<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<pre>man page for sssd-ldap will provide the filter information, but
basically ...
</pre>
<div class="moz-text-flowed" style="font-family: -moz-fixed;
font-size: 12px;" lang="x-western">
<br>
ldap_user_search_base (string)
<br>
An optional base DN to restrict user searches to a
specific subtree.
<br>
<br>
Default: the value of ldap_search_base
<br>
<br>
ldap_group_search_base (string)
<br>
An optional base DN to restrict group searches to a
specific subtree.
<br>
<br>
Default: the value of ldap_search_base
<br>
<br>
ldap_access_filter (string)
<br>
If using access_provider = ldap, this option is
mandatory. It specifies an LDAP search filter criteria that must
be met for the user to be granted access on this host. If
access_provider = ldap and this option is not set, it will result
in all users being denied access. Use access_provider =
allow to change this default behavior.
<br>
<br>
Example:
<br>
<br>
access_provider = ldap
<br>
ldap_access_filter =
memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
<br>
<br>
This example means that access to this host is
restricted to members of the "allowedusers" group in ldap.
<br>
<br>
Offline caching for this feature is limited to
determining whether the user's last online login was granted
access permission. If they were granted access during their
last login, they will continue to be granted access while offline
and vice-versa.
<br>
<br>
Default: Empty
<br>
<br>
See the sssd-ldap(5) manual page for more details.
<br>
<br>
<pre class="moz-signature" cols="72">Mike Khusid
Product Manager
Red Hat Enterprise Linux</pre>
<br>
<br>
-------- Original Message --------
<br>
</div>
On 10/12/2010 09:31 AM, Don Hoover wrote:
<blockquote cite="mid:333479.28483.qm@web65501.mail.ac4.yahoo.com"
type="cite">
<pre wrap="">I am looking at possibly using the new SSSD functionality to replace our existing LDAP configurations and so far it seems like its not 'quite' fully baked.
Right now I have migrated our old RHEL5 /etc/ldap.conf LDAP client configuration to the new nslcd.conf and pam_ldap.conf in RHEL6 without too much trouble.
I am now looking at the new SSSD functionality since I used to use pam_ccred to do credential caching in RHEL5 for disconnected logins, but that is no longer available in RHEL6.
But I have a question about SSSD LDAP configuration that I can't seem to figure out.
Specifically, does SSSD support filtering of passwd/shadow/etc. like nss_ldap does?
Example, we control access to each of our systems by adding filters to the nss_ldap/nslcd configuration like this that limit only certain groups of users to login:
nslcd (RHEL6 nss):
filter passwd (|(gidNumber=9001)(ou=sysadmins))
filter shadow (|(gidNumber=9001)(ou=sysadmins))
nss ldap.conf (RHEL5 nss):
nss_base_passwd ou=People,o=ourcompany?one?|(gidNumber=9001)(ou=sysadmins)
nss_base_shadow ou=People,o=ourcompany?one?|(gidNumber=9001)(ou=sysadmins)
From what I can see SSSD only supports setting the base filter:
eg: ou=People,o=ourcompany and there is no way to further filter out the results returned from the ldap server, so every new user in our directory is suddenly a valid user on that system.
I know the project is pretty much an infant and it's still growing, but right now does anyone see any way to keep SSSD from just blindly returning every user account?
_______________________________________________
rhelv6-beta-list mailing list
<a class="moz-txt-link-abbreviated" href="mailto:rhelv6-beta-list@redhat.com">rhelv6-beta-list@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/rhelv6-beta-list">https://www.redhat.com/mailman/listinfo/rhelv6-beta-list</a>
</pre>
</blockquote>
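As an added worked example (not part of either message above, and not from the SSSD project's own documentation), the sssd.conf fragment below carries Don's nslcd <code>filter passwd</code> rule over to the <code>access_provider = ldap</code> / <code>ldap_access_filter</code> approach Mike points to. The search base and the filter are the ones from the thread; the domain name, <code>ldap_uri</code> and the TLS settings are assumptions and must be replaced with the real directory details.

```ini
; /etc/sssd/sssd.conf (added example; values marked "assumed" are placeholders)
[sssd]
config_file_version = 2
services = nss, pam
domains = ourcompany

[domain/ourcompany]
id_provider = ldap
auth_provider = ldap
; Identity lookups are NOT filtered: every entry under ldap_search_base
; is still resolvable through NSS (getent passwd), which is the behaviour
; Don observed. The restriction is enforced at PAM account time instead.
ldap_uri = ldaps://ldap.ourcompany.example    ; assumed
ldap_search_base = ou=People,o=ourcompany

; Login restriction: only users whose LDAP entry matches this filter are
; granted access on this host; everyone else is denied even though their
; account resolves. This is the former nslcd "filter passwd" expression.
access_provider = ldap
ldap_access_filter = (|(gidNumber=9001)(ou=sysadmins))

; Offline behaviour (see the man page text quoted above): while the
; directory is unreachable SSSD reuses the result of the user's last
; online login, so a user removed from the group keeps access on a
; disconnected host until the next successful online login.
cache_credentials = true

; TLS settings (assumed paths); keep certificate verification on so the
; access decision is made against the real directory.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
```

The practical difference from the nss_ldap configuration is worth checking after deployment: <code>getent passwd someuser</code> will still succeed for a user outside the filter, but <code>su - someuser</code> or an ssh login for that user should be refused by the PAM account phase. If <code>access_provider = ldap</code> is set without <code>ldap_access_filter</code>, the man page text above says all users are denied, so a missing or mistyped filter shows up as a total lockout rather than as an open host.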
<br>
</body>
</html>