30.5. Configuring Access Control for SSSD Domains


SSSD provides a rudimentary access control for domain configuration, allowing either simple user allow/deny lists or using the LDAP backend itself.

30.5.1. Using the Simple Access Provider

The Simple Access Provider allows or denies access based on a list of usernames or groups.
The Simple Access Provider is a way to restrict access to certain, specific machines. For example, if a company uses laptops, the Simple Access Provider can be used to restrict access to only a specific user or a specific group, even if a different user authenticated successfully against the same authentication provider.
The most common options are simple_allow_users and simple_allow_groups, which grant access explicitly to specific users (either the given users or group members) and deny access to everyone else. It is also possible to create deny lists (which deny access only to explicit people and implicitly allow everyone else access).
The Simple Access Provider adheres to the following four rules to determine which users should or should not be granted access:
  • If both the allow and deny lists are empty, access is granted.
  • If any list is provided, allow rules are evaluated first, and then deny rules. Practically, this means that deny rules supersede allow rules.
  • If an allowed list is provided, then all users are denied access unless they are in the list.
  • If only deny lists are provided, then all users are allowed access unless they are in the list.
This example grants access to two users and anyone who belongs to the IT group; implicitly, all other users are denied.
[domain/example.com]
access_provider = simple
simple_allow_users = jsmith,bjensen
simple_allow_groups = itgroup

Note

The LOCAL domain in SSSD does not support simple as an access provider.
Other options are listed in the sssd-simple man page, but these are rarely used.
Red Hat logoGithubRedditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez leBlog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

© 2024 Red Hat, Inc.