We're using an OpenLDAP server with SSSD for user authentication on CentOS and everything works fine. However, when we try to set up an access filter to restrict login to users of a certain group (linuxgroup), as there are a lot of other users in the OpenLDAP server.

The issue is that in OpenLDAP there is no memberOf attribute. Does anyone know how to make it work to filter on groups in OpenLDAP?

frasertweedale
Daniel

2 Answers


There is indeed a memberOf attribute in OpenLDAP, but you have to enable and configure the 'memberOf' overlay, and you have to do it before you add any members to groups, or else go through the directory and delete and add back every member from every group, so as to populate it the first time. It will maintain itself after that.

Alternatively you can just write a filter that searches the group for the user DN, instead of the other way around.

user207421
  • Thanks. Without being able to modify server settings, how should I write the filter to check whether a user is in a specific group? – Daniel Jun 23 '13 at 23:28
  • It depends on which object you're using for the group, but the filter is something like `(roleOccupant={0})` for `organizationalRole`, or `(uniqueMember={0})` for `groupOfUniqueNames`, where `{0}` is supplied as the user DN. That will give you all the roles/groups the DN is a member of. If you want to search just a single group, either start the search at that DN or specify the DN in the filter: `(&(dn={0})(roleOccupant={1}))` etc. – user207421 Jun 25 '13 at 02:12
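The "search the group for the user DN" approach from this answer, as an added worked example that is not part of the original answer or of any SSSD/OpenLDAP code. It builds the `(uniqueMember=...)` / `(roleOccupant=...)` filters with RFC 4515 escaping of the user DN (an unescaped DN pasted into a filter is an LDAP injection bug, and `*` in it silently turns the equality match into a wildcard), and it checks a single group by starting the search at that group's DN rather than naming the DN inside the filter. The directory contents, DNs and group names are constructed sample data; the tiny `search()` is a stand-in for a real LDAP search (`ldapsearch -b <base> '<filter>' dn`) so the example runs offline.

```python
import re

# RFC 4515: these characters must be hex-escaped when a value is placed in a
# search filter. Everything else in a DN (commas, '=') is fine as-is.
_ESCAPE = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape an attribute value (here: a user DN) for use inside a filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


# Attribute that holds member DNs for each common group object class.
# posixGroup is deliberately absent: memberUid holds uid strings, not DNs,
# so this filter shape does not apply to it.
MEMBER_ATTR = {
    "organizationalRole": "roleOccupant",
    "groupOfUniqueNames": "uniqueMember",
    "groupOfNames": "member",
}


def membership_filter(group_oc, user_dn):
    """Filter matching every group of class group_oc that lists user_dn.

    Searched from the groups base it returns all groups the user is in;
    searched with base=<group DN> it tests one specific group."""
    attr = MEMBER_ATTR[group_oc]  # KeyError for an unsupported class
    return "(&(objectClass=%s)(%s=%s))" % (group_oc, attr, escape_filter_value(user_dn))


# --- minimal offline stand-in for an LDAP server -------------------------

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _match_assertion(entry, attr, raw_value):
    # Like a real server: a bare '*' in the value is a substring wildcard,
    # while an escaped '\2a' is a literal asterisk.
    parts = [re.escape(_unescape(p)) for p in raw_value.split("*")]
    pattern = "^" + ".*".join(parts) + "$"
    return any(re.match(pattern, v, re.IGNORECASE) for v in entry.get(attr, []))


def search(directory, base, filt):
    """Subtree search supporting (a=v) and (&(a=v)(b=w)); returns sorted DNs."""
    assertions = re.findall(r"\(([A-Za-z][\w-]*)=([^()]*)\)", filt)
    hits = []
    for dn, entry in directory.items():
        if not dn.lower().endswith(base.lower()):
            continue
        if all(_match_assertion(entry, a, v) for a, v in assertions):
            hits.append(dn)
    return sorted(hits)


# Constructed sample directory (not real data).
DIRECTORY = {
    "cn=linuxgroup,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=alice,ou=people,dc=example,dc=com",
                         "uid=bob,ou=people,dc=example,dc=com"],
    },
    "cn=dbadmins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=bob,ou=people,dc=example,dc=com"],
    },
    "cn=oncall,ou=groups,dc=example,dc=com": {
        "objectClass": ["organizationalRole"],
        "roleOccupant": ["uid=alice,ou=people,dc=example,dc=com"],
    },
}
GROUPS_BASE = "ou=groups,dc=example,dc=com"


def groups_of(user_dn, group_oc, directory=DIRECTORY):
    """All groups of class group_oc containing user_dn (search from groups base)."""
    return search(directory, GROUPS_BASE, membership_filter(group_oc, user_dn))


def in_group(group_dn, group_oc, user_dn, directory=DIRECTORY):
    """Check one group by using its DN as the search base (no dn= in the filter)."""
    return bool(search(directory, group_dn, membership_filter(group_oc, user_dn)))


if __name__ == "__main__":
    me = "uid=bob,ou=people,dc=example,dc=com"
    print(membership_filter("groupOfUniqueNames", me))
    print(groups_of(me, "groupOfUniqueNames"))
    print(in_group("cn=linuxgroup,ou=groups,dc=example,dc=com", "groupOfUniqueNames", me))
    # Why escaping matters: an attacker-chosen DN with '*' matches everything
    # if it is interpolated raw, but nothing once escaped.
    wild = "uid=*,ou=people,dc=example,dc=com"
    print(search(DIRECTORY, GROUPS_BASE, "(uniqueMember=%s)" % wild))   # raw: 2 hits
    print(groups_of(wild, "groupOfUniqueNames"))                          # escaped: []
```

Against a real server the same filters go straight into `ldapsearch`, e.g. `ldapsearch -x -b ou=groups,dc=example,dc=com '(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=alice,ou=people,dc=example,dc=com))' dn`, and for a single group pass the group's DN as `-b` with `-s base`. Note that this is a client-side group lookup; SSSD's `ldap_access_filter` is evaluated against the user's own entry, so without the memberOf overlay this group search is done by SSSD's group resolution (as the simple access provider in the other answer does), not by that filter.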

Did you have a chance to look at the simple access provider? That's a way simpler (pun!) method of restricting access to a certain group. Simply place these into your sssd.conf file:

access_provider = simple
simple_allow_groups = linuxgroup

Restart SSSD and you should be all set. No need to modify anything on the server side. See `man sssd-simple` for more details.

borrible
jhrozek
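A fuller sssd.conf showing where the two lines from this answer go, added here as an example and not taken from the answer or from the SSSD project. The domain name, LDAP host, base DNs and CA path are assumptions; linuxgroup is the group from the question. The point of the extra lines is that `simple_allow_groups` only works if SSSD can resolve the group's membership, so the schema settings must match how the OpenLDAP groups are actually stored.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = example            ; assumed domain name

[domain/example]
id_provider = ldap
auth_provider = ldap
; Use TLS and pin the CA: the access decision is only as trustworthy as the
; channel the group membership arrives over. Paths/hosts are assumptions.
ldap_uri = ldaps://ldap.example.com
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=people,dc=example,dc=com
ldap_group_search_base = ou=groups,dc=example,dc=com

; rfc2307bis groups carry member DNs, which is how the groups in this
; question are stored. Adjust the two lines below to the group class in use
; (groupOfUniqueNames/uniqueMember shown; groupOfNames would use member).
; For plain posixGroup/memberUid groups use ldap_schema = rfc2307 and drop them.
ldap_schema = rfc2307bis
ldap_group_object_class = groupOfUniqueNames
ldap_group_member = uniqueMember

; Client-side access control: no memberOf overlay on the server is needed.
; Users who are not members of linuxgroup can still resolve via NSS but
; fail the PAM account check, so they cannot log in.
access_provider = simple
simple_allow_groups = linuxgroup
```

sssd.conf must be owned by root with mode 0600 or SSSD refuses to start. After editing, run `systemctl restart sssd` (or `service sssd restart` on older CentOS) and verify with `getent group linuxgroup` that SSSD actually returns the expected members; if it does not, the group lookup settings are wrong and the simple provider will deny everyone.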