[Freeipa-users] Freeipa and limiting access by group (memberOf)
Jakub Hrozek
jhrozek at redhat.com
Thu May 18 18:19:52 UTC 2017
On Thu, May 18, 2017 at 10:37:57AM -0600, Janet Houser wrote:
>
>
> On 5/17/17 9:22 AM, Jakub Hrozek wrote:
> > On Tue, May 16, 2017 at 07:56:38AM -0600, Janet Houser wrote:
> > > Hi Folks,
> > >
> > > Last week I deployed freeipa on a CentOS7 VM. The installation went very
> > > smoothly using:
> > >
> > > yum install ipa-server
> > >
> > > and
> > >
> > > ipa-server-install
> > >
> > >
> > > My issue is with connecting a CentOS 7 client. On my client, I yum
> > > installed ipa-client and ipa-admintools.
> > > I then ran "ipa-client-install" and answered the setup questions (very
> > > easy and smooth).
> > >
> > > The "getent passwd" command didn't return any users, but the "getent passwd
> > > jdoe" does give the information
> > > for the user. I found in the archives that I can set "enumerate=True" so I
> > > get a complete user listing. That
> > > seems to be working, and I was able to login with the account "jdoe"
> > > (brilliant!).
> > I would discourage enumeration especially if you're planning on a large
> > domain. The performance right now is not great. Moreover, the way the
> > trusted accounts are retrieved doesn't support enumeration at all
> > either.
>
> Copy that. Enumeration is set to true just for testing. It will be
> disabled later.
> >
> > > Problem 1:
> > > ========
> > >
> > > I created a user group on the ipa server with the following attributes:
> > >
> > > name = xyx, gid = 1000
> > >
> > > I changed the user "jdoe" to have gid = 1000, but when I ssh into the ipa
> > > client, I get the following message after
> > > logging in:
> > >
> > > /usr/bin/id: cannot find name for group ID 1000
> > >
> > > A "getent group" command does list the group: xyz:*:1000:
> > >
> > > A "groups" command issued by the user shows: xyz
> > >
> > > files created by the user show the correct ownership and group.
> > I would first try to remove the sssd caches because uid/gid renumbering
> > doesn't work great. If that doesn't help, please check the sssd logs.
>
> Didn't work, and the logs aren't really being helpful, but I'll dig further.
Feel free to paste some sanitized snippet here.
>
> >
> > By the way, 1000 is quite low and would most probably clash with local
> > accounts. I would strongly suggest to stick to ID numbers within the
> > configured ID range (ipa idrange-find)
> >
> > > Problem 2:
> > > =======
> > >
> > > I've been looking through the freeipa groups and literature and I can't
> > > figure out how to limit user login access to
> > > an ipa client by a memberOf group.
> > >
> > > When I was using CentOS 6 and 7 I could use the nslcd.conf file to put in a
> > > group filter like:
> > >
> > > passwd (&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu))
> > >
> > >
> > > I tried changing the access_provider to simple and using the
> > > "simply_allow_groups = test", but that didn't work.
> > > However, using "access_provider = ipa" and "filter_users" did allow me to
> > > filter out a user from the "getent passwd" command.
> > >
> > > I tried changing the access_provider to ldap and using the filter
> > > "ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu
> > > but that failed too.
> > Please check out "ipa help hbac"
> >
> I just realized hbac is host based access control. I can't really use this
> since I need to restrict certain users
> to resources. Since freeipa is based on directory server 389, I'm assuming
> it can do group / memberOf filtering.
What are the resources we're talking about here?
>
> Any suggestions would be appreciated.
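The HBAC route Jakub points to, as an added example that is not part of the thread: an HBAC rule combines users or groups, hosts or hostgroups, and services, so "only members of group test may ssh into this client" is exactly what it expresses. The script assumes the `ipa` CLI with a valid admin Kerberos ticket; the rule name `ssh_test`, the host `client.example.test` and the `IPA_CMD` dry-run hook are my own placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): restrict ssh logins on one IPA
# client to members of an IPA user group with an HBAC rule, then verify.
# Assumes the ipa CLI and an admin ticket (kinit admin). IPA_CMD is a
# hypothetical hook so the functions can be dry-run with IPA_CMD=echo.
IPA_CMD="${IPA_CMD:-ipa}"

# hbac_restrict_ssh <rule-name> <user-group> <client-fqdn>
# A fresh server ships an enabled "allow_all" rule that admits every
# user on every host; until it is disabled the new rule changes nothing,
# which is why the last step disables it. Use --hostgroups instead of
# --hosts to cover a set of clients with one rule.
hbac_restrict_ssh() {
  rule=$1
  group=$2
  host=$3
  "$IPA_CMD" hbacrule-add "$rule" --desc="ssh for $group on $host" &&
  "$IPA_CMD" hbacrule-add-user "$rule" --groups="$group" &&
  "$IPA_CMD" hbacrule-add-host "$rule" --hosts="$host" &&
  "$IPA_CMD" hbacrule-add-service "$rule" --hbacsvcs=sshd &&
  "$IPA_CMD" hbacrule-disable allow_all
}

# hbac_check <user> <client-fqdn>: ask the server how it would decide
# for sshd without logging in; run it for a member and a non-member.
hbac_check() {
  "$IPA_CMD" hbactest --user="$1" --host="$2" --service=sshd
}

# Live usage:
#   hbac_restrict_ssh ssh_test test client.example.test
#   hbac_check jdoe client.example.test
```

On the client this only holds while sssd keeps `access_provider = ipa` (what ipa-client-install writes), because that provider is the one that evaluates HBAC; the `simple` and `ldap` providers tried above do not.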