On Thu, 28 Apr 2016 13:12:56 +0000
"Kalchik, Jeffery" <JDKalchik@xxxxxxxxxxxxxx> wrote:

> Good morning.
>
> It might be enlightening to define "a lot of machines." I have ~300
> clients tied to a 3 node 389-ds cluster, with a few hundred accounts.
>
> I've built access restrictions here on the basis of hostname and
> NSRole definitions. For Linux hosts using sssd, I have a filter
> expression in ldap_user_search_base that ends up something like:
>
> ldap_user_search_base =
> ou=OU,dc=fq,dc=dn?sub?|(host=hostname)(nsrole=cn=Role1,ou=OU,dc=fq,dc=cn)...
>
> I use a similar expression in /etc/ldap.conf for earlier versions,
> using nss_base_passwd (there is a difference in syntax.) As a side
> note, I'd started a few years back with the pam_filter call, and
> discovered that I was overrunning a buffer. My Linux kickstarts
> build these expressions for me automatically, and I've got scripts
> set up to extend as necessary. Similar filters work for both AIX and
> HP-UX.

Can you give me some ldap.conf example to filter logins? I have RedHat 5.x
machines that don't use sssd, so I need other ways to perform login
restrictions.

> adduser? Unless I'm missing something completely, that's only for
> local accounts.

Yes, of course. I wrote that in answer to the simple_allow_users suggestion.

> Jeff Kalchik
> Systems Engineering
> Land O'Lakes
>
> -----Original Message-----
> From: Enrico Morelli [mailto:morelli@xxxxxxxxxxxxx]
> Sent: Thursday, April 28, 2016 4:07 AM
> To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> Subject: [389-users] Re: Login restrictions
>
> On Wed, 27 Apr 2016 17:44:22 -0000
> "Lukas Slebodnik" <lslebodn@xxxxxxxxxxxxxxxxx> wrote:
>
> > > Is it possible to restrict login only to those bound to a
> > > determined group?
> > >
> > > I tried to use the following lines in sssd.conf but it doesn't work:
> > >
> > > access_provider = ldap
> > > ldap_access_order = filter
> > > ldap_access_filter = (gidNumber=900)
> >
> > I think it might be simpler to use access_provider simple @see man
> > sssd-simple
> >
> > [domain/example.com]
> > access_provider = simple
> > simple_allow_users = user1, user2
>
> Could be, but I think I would lose the LDAP benefit. I have a lot of
> machines, and to avoid creating/removing users on each machine I
> installed 389ds. So if I have to add/remove users in
> simple_allow_users on each machine, I can continue to use adduser. Or
> not?

--
-------------------------------------------------------------
Enrico Morelli
System Administrator | Programmer | Web Developer

CERM - Polo Scientifico
Via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
phone: +39 055 457 4269
fax: +39 055 457 4927
-------------------------------------------------------------
--
389-users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
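Editor's added example (not from any participant in this thread) of the two approaches discussed above: a group-based ldap_access_filter for sssd hosts, and the base?scope?filter form of ldap_user_search_base / nss_base_passwd that Jeff describes, written out for a RHEL 5 /etc/ldap.conf as well. All DNs, hostnames and the group name are assumptions; the nss_ldap filter syntax is taken from the PADL ldap.conf format and should be checked against the local nss_ldap version.

```ini
# /etc/sssd/sssd.conf (hosts running sssd)
[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldap.example.com/
ldap_search_base = dc=example,dc=com
access_provider = ldap
ldap_access_order = filter
# (gidNumber=900) only matches accounts whose *primary* gid is 900.
# To allow every member of a group, match on memberOf instead; this
# assumes the 389-ds MemberOf plugin maintains the attribute and that
# the group cn=login-hosts exists (both assumptions for this example).
ldap_access_filter = (memberOf=cn=login-hosts,ou=Groups,dc=example,dc=com)

# Alternative in the style of Jeff's post: put the restriction on the
# search base itself (base?scope?filter). Accounts that do not match are
# never resolved at all, so they disappear from id/getent, not only from
# login; decide whether that is what you want.
# ldap_user_search_base = ou=People,dc=example,dc=com?sub?(|(host=web01.example.com)(nsrole=cn=Role1,ou=People,dc=example,dc=com))

# /etc/ldap.conf (nss_ldap / pam_ldap, e.g. RHEL 5 without sssd)
# uri ldap://ldap.example.com/
# base dc=example,dc=com
# ssl start_tls
# Same base?scope?filter idea for the passwd map (syntax differs from sssd):
# nss_base_passwd ou=People,dc=example,dc=com?sub?(|(host=web01.example.com)(nsrole=cn=Role1,ou=People,dc=example,dc=com))
# pam_ldap check at authentication time: require membership in one group.
# Keep any pam_filter short; Jeff reports overrunning a buffer with a long one.
# pam_groupdn cn=login-hosts,ou=Groups,dc=example,dc=com
# pam_member_attribute member
```

After changing either file, verify with `id someuser` (resolution) and a real login attempt on one host before rolling the filter out via kickstart, since a search-base filter and an access filter fail in different places.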