[Freeipa-users] Freeipa and limiting access by group (memberOf)

Jakub Hrozek jhrozek at redhat.com
Thu May 18 18:19:52 UTC 2017


On Thu, May 18, 2017 at 10:37:57AM -0600, Janet Houser wrote:
> 
> 
> On 5/17/17 9:22 AM, Jakub Hrozek wrote:
> > On Tue, May 16, 2017 at 07:56:38AM -0600, Janet Houser wrote:
> > > Hi Folks,
> > > 
> > > Last week I deployed freeipa on a CentOS7 VM.   The installation went very
> > > smoothly using:
> > > 
> > >      yum install ipa-server
> > > 
> > > and
> > > 
> > >      ipa-server-install
> > > 
> > > 
> > > My issue is with connecting a CentOS 7 client.  On my client, I yum
> > > installed  ipa-client and ipa-admintools.
> > > I then ran  "ipa-client-install"  and answered the setup questions (very
> > > easy and smooth).
> > > 
> > > The "getent passwd" command didn't return any users, but the "getent passwd
> > > jdoe" does give the information
> > > for the user.   I found in the archives that I can set "enumerate=True" so I
> > > get a complete user listing.   That
> > > seems to be working, and I was able to login with the account "jdoe"
> > > (brilliant!).
> > I would discourage enumeration especially if you're planning on a large
> > domain. The performance right now is not great. Moreover, the way the
> > trusted accounts are retrieved doesn't support enumeration at all
> > either.
> 
> Copy that.  Enumeration is set to true just for testing.  It will be
> disabled later.
> > 
> > > Problem 1:
> > > ========
> > > 
> > > I created a user group on the ipa server  with the following attributes:
> > > 
> > >     name = xyx,  gid = 1000
> > > 
> > > I changed the user "jdoe" to have gid = 1000, but when I ssh into the ipa
> > > client, I get the following message after
> > > logging in:
> > > 
> > > /usr/bin/id: cannot find name for group ID 1000
> > > 
> > > A "getent group" command does list the group:     xyz:*:1000:
> > > 
> > > A "groups" command issued by the user shows:   xyz
> > > 
> > > Files created by the user show the correct ownership and group.
> > I would first try to remove the sssd caches because uid/gid renumbering
> > doesn't work great. If that doesn't help, please check the sssd logs.
> 
> Didn't work, and the logs aren't really being helpful, but I'll dig further.

Feel free to paste some sanitized snippet here.

> 
> > 
> > By the way, 1000 is quite low and would most probably clash with local
> > accounts. I would strongly suggest to stick to ID numbers within the
> > configured ID range (ipa idrange-find)
> > 
> > > Problem 2:
> > > =======
> > > 
> > > I've been looking through the freeipa groups and literature and I can't
> > > figure out how to limit user login access to
> > > an ipa client by a memberOf group.
> > > 
> > > When I was using CentOS 6 and 7 I could use the nslcd.conf file to put in a
> > > group filter like:
> > > 
> > > passwd (&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu))
> > > 
> > > 
> > > I tried changing the access_provider to simple and using the
> > > "simply_allow_groups = test", but that didn't work.
> > > However, using "access_provider = ipa" and "filter_users" did allow me to
> > > filter out a user from the "getent passwd" command.
> > > 
> > > I tried changing the access_provider to ldap and using the filter
> > > "ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu
> > > but that failed too.
> > Please check out "ipa help hbac"
> > 
> I just realized hbac is host based access control.   I can't really use this
> since I need to restrict certain users
> to resources.   Since freeipa is based on directory server 389, I'm assuming
> it can do group / memberOf filtering.

What are the resources we're talking about here?

> 
> Any suggestions would be appreciated.

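The HBAC rule that "ipa help hbac" points at, as an added example rather than anything from the thread: it limits sshd logins on one IPA client to members of one user group, which is the per-host, per-group restriction asked for in Problem 2, and is enforced on the client by sssd's default "access_provider = ipa". Hypothetical names: group "test", client host "client.abc.xyx.edu", rule "allow_test_ssh"; it needs an admin Kerberos ticket (kinit admin) on a host with the ipa CLI.

```shell
#!/bin/sh
# Added example, not from the thread: restrict SSH login on one IPA client to
# members of one user group with an HBAC rule. Assumed names: group "test",
# client host "client.abc.xyx.edu", rule "allow_test_ssh". Needs an admin
# ticket (kinit admin) on a host with the ipa CLI. DRY_RUN=1 prints commands.
set -eu

GROUP="${GROUP:-test}"
HOST="${HOST:-client.abc.xyx.edu}"
RULE="${RULE:-allow_test_ssh}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1 so the plan can be reviewed offline.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Build the rule: who (user group), where (host), what (sshd service).
create_hbac_rule() {
  run ipa hbacrule-add "$RULE"
  run ipa hbacrule-add-user "$RULE" --groups="$GROUP"
  run ipa hbacrule-add-host "$RULE" --hosts="$HOST"
  run ipa hbacrule-add-service "$RULE" --hbacsvcs=sshd
  # While the default allow_all rule is enabled every user still passes HBAC,
  # so the new rule only restricts anything once allow_all is disabled. Add
  # rules covering admins and every other host before doing this.
  run ipa hbacrule-disable allow_all
}

# Ask the server how the rules evaluate for one user before trying a real login.
check_access() {
  run ipa hbactest --user="$1" --host="$HOST" --service=sshd
}

# Dry-run plan for one user; returns the full command stream on stdout.
plan_commands() {
  ( DRY_RUN=1; create_hbac_rule; check_access "$1" )
}

# Only act when a user name is given, e.g. ./restrict_ssh_by_group.sh jdoe
if [ $# -gt 0 ]; then
  create_hbac_rule
  check_access "$1"
fi
```

On the client, `sss_cache -E` flushes the cached HBAC rules so the change applies without waiting for the cache to expire.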