[prev in list] [next in list] [prev in thread] [next in thread] 

List:       sssd-users
Subject:    =?utf-8?q?=5BSSSD-users=5D?= ad_access_filter question
From:       "Conwell, Nik" <nik () bu ! edu>
Date:       2017-11-22 19:56:57
Message-ID: B4D180EF-3AC2-4745-9B57-BE88AC7E2436 () contoso ! com


Hi all, I'm jumping in to using sssd-ad here at BU.  I'm able to domain join a CentOS7 and pull our AD entries successfully but am having troubles with ad_access_filter to restrict access to a group.

Due to FERPA restrictions here, we can't query memberOf for random people via a machine account, so things like:

ad_access_filter = (memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah)

won't work.  I see from debug level 7 that this translates into a query like:

(&(sAMAccountName=nik)(objectclass=user)(memberOf=CN=group-of-admins,OU=Groups,OU=XYZ,DC=blah,DC=blah,DC=blah))


I've verified independently with ldapsearch that if I do this under the machine account, I don't get anything back.  Note that if this query was done in the context of the user just logging in ("nik") then it would work since I have the privs to see my own memberOf.  But, I think (I guess) that the query is being done by SSSD-AD as the machine account.

I've also played around with doing a filter like "(&(objectCategory=group)(CN=group-of-admins))" which does actually return a list of "member:" entries for an ldapsearch when using the machine account privs.  However, if I plug this into ad_access_filter, it's not allowing access, I think because of the (&sAMAccountName=…) being a query of a user object whereas the group query is a group object and the filter isn't being satisfied.  From looking at the code I think it's not designed to handle being returned an object which has a list of "member:" entries and looking for the user in that list.  SMOP I guess :)

So, misc blathering aside, does anybody have any suggestions on how I should go about restricting access to groups in cases where machine accounts aren't allowed access to the memberOf information for users?  Is there a way to get it via a group filter, or should/could the memberOf query be done under the context and privs of the user accessing it?  (I guess that would have implications on caching though…)

Any ideas or suggestions which direction I should go with this?  Thanks in advance.

Nik Conwell
Boston University
nik@bu.edu<mailto:nik@bu.edu>
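Added worked example (not SSSD's code, and not part of the post above): a small in-memory model of the two approaches Nik describes. It parses a subset of LDAP filter syntax, composes the access query in the shape the debug level 7 output shows, and applies a constructed read-ACL in which memberOf on a user object is visible only to that user, so a machine-account bind sees nothing for the memberOf filter while a group-side lookup of the group's member values still works. The directory contents, the user DNs (CN=nik,OU=People,... and CN=bob,...), the machine account name HOST$ and the ACL rule are all assumptions made for the example; the base DN and the group DN are taken from the debug line in the post.

```python
"""Toy model of evaluating an sssd ad_access_filter under different bind identities.
Added example for this thread; not SSSD code.  Directory contents, user DNs,
the HOST$ machine account and the read-ACL rule are constructed assumptions."""


def parse_filter(text):
    """Parse a subset of RFC 4515 filter syntax: (&...), (|...), (!...), (attr=value).
    Values may contain '=' (needed for DNs in memberOf); ')' inside a value is unsupported."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if text[i] in "&|":
            op, i, children = text[i], i + 1, []
            while text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return (op, children), i + 1
        if text[i] == "!":
            node, i = parse(i + 1)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return ("!", [node]), i + 1
        end = text.index(")", i)
        attr, _, value = text[i:end].partition("=")   # split on the FIRST '=' only
        return ("=", attr.strip().lower(), value.strip()), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attrs are dicts of lowercase
    name -> list of values); comparisons are case-insensitive, as AD does for
    sAMAccountName and DN-valued attributes."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def visible(entry, bind_as):
    """Constructed read-ACL (assumption): memberOf on a user object is readable only
    by that user itself, so any other bind (e.g. the machine account) sees the user
    object without it.  Group objects and their 'member' values are readable by all."""
    classes = [c.lower() for c in entry.get("objectclass", [])]
    if "user" in classes and entry["samaccountname"][0].lower() != bind_as.lower():
        return {k: v for k, v in entry.items() if k != "memberof"}
    return entry


def search(directory, bind_as, filter_text):
    """Return the DNs of entries matching filter_text, as seen by bind_as."""
    node = parse_filter(filter_text)
    return [dn for dn, e in directory.items() if matches(node, visible(e, bind_as))]


def compose_access_filter(user, ad_access_filter):
    """The query shape the debug level 7 output in the post shows for ad_access_filter."""
    return f"(&(sAMAccountName={user})(objectclass=user){ad_access_filter})"


def access_via_memberof(directory, bind_as, user, ad_access_filter):
    """memberOf-style check: the composed filter must match the user's own object."""
    return bool(search(directory, bind_as, compose_access_filter(user, ad_access_filter)))


def access_via_group_member(directory, bind_as, user, group_dn):
    """Group-side check: read the group object and look for the user's DN in 'member'.
    Direct members only; nested groups would need recursive expansion."""
    user_dns = search(directory, bind_as, f"(&(sAMAccountName={user})(objectclass=user))")
    groups = search(directory, bind_as, f"(&(objectCategory=group)(distinguishedName={group_dn}))")
    if not user_dns or not groups:
        return False
    members = {m.lower() for m in directory[groups[0]].get("member", [])}
    return user_dns[0].lower() in members


BASE = "DC=blah,DC=blah,DC=blah"                            # from the post
GROUP_DN = f"CN=group-of-admins,OU=Groups,OU=XYZ,{BASE}"    # from the debug line in the post
NIK_DN = f"CN=nik,OU=People,{BASE}"                        # assumed
BOB_DN = f"CN=bob,OU=People,{BASE}"                        # assumed
MACHINE = "HOST$"                                          # assumed machine account name
AD_ACCESS_FILTER = f"(memberOf={GROUP_DN})"

DIRECTORY = {  # constructed sample directory
    GROUP_DN: {"distinguishedname": [GROUP_DN], "cn": ["group-of-admins"],
               "objectclass": ["top", "group"], "objectcategory": ["group"], "member": [NIK_DN]},
    NIK_DN: {"distinguishedname": [NIK_DN], "samaccountname": ["nik"],
             "objectclass": ["top", "person", "user"], "memberof": [GROUP_DN]},
    BOB_DN: {"distinguishedname": [BOB_DN], "samaccountname": ["bob"],
             "objectclass": ["top", "person", "user"], "memberof": []},
}

if __name__ == "__main__":
    print("composed:", compose_access_filter("nik", AD_ACCESS_FILTER))
    print("memberOf as machine:", access_via_memberof(DIRECTORY, MACHINE, "nik", AD_ACCESS_FILTER))
    print("memberOf as nik:    ", access_via_memberof(DIRECTORY, "nik", "nik", AD_ACCESS_FILTER))
    print("group member as machine (nik):", access_via_group_member(DIRECTORY, MACHINE, "nik", GROUP_DN))
    print("group member as machine (bob):", access_via_group_member(DIRECTORY, MACHINE, "bob", GROUP_DN))
```

Under the constructed ACL the memberOf filter only matches when the bind identity is the user itself, which mirrors what the ldapsearch experiment in the post showed, while the group-side lookup succeeds under the machine account because the group's member attribute stays readable. The group-side function compares only direct members; nested group membership would need recursive expansion, and the model ignores escaping and the real AD objectCategory DN form.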

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
