10.2.5. Configuring Access Control for SSSD Domains
SSSD provides a rudimentary access control for domain configuration, allowing either simple user allow/deny lists or using the LDAP backend itself.
10.2.5.1. Using the Simple Access Provider
The Simple Access Provider allows or denies access based on a list of usernames or groups.
The Simple Access Provider is a way to restrict access to certain, specific machines. For example, if a company uses laptops, the Simple Access Provider can be used to restrict access to only a specific user or a specific group, even if a different user authenticated successfully against the same authentication provider.
The most common options are simple_allow_users and simple_allow_groups, which grant access explicitly to specific users (either the given users or group members) and deny access to everyone else. It is also possible to create deny lists (which deny access only to explicit people and implicitly allow everyone else access).
The Simple Access Provider adheres to the following three rules to determine which users should or should not be granted access:
If both the allow and deny lists are empty, access is granted.
If simple_allow_users|groups is set, only users from this list are allowed access. This setting supersedes the simple_deny_users list.
If the simple_allow_users|groups list is empty, users are allowed access unless they appear in the simple_deny_users list.
Defining both simple_allow_users|groups and simple_deny_users|groups is a configuration error. If this occurs, SSSD will output an error to the /var/log/sssd/sssd_default.log log file when loading the backend, but continue to start normally.
For example, this grants access to two users and anyone who belongs to the IT group; implicitly, all other users are denied.
[domain/example.com]
access_provider = simple
simple_allow_users = jsmith,bjensen
simple_allow_groups = itgroup
The LOCAL domain in SSSD does not support simple as an access provider.
Other options are listed in the sssd-simple man page, but these are rarely used.
10.2.5.2. Using the LDAP Access Provider
The LDAP server itself can provide the access control rules. The associated filter option (ldap_access_filter) specifies which users are granted access to the specified host. The user filter must be used or all users are denied access.
For example:
[domain/example.com]
access_provider = ldap
ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
Offline caching for LDAP access providers is limited to determining whether the user's last online login attempt was successful. Users that were granted access during their last login will continue to be granted access while offline.
