[Freeipa-users] Limiting Host access by UID/GID

Jakub Hrozek jhrozek at redhat.com
Fri May 31 09:55:39 UTC 2013


On Thu, May 30, 2013 at 07:23:38PM -0400, Dmitri Pal wrote:
> On 05/30/2013 06:52 PM, Chandan Kumar wrote:
> > Hello,
> >
> > As part of migration from passwd/shadow to IPA, I want to roll out
> > IPA/SSSD based passwords first for a small number of users and then for
> > all. (Same goes for hosts: first a small number of hosts and then all.)
> >
> > I was trying to limit it using the max_id/min_id parameters in sssd but it
> > does not seem to work the way I expected.
> > -------
> > min_id = 5000
> > max_id = 5100
> > ------
> > So there is a user "kchandan" with UID/GID 20000
> > ------
> > [root at tipa1 ~]# id kchandan
> > uid=20000(kchandan) gid=20000 groups=20000
> > -------
> >
> > But it is allowing me to log in with that ID, with the only error showing
> > that GID 20000 is not found.
> > -----------
> > ssh 10.2.3.105 -l kchandan
> > kchandan at 10.2.3.105's password:
> > id: cannot find name for group ID 20000
> > -------------
> >
> > Is there any way to achieve this?
> 
> So you want to allow only a subset of users with a specific range to log
> into the systems controlled by SSSD before you open it to a broader public?
> I would defer to the SSSD gurus, but the hack that comes to mind is to
> configure the simple access provider to limit access to just the users
> you care about (man sssd-simple), or to configure the ldap access provider
> based on a filter (man sssd-ldap).

Hi,

The user shouldn't even be saved to the cache if it's filtered out of the range.

But looking at the current NSS code, the entry would still be returned if
it was saved *before* you changed the min_id/max_id parameters. Could that be
the case? Can you check whether the entry still shows up after removing the cache?

I think that the fact that the entry is returned from cache even if it
should be filtered out is a bug:
https://fedorahosted.org/sssd/ticket/1954
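To illustrate the point of the thread, here is an sssd.conf sketch added to this archive page (not posted by anyone in the thread): the min_id/max_id range on its own only decides which entries SSSD will look up and cache, so a user cached before the range was tightened still logs in, whereas an access provider decides who may log in at all. Domain name, user and group names and the 5000-5100 range are constructed for the example; the option names are the ones documented in sssd.conf(5), sssd-simple(5) and sssd-ldap(5).

```ini
# --- Weak: range filtering only (what the original poster tried) ---
# min_id/max_id belong in the domain section. They filter lookups, not
# logins: a user already present in /var/lib/sss/db from before the change
# keeps being served from cache (ticket 1954 above), and an in-range user
# is never actually denied access by these two options.
[domain/example.test]
id_provider = ipa
auth_provider = ipa
min_id = 5000
max_id = 5100
# access_provider left at its default, so any user SSSD can resolve may log in

# --- Corrected: explicit access control for the pilot population ---
# The simple access provider allows only the listed users/groups; everyone
# else resolvable through IPA is denied at the PAM account stage.
[domain/example.test]
id_provider = ipa
auth_provider = ipa
access_provider = simple
# constructed pilot list; either option alone is enough
simple_allow_users = pilot1, pilot2
simple_allow_groups = ipa-pilot-hosts

# --- Alternative: LDAP filter, e.g. by uidNumber range (assumes the
# directory supports ordering matches on uidNumber, as 389-ds/IPA does) ---
# [domain/example.test]
# access_provider = ldap
# ldap_access_order = filter
# ldap_access_filter = (&(uidNumber>=5000)(uidNumber<=5100))
```

After changing the range or the access provider, clear the cached entries (for example `sss_cache -E`, then restart sssd) before re-testing, otherwise a stale cached user can still appear to pass the range check.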
