac https://github.com/jhrozek/pam_hbac
> But it would still require "porting" ldap schema from freeIPA
> to your directory server. Maybe it would be simpler to migrate
> from LDAP -> freeIPA.
> 
> I gave you a few options and it is up to you to use the best approach.
> Maybe it would be the simplest to write your own python script
> which will parse sssd.conf and expand groups to list of users :-)

This is currently the best approach: since the access checks are defined on
the client side, the 'audit' has to also be done on the client side. But
it may still be unreliable unless you make sure the configuration can
actually resolve all group members.

Because the only way to expand a group to a list of members is 'getent
group $groupname', and resolving the group takes the maximum LDAP group
nesting into account, you need to make sure the clients can actually
traverse the group nesting hierarchy.

The most reliable way is to try the access control while generating the
report. If you have a list of usernames in your domain, you can just call
into pam access. With the next sssd release (or with rhel-7.4) you'd also
be able to do that with a tool:

# sssctl user-checks admin -s su
user: admin
action: acct
service: su

SSSD nss user lookup result:
 - user name: admin
 - user id: 972400000
 - group id: 972400000
 - gecos: Administrator
 - home directory: /home/admin
 - shell: /bin/bash

SSSD InfoPipe user lookup result:
 - name: admin
 - uidNumber: 972400000
 - gidNumber: 972400000
 - gecos: Administrator
 - homeDirectory: /home/admin
 - loginShell: /bin/bash

testing pam_acct_mgmt

pam_acct_mgmt: Success <--------- Here

PAM Environment:
 - no env -
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
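The two suggestions in this thread (a script that parses sssd.conf and expands the groups, and then a real PAM check rather than trusting the expansion) combined into one audit script. This is an added example, not code from the thread or from the SSSD project; the sample sssd.conf is constructed, the group resolver is the same NSS lookup that 'getent group' uses, and the `pam_verify` step shells out to the `sssctl user-checks <user> -s <service>` command shown above, so it only does something on a host where sssctl is installed. The allow/deny precedence implemented here (deny entries win) is an assumption to be checked against sssd-simple(5) for your version.

```python
"""Audit the effective user list of SSSD's 'simple' access provider.

Added example for the sssd-users thread; not part of SSSD itself.
"""
import configparser
import grp
import shutil
import subprocess
import sys

# Constructed sample configuration (not from the thread): one plain LDAP
# domain using the client-side 'simple' access provider.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
access_provider = simple
simple_allow_users = alice, bob
simple_allow_groups = sysadmins, dbas, ghosts
simple_deny_users = mallory
"""

SIMPLE_KEYS = ("simple_allow_users", "simple_allow_groups",
               "simple_deny_users", "simple_deny_groups")


def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_simple_access(conf_text):
    """Return {domain: {option: [names]}} for every domain whose
    access_provider is 'simple'.  HBAC (ipa) and GPO (ad) keep their rules
    on the server, so nothing in sssd.conf can be audited for them."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    rules = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "access_provider", fallback="permit") != "simple":
            continue
        rules[section[len("domain/"):]] = {
            k: _split(cp.get(section, k, fallback="")) for k in SIMPLE_KEYS}
    return rules


def nss_members(group):
    """Same lookup as 'getent group': whatever the NSS responder has already
    flattened, bounded by ldap_group_nesting_level on this client.  Note that
    gr_mem does not list users whose *primary* GID is this group."""
    return list(grp.getgrnam(group).gr_mem)


def expand(domain_rules, resolver=nss_members):
    """Expand allow/deny groups into users.

    Returns (allowed, denied, problems).  'problems' lists groups that could
    not be resolved or came back empty; either means the report cannot be
    trusted until the client is able to resolve the nesting hierarchy."""
    problems = []

    def members(groups):
        users = set()
        for g in groups:
            try:
                m = resolver(g)
            except KeyError:          # grp.getgrnam raises KeyError if unknown
                problems.append((g, "unresolvable"))
                continue
            if not m:
                problems.append((g, "empty (check group nesting)"))
            users.update(m)
        return users

    allowed = set(domain_rules["simple_allow_users"]) | members(
        domain_rules["simple_allow_groups"])
    denied = set(domain_rules["simple_deny_users"]) | members(
        domain_rules["simple_deny_groups"])
    # Assumption: deny entries take precedence over allow entries.
    return allowed - denied, denied, problems


def pam_verify(user, service="login"):
    """Authoritative check: ask SSSD through 'sssctl user-checks' whether
    pam_acct_mgmt succeeds for this user/service.  Returns None when sssctl
    is not installed (older sssd releases)."""
    if shutil.which("sssctl") is None:
        return None
    out = subprocess.run(["sssctl", "user-checks", user, "-s", service],
                         capture_output=True, text=True).stdout
    return "pam_acct_mgmt: Success" in out


if __name__ == "__main__":
    # Usage: python audit.py [/etc/sssd/sssd.conf]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSSD_CONF
    for domain, r in parse_simple_access(text).items():
        allowed, denied, problems = expand(r)
        print(domain, "allowed:", sorted(allowed), "denied:", sorted(denied))
        for g, why in problems:
            print("  problem:", g, why)
        for u in sorted(allowed):
            print("  pam_acct_mgmt for", u, "via su:", pam_verify(u, "su"))
```

Run it against the real /etc/sssd/sssd.conf on an audited client; any line tagged "problem" means the client cannot resolve that group, which is exactly the unreliability the reply warns about, and the `pam_verify` column is the only result to trust.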