[Freeipa-users] Freeipa and limiting access by group (memberOf)
Janet Houser
houser at nso.edu
Tue May 16 13:56:38 UTC 2017
Hi Folks,
Last week I deployed freeipa on a CentOS7 VM. The installation went
very smoothly using:
yum install ipa-server
and
ipa-server-install
My issue is with connecting a CentOS 7 client. On my client, I yum
installed ipa-client and ipa-admintools.
I then ran "ipa-client-install" and answered the setup questions (very
easy and smooth).
The "getent passwd" command didn't return any users, but the "getent
passwd jdoe" does give the information
for the user. I found in the archives that I can set "enumerate=True"
so I get a complete user listing. That
seems to be working, and I was able to login with the account "jdoe"
(brilliant!).
Problem 1:
========
I created a user group on the ipa server with the following attributes:
name = xyx, gid = 1000
I changed the user "jdoe" to have gid = 1000, but when I ssh into the
ipa client, I get the following message after
logging in:
/usr/bin/id: cannot find name for group ID 1000
A "getent group" command does list the group: xyz:*:1000:
A "groups" command issued by the user shows: xyz
Files created by the user show the correct ownership and group.
Problem 2:
=======
I've been looking through the freeipa groups and literature and I can't
figure out how to limit user login access to
an ipa client by a memberOf group.
When I was using CentOS 6 and 7 I could use the nslcd.conf file to put
in a group filter like:
passwd (&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu))
I tried changing the access_provider to simple and using the
"simply_allow_groups = test", but that didn't work.
However, using "access_provider = ipa" and "filter_users" did allow me
to filter out a user from the "getent passwd" command.
I tried changing the access_provider to ldap and using the filter
"ldap_access_filter = memberOf=cn=test,OU=Groups,DC=abc,DC=xyx,DC=edu",
but that failed too.
I'd appreciate any suggestions.
Thanks,
- signed an "ipa newbie"
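An added example of the client-side sssd.conf access-control section for the situation described above; it is not from the original post or the FreeIPA project. The domain name abc.xyx.edu and the group name test are taken from the post, the section name and provider lines are assumptions.

```ini
# /etc/sssd/sssd.conf on the IPA client (added example, not from the post).
# The domain section name is assumed to match the post's DNS domain.
[domain/abc.xyx.edu]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa

# As written in the post (does not restrict anything): the option name is
# misspelled, so SSSD ignores it, and the "simple" provider with no allow or
# deny list configured grants access to every user.
# access_provider = simple
# simply_allow_groups = test

# Corrected form: only members of the IPA group "test" may log in.
# Membership is resolved through the id_provider above, so the group has to
# be visible on the client (check with: getent group test).
access_provider = simple
simple_allow_groups = test

# Alternative on an IPA client: leave the decision to the server.
# With access_provider = ipa, SSSD enforces the host-based access control
# (HBAC) rules kept on the IPA server, so the restriction is defined once
# centrally (a rule granting "test" the login services on this host, with
# the default "allow_all" rule disabled) rather than per client.
# access_provider = ipa
```

Whichever provider is chosen, restart sssd afterwards and confirm the policy with a login attempt by a user outside the group, not only by one inside it.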