[Freeipa-users] Freeipa and limiting access by group (memberOf)
Jakub Hrozek
jhrozek at redhat.com
Wed May 17 15:22:59 UTC 2017
On Tue, May 16, 2017 at 07:56:38AM -0600, Janet Houser wrote:
> Hi Folks,
>
> Last week I deployed freeipa on a CentOS7 VM. The installation went very
> smoothly using:
>
> yum install ipa-server
>
> and
>
> ipa-server-install
>
>
> My issue is with connecting a CentOS 7 client. On my client, I yum
> installed ipa-client and ipa-admintools.
> I than ran "ipa-client-install" and answered the setup questions (very
> easy and smooth).
>
> The "getent passwd" command didn't return any users, but the "getent passwd
> jdoe" does give the information
> for the user. I found in the archives that I can set "enumerate=True" so I
> get a complete user listing. That
> seems to be working, and I was able to login with the account "jdoe"
> (brilliant!).
I would discourage enumeration especially if you're planning on a large
domain. The performance right now is not great. Moreover, the way the
trusted accounts are retrieved doesn't support enumeration at all
either.
>
> Problem 1:
> ========
>
> I created a user group on the ipa server with the following attributes:
>
> name = xyz, gid = 1000
>
> I changed the user "jdoe" to have gid = 1000, but when I ssh into the ipa
> client, I get the following message after
> logging in:
>
> /usr/bin/id: cannot find name for group ID 1000
>
> A "getent group" command does list the group: xyz:*:1000:
>
> A "groups" command issued by the user shows: xyz
>
> files created by the user show the correct ownership and group.
I would first try to remove the sssd caches because uid/gid renumbering
doesn't work great. If that doesn't help, please check the sssd logs.
By the way, 1000 is quite low and would most probably clash with local
accounts. I would strongly suggest to stick to ID numbers within the
configured ID range (ipa idrange-find)
>
> Problem 2:
> =======
>
> I've been looking through the freeipa groups and literature and I can't
> figure out how to limit user login access to
> an ipa client by a memberOf group.
>
> When I was using CentOS 6 and 7 I could use the nslcd.conf file to put in a
> group filter like:
>
> passwd (&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu))
>
>
> I tried changing the access_provider to simple and using the
> "simply_allow_groups = test", but that didn't work.
> However, using "access_provider = ipa" and "filter_users" did allow me to
> filter out a user from the "getent passwd" command.
>
> I tried changing the access_provider to ldap and using the filter
> "ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu
> but that failed too.
Please check out "ipa help hbac"
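As an added illustration of the HBAC approach suggested above (this is example code, not part of the original thread or of FreeIPA's own tooling), the following shell script issues the ipa commands that allow only members of one user group to log in over ssh to one IPA client, and then asks the server to evaluate a login the way sssd's ipa access provider would. The rule name, the group "test", the host "ipaclient.example.com" and the user "jdoe" are assumed names for the illustration. With DRY_RUN=1 (the default) every ipa command is printed instead of executed, so the plan can be reviewed offline; run it with DRY_RUN=0 on a machine holding a Kerberos ticket for an IPA admin (kinit admin).

```shell
#!/bin/sh
# Added example, not from the original thread: scope ssh logins on one
# IPA client to one user group with an HBAC rule.
# Assumed names: group "test", host "ipaclient.example.com", user "jdoe".
# DRY_RUN=1 (default) prints the ipa commands; DRY_RUN=0 executes them.

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# hbac_restrict_group GROUP HOST [RULE]
# Emits (or executes) the commands that let only GROUP use sshd on HOST.
hbac_restrict_group() {
    group=$1
    host=$2
    rule=${3:-ssh_${group}_only}

    # 1. The default allow_all rule grants every user access to every host
    #    and service; a group-scoped rule changes nothing until it is off.
    run ipa hbacrule-disable allow_all

    # 2. New rule scoped to one group, one host and the sshd service.
    #    (--users=... would add individual accounts instead of a group.)
    run ipa hbacrule-add "$rule" --desc="ssh on $host for group $group only"
    run ipa hbacrule-add-user "$rule" --groups="$group"
    run ipa hbacrule-add-host "$rule" --hosts="$host"
    run ipa hbacrule-add-service "$rule" --hbacsvcs=sshd
}

# hbac_verify USER HOST
# Ask the server how HBAC would evaluate an sshd login for USER on HOST
# without touching the client; ipa hbactest exits non-zero on "denied".
hbac_verify() {
    run ipa hbactest --user="$1" --host="$2" --service=sshd
}

# count_ipa_cmds: number of ipa commands the dry-run plan issues; a quick
# self-check that nothing in the plan was skipped.
count_ipa_cmds() {
    hbac_restrict_group test ipaclient.example.com | grep -c '^ipa '
}

# Dry-run plan for the thread's group "test" and a check for user "jdoe".
hbac_restrict_group test ipaclient.example.com
hbac_verify jdoe ipaclient.example.com
```

HBAC is evaluated on the client by sssd's "access_provider = ipa", which ipa-client-install configures by default, so no nslcd-style LDAP filter is needed. After changing rules, clear the client's cached access decisions with "sss_cache -E" (or restart sssd) before re-testing, and keep the explicit "ipa hbactest" check: it tells you which rules matched, which is far easier to debug than a failed ssh login.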