[Freeipa-users] Limiting Host access by UID/GID
Dmitri Pal
dpal at redhat.com
Thu May 30 23:23:38 UTC 2013
On 05/30/2013 06:52 PM, Chandan Kumar wrote:
> Hello,
>
> As part of the migration from passwd/shadow to IPA, I want to roll out
> IPA/SSSD based passwords first for a small number of users and then for
> all. (The same goes for hosts: first a small number of hosts and then all.)
>
> I was trying to limit it using the max_id/min_id parameters in sssd but it
> does not seem to work the way I expected.
> -------
> min_id = 5000
> max_id = 5100
> ------
> So there is a user "kchandan" with UID/GID 20000
> ------
> [root at tipa1 ~]# id kchandan
> uid=20000(kchandan) gid=20000 groups=20000
> -------
>
> But it is allowing me to log in with that ID, with the only error showing
> GID 20000 not found.
> -----------
> ssh 10.2.3.105 -l kchandan
> kchandan at 10.2.3.105's password:
> id: cannot find name for group ID 20000
> -------------
>
> Is there any way to achieve this?

So you want to allow only a subset of users with a specific range to log
into the systems controlled by SSSD before you open it to a broader public?
I would defer to SSSD gurus but the hack that comes to mind is to
configure a simple access provider to limit the access to just the users
you care about (man sssd-simple) or configure the LDAP access provider based
on a filter (man sssd-ldap).

>
> Thanks
> Chandan
>
>
> --
>
> --
> http://about.me/chandank
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
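
The simple access provider suggested in the reply above, as an added sssd.conf fragment that is not part of the original message. The domain name `example.com` and the group name `sssd-pilot` are placeholders; `kchandan` is the user from the question.

```ini
# /etc/sssd/sssd.conf (fragment)
# Domain section name is a placeholder; use the name of your IPA domain.
[domain/example.com]
id_provider = ipa

# min_id / max_id only limit which UIDs/GIDs SSSD resolves for this domain
# (entries outside the range are ignored). The pilot set is named
# explicitly through an access provider instead.

# Simple access provider, see sssd-simple(5).
# When an allow list is set, every user not on it is denied.
access_provider = simple
simple_allow_users = kchandan

# Alternative: allow by group membership (hypothetical group name).
# simple_allow_groups = sssd-pilot
```

Restart sssd after changing the file, then confirm that a user outside the allow list is refused at login and that the refusal appears in the system's authentication log.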