PDA

View Full Version : SLES 12 restrict sssd pam by LDAP group



swadm
25-Nov-2015, 14:04
SLES12 has changed the LDAP client integration a lot, as we can read in https://forums.suse.com/showthread.php?5793-SLE-12-and-LDAP-Authentication.

We have a SLES11 system that restricts access by LDAP group through an pam_groupdn definition in /etc/ldap.conf.

/etc/ldap.conf is not present in SLES12, and I wonder how we can implement LDAP group restrictions with sssd.

I tried the following in the domain definition of /etc/sssd/sssd.conf


[pam] |
[domain/mydomain]
ldap_access_filter = memberOf=cn=...


Unfortunately, this filter does not seem to be effective.

The filter_groups statement in the [nss] section only allows to exclude groups to my knowledge, we are looking for a way to include / permit only a few groups.

Regards, Thomas

jmozdzen
27-Nov-2015, 13:26
Hi Thomas,

> ldap_access_filter = memberOf=cn=...
> Unfortunately, this filter does not seem to be effective.

does your LDAP server support "memberOf"? If you're running OpenLDAP, you need the according overlay active and need to have all group memberships updated for the users in question: "The memberof overlay updates an attribute (by default memberOf) whenever changes occur to the membership attribute (by default member) of entries of the objectclass (by default groupOfNames) configured to trigger updates."

Also, you'll have to have "access_provider = ldap" active in your [domain/ldap] section.

Regards,
Jens

swadm
17-Dec-2015, 10:53
Hi Thomas,

> ldap_access_filter = memberOf=cn=...
> Unfortunately, this filter does not seem to be effective.

does your LDAP server support "memberOf"? If you're running OpenLDAP, you need the according overlay active and need to have all group memberships updated for the users in question: "The memberof overlay updates an attribute (by default memberOf) whenever changes occur to the membership attribute (by default member) of entries of the objectclass (by default groupOfNames) configured to trigger updates."

Also, you'll have to have "access_provider = ldap" active in your [domain/ldap] section.

Regards,
Jens

Jens, thanks for this hint.

Seems we are stuck, as we use posixgroup, and that does not seem to work (http://www.openldap.org/lists/openldap-technical/200909/msg00188.html) with memberof overlay.

Do you have other information?

Thanks, Thomas

jmozdzen
17-Dec-2015, 13:02
Hi Thomas,

while I have absolutely no information on the current implementation status - have you actually tried to use it and received that error response, or are you judging only by that 6 years old message? ;)

Regards,
Jens

swadm
17-Dec-2015, 14:04
Jens, yes I tried it. and was unable to start the OpenLDAP daemon at all:


myhost:/etc/openldap # tail -3 slapd.conf
overlay memberof
memberof-group-oc posixgroup
memberof-member-ad memberUid
myhost:/etc/openldap # service ldap restart
Shutting down ldap-server..done
Starting ldap-serverstartproc: exit status of parent of /usr/lib/openldap/slapd: 1
..failed
myhost:/etc/openldap # tail /var/log/localmessages
Dec 17 14:03:20 myhost slapd[8822]: ==> ppolicy_cf_default
Dec 17 14:03:20 myhost slapd[8822]: ==> ppolicy_cf_default add
Dec 17 14:03:20 myhost slapd[8822]: line 212 (ppolicy_hash_cleartext)
Dec 17 14:03:20 myhost slapd[8822]: line 216 (overlay memberof)
Dec 17 14:03:20 myhost slapd[8822]: line 217 (memberof-group-oc posixgroup)
Dec 17 14:03:20 myhost slapd[8822]: line 218 (memberof-member-ad memberUid)
Dec 17 14:03:20 myhost slapd[8822]: /etc/openldap/slapd.conf: line 218: member attribute="memberUid" must either have DN (1.3.6.1.4.1.1466.115.121.1.12) or nameUID (1.3.6.1.4.1.1466.115.121.1.34) syntax.
Dec 17 14:03:20 myhost slapd[8822]: slapd destroy: freeing system resources.
Dec 17 14:03:20 myhost slapd[8822]: slapd stopped.
Dec 17 14:03:20 myhost slapd[8822]: connections_destroy: nothing to destroy.
myhost:/etc/openldap #

jmozdzen
17-Dec-2015, 14:18
Hi Thomas,

> member attribute="memberUid" must either have DN (1.3.6.1.4.1.1466.115.121.1.12) or nameUID (1.3.6.1.4.1.1466.115.121.1.34) syntax.

so unfortunately nothing has changed in all those years :(

Seems you're out of luck, but if by chance you happen to find some solution to this, I'd really be interested to learn about it!

Regards,
Jens

hangarbait
16-Jun-2016, 02:56
Thomas,
I don't have an openLDAP instance accessible at the moment to test against but perhaps try this:

Use the ldapsearch utility (part of the openldap-clients package) and search for one of your users needing access using an admin user with all rights to get the full set of attributes and values returned.

Determine which attribute will work in your case (member, memberOf, posixGroup, groupOfNames, etc) and implement the LDAP access provider using the selected attribute:

access_provider = ldap
ldap_access_filter = <SELECTED_ATTRIBUTE>=cn=<GROUP_NAME>,ou=LDAP,dc=dvc,dc=darkvixen,dc=com

The LDAP dn is an example obviously.


-- lawrence