5.6. Configuring SSSD to Apply an LDAP Access Filter
When the access_provider option is set in /etc/sssd/sssd.conf, SSSD uses the specified access provider to evaluate which users are granted access to the system. If the access provider you are using is an extension of the LDAP provider type, you can also specify an LDAP access control filter that a user must match to be allowed access to the system.
For example, when using the Active Directory (AD) server as the access provider, you can restrict access to the Linux system to specified AD users only. All other users, who do not match the specified filter, are denied access.
The access filter is applied on the LDAP user entry only. Therefore, using this type of access control on nested groups might not work. To apply access control on nested groups, see Configuring simple Access Provider Rules.
When using offline caching, SSSD checks if the user’s most recent online login attempt was successful. Users who logged in successfully during the most recent online login will still be able to log in offline, even if they do not match the access filter.
Prerequisites
- root access
Procedure
- Open the /etc/sssd/sssd.conf file. In the [domain] section, specify the LDAP access control filter.
  - For an LDAP access provider, use the ldap_access_filter option. See the sssd-ldap(5) man page for details.
  - For an AD access provider, use the ad_access_filter option. See the sssd-ad(5) man page for details.

Example 5.4. Allowing access to specific AD users
For example, to allow access only to AD users who belong to the admins user group and have a unixHomeDirectory attribute set, use:

    [domain/your-AD-domain-name]
    access_provider = ad
    [... file truncated ...]
    ad_access_filter = (&(memberOf=cn=admins,ou=groups,dc=example,dc=com)(unixHomeDirectory=*))
SSSD can also check results by the authorizedService or host attribute in an entry. In fact, all options (the LDAP filter, authorizedService, and host) can be evaluated, depending on the user entry and the configuration. The ldap_access_order parameter lists all access control methods to use, in the order in which they should be evaluated.

    [domain/example.com]
    access_provider = ldap
    ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
    ldap_access_order = filter, host, authorized_service
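The following Python script is an added example, not part of this document and not SSSD's own code. It shows how the options above combine: a small RFC 4515 filter evaluator (supporting &, |, !, equality and presence, which covers both the AD example in Example 5.4 and the bare memberOf= form above) is run against constructed user entries, and the methods named in ldap_access_order are then applied in sequence. The sssd.conf fragment, the domain, the DNs, the hostname web01 and the user entries are all constructed. The host and authorized_service checks use assumed, simplified semantics modelled on the sssd-ldap(5) description (an explicit "!value" deny wins, then an explicit allow, then "*", otherwise deny), and attribute names are looked up with exact case, unlike a real LDAP server.

```python
import configparser

# Constructed sssd.conf fragment; the domain and DNs are placeholders.
SSSD_CONF = """
[domain/example.com]
access_provider = ldap
ldap_access_filter = (&(memberOf=cn=admins,ou=Groups,dc=example,dc=com)(unixHomeDirectory=*))
ldap_access_order = filter, host, authorized_service
"""

# Constructed user entries shaped like LDAP search results (attribute -> values).
# Attribute names are matched with exact case here; real LDAP is case-insensitive.
USERS = {
    "alice": {"uid": ["alice"], "unixHomeDirectory": ["/home/alice"],
              "memberOf": ["cn=admins,ou=Groups,dc=example,dc=com"],
              "host": ["*"], "authorizedService": ["sshd", "!login"]},
    # only in cn=ops: even if cn=ops were nested inside cn=admins, memberOf on
    # the user entry lists direct groups only, so the filter does not match
    "bob": {"uid": ["bob"], "unixHomeDirectory": ["/home/bob"],
            "memberOf": ["cn=ops,ou=Groups,dc=example,dc=com"],
            "host": ["*"], "authorizedService": ["*"]},
    # passes the filter but carries an explicit deny for host web01
    "carol": {"uid": ["carol"], "unixHomeDirectory": ["/home/carol"],
              "memberOf": ["cn=admins,ou=Groups,dc=example,dc=com"],
              "host": ["!web01", "*"], "authorizedService": ["*"]},
}

def parse_filter(text):
    """Parse an RFC 4515-style filter (&, |, !, equality, presence) into a tree."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data in filter: %r" % text[end:])
    return node

def _parse(s, i):
    if s[i] != "(":          # bare attr=value form, as in the ldap_access_filter example
        return _leaf(s[i:]), len(s)
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
    elif s[i] == "!":
        child, i = _parse(s, i + 1)
        op, children = "!", [child]
    else:
        close = s.index(")", i)
        return _leaf(s[i:close]), close + 1
    if s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return (op, children), i + 1

def _leaf(item):
    attr, sep, value = item.partition("=")
    if not sep:
        raise ValueError("unsupported filter item: %r" % item)
    return ("present", attr) if value == "*" else ("eq", attr, value)

def matches(node, entry):
    """True if the user entry satisfies the parsed filter (values compared case-insensitively)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1], [])
    if kind == "present":
        return bool(values)
    return node[2].lower() in [v.lower() for v in values]

def _allow_list(values, wanted):
    """Assumed semantics after sssd-ldap(5): "!x" deny wins, then allow, then "*"; else deny."""
    lowered = [v.lower() for v in values]
    if "!" + wanted.lower() in lowered:
        return False
    return wanted.lower() in lowered or "*" in lowered

def check_access(conf_text, domain, entry, hostname, service):
    """Walk ldap_access_order in order; return (allowed, failing method or note)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    sect = cfg["domain/" + domain]
    order = [m.strip() for m in sect.get("ldap_access_order", "filter").split(",")]
    tree = parse_filter(sect["ldap_access_filter"])
    for method in order:
        if method == "filter":
            ok = matches(tree, entry)
        elif method == "host":
            ok = _allow_list(entry.get("host", []), hostname)
        elif method == "authorized_service":
            ok = _allow_list(entry.get("authorizedService", []), service)
        else:
            raise ValueError("unsupported ldap_access_order method: " + method)
        if not ok:
            return False, method      # the first failing method denies access
    return True, "all methods passed"
```

Calling check_access(SSSD_CONF, "example.com", USERS["bob"], "web01", "sshd") returns (False, "filter") even though the constructed scenario has cn=ops nested inside cn=admins, which is the nested-group limitation noted above; carol passes the filter but is stopped at the host step, which is what the ordering in ldap_access_order determines.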
Additional resources
- The sssd-ldap(5) man page