[Freeipa-users] Freeipa and limiting access by group (memberOf)

Jakub Hrozek jhrozek at redhat.com
Wed May 17 15:22:59 UTC 2017


On Tue, May 16, 2017 at 07:56:38AM -0600, Janet Houser wrote:
> Hi Folks,
> 
> Last week I deployed freeipa on a CentOS7 VM.   The installation went very
> smoothly using:
> 
>     yum install ipa-server
> 
> and
> 
>     ipa-server-install
> 
> 
> My issue is with connecting a CentOS 7 client.  On my client, I yum
> installed  ipa-client and ipa-admintools.
> I then ran  "ipa-client-install"  and answered the setup questions (very
> easy and smooth).
> 
> The "getent passwd" command didn't return any users, but the "getent passwd
> jdoe" does give the information
> for the user.   I found in the archives that I can set "enumerate=True" so I
> get a complete user listing.   That
> seems to be working, and I was able to login with the account "jdoe"
> (brilliant!).

I would discourage enumeration especially if you're planning on a large
domain. The performance right now is not great. Moreover, the way the
trusted accounts are retrieved doesn't support enumeration at all
either.

> 
> Problem 1:
> ========
> 
> I created a user group on the ipa server  with the following attributes:
> 
>    name = xyx,  gid = 1000
> 
> I changed the user "jdoe" to have gid = 1000, but when I ssh into the ipa
> client, I get the following message after
> logging in:
> 
> /usr/bin/id: cannot find name for group ID 1000
> 
> A "getent group" command does list the group:     xyz:*:1000:
> 
> A "groups" command issued by the user shows:   xyz
> 
> Files created by the user show the correct ownership and group.

I would first try to remove the sssd caches because uid/gid renumbering
doesn't work great. If that doesn't help, please check the sssd logs.

By the way, 1000 is quite low and would most probably clash with local
accounts. I would strongly suggest sticking to ID numbers within the
configured ID range (ipa idrange-find).

> 
> Problem 2:
> =======
> 
> I've been looking through the freeipa groups and literature and I can't
> figure out how to limit user login access to
> an ipa client by a memberOf group.
> 
> When I was using CentOS 6 and 7 I could use the nslcd.conf file to put in a
> group filter like:
> 
> passwd (&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu))
> 
> 
> I tried changing the access_provider to simple and using the
> "simply_allow_groups = test", but that didn't work.
> However, using "access_provider = ipa" and "filter_users" did allow me to
> filter out a user from the "getent passwd" command.
> 
> I tried changing the access_provider to ldap and using the filter
> "ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu"
> but that failed too.

Please check out "ipa help hbac"
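The HBAC mechanism Jakub points to, as an added example that is not part of the thread: a small Python model of how FreeIPA evaluates HBAC rules (allow-only rules, "all" categories, enabled flag, the default `allow_all` rule), with the real `ipa hbacrule-*` commands that would create the equivalent rule on the server. The rule name `test_ssh`, the host `client.example.com`, the user `alice` and the group memberships are constructed; on the client, `access_provider = ipa` in sssd.conf is what enforces these rules.

```python
from dataclasses import dataclass, field

@dataclass
class HbacRule:
    """One FreeIPA HBAC rule: allow-only, matched by user, host and service."""
    name: str
    enabled: bool = True
    user_cat_all: bool = False   # --usercat=all
    host_cat_all: bool = False   # --hostcat=all
    svc_cat_all: bool = False    # --servicecat=all
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    services: set = field(default_factory=set)

    def matches(self, user, user_groups, host, service):
        if not self.enabled:
            return False
        user_ok = self.user_cat_all or user in self.users or bool(self.groups & user_groups)
        host_ok = self.host_cat_all or host in self.hosts
        svc_ok = self.svc_cat_all or service in self.services
        return user_ok and host_ok and svc_ok

def hbac_allows(rules, user, user_groups, host, service):
    # HBAC has no deny rules: access is granted if any enabled rule matches.
    return any(r.matches(user, user_groups, host, service) for r in rules)

# Constructed directory state: jdoe is NOT in "test", alice is.
GROUPS = {"jdoe": {"ipausers"}, "alice": {"ipausers", "test"}}
HOST = "client.example.com"  # constructed client hostname

# The rule the thread asks for, created on the server with:
#   ipa hbacrule-add test_ssh
#   ipa hbacrule-add-user test_ssh --groups=test
#   ipa hbacrule-add-host test_ssh --hosts=client.example.com
#   ipa hbacrule-add-service test_ssh --hbacsvcs=sshd
TEST_SSH = HbacRule("test_ssh", groups={"test"}, hosts={HOST}, services={"sshd"})

def check(user, service="sshd", allow_all_enabled=True):
    """Evaluate a login for `user` on HOST, the way `ipa hbactest` reports it."""
    # FreeIPA ships an enabled "allow_all" rule; until it is disabled
    # (ipa hbacrule-disable allow_all) the group restriction has no effect.
    allow_all = HbacRule("allow_all", enabled=allow_all_enabled,
                         user_cat_all=True, host_cat_all=True, svc_cat_all=True)
    return hbac_allows((allow_all, TEST_SSH), user, GROUPS[user], HOST, service)
```

Running `check("jdoe")` with `allow_all` still enabled returns True, which is the usual reason a freshly added group rule appears not to work.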
