
ldap provider: add nested groups filter (compatibility with ldap_account_expire_policy) #5421

Closed
lazouz opened this issue Nov 30, 2020 · 3 comments

Comments

@lazouz

lazouz commented Nov 30, 2020

Hello,

I am facing a kind of corner case here; I can't find a solution in the docs, so I'm asking whether adding a feature is possible.
I may have misunderstood something in the documentation, or maybe a workaround exists, but I can't find one now, so please tell me if I missed something.

The problem appears because I want to retrieve the user's SSH keys from my LDAP directory, AND forbid connection for disabled/locked users (disabled in the LDAP), AND only authorize connection for users in particular groups.

To perform the "forbid connection for disabled users" function I use these options:

[domain/mydomain.local]
access_provider = ldap
# get ssh pubkey attribute when querying
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_access_order = expire
ldap_account_expire_policy = <appropriate value depending the ldap>

But as I use the ldap access provider, I can no longer use the simple access provider that gives the nice group filtering feature:
simple_allow_groups = group1,group2,group3
I have to use the ldap_access_filter attribute to filter the accounts, but it doesn't support nested groups, which is a problem because I have nested groups.

Proposed solution:
Adding an ldap_allow_groups attribute on the simple_allow_groups model seems to be the better solution for this (but maybe I'm on the wrong path); I know this means adding the group and user filter features in ldap_access as in the simple_access code, but can we consider this a useful feature?

@sumit-bose
Contributor

Hi,

it looks like you are using Active Directory, where you can use filters like, e.g.,

(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)

to check for nested groups. Please see the ad_access_filter option in man sssd-ad for details (since it is an AD feature it is not mentioned in the general sssd-ldap man page).

HTH

bye,
Sumit
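As an added example (not from the issue or the SSSD project), this is one way to combine the expiry check from the original post with the nested-group filter Sumit describes on an AD backend: the domain name, the group DN, the choice of access_provider = ad and the explicit ldap_access_order are assumptions.

```ini
[domain/example.com]
; assumed: AD backend, so the server can evaluate the in-chain matching rule
id_provider = ad
access_provider = ad

; SSH public keys from the directory, as in the original post
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities

; refuse disabled/expired accounts using AD account semantics
ldap_account_expire_policy = ad

; assumed explicit order: a user must pass BOTH the filter and the expiry check
ldap_access_order = filter, expire

; server-side recursive membership match (OID 1.2.840.113556.1.4.1941);
; the group DN is a placeholder
ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)
```

A user who is disabled but still a member of the group, or enabled but outside the nested group tree, is denied by one of the two checks, which is the combination the original post asked for.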

@lazouz
Author

lazouz commented Nov 30, 2020

Hi,

If I understand correctly, this workaround works only with an Active Directory? How can I do this with an OpenLDAP directory?

@andreboscatto
Contributor

Dear Contributor/User,

Recognizing the importance of addressing enhancements, bugs, and issues for the SSSD project's quality and reliability, we also need to consider our long-term goals and resource constraints.

After thoughtful consideration, regrettably, we are unable to address this request at this time. To avoid any misconception, we're closing it; however, we encourage continued collaboration and contributions from anyone interested.

We apologize for any inconvenience and appreciate your understanding of our resource limitations. While you're welcome to open a new issue (or reopen this one), immediate attention may not be guaranteed due to competing priorities.

Thank you once again for sharing your feedback. We look forward to ongoing collaboration to deliver the best possible solutions, supporting in any way we can.

Best regards,
André Boscatto

@andreboscatto closed this as not planned on Nov 20, 2023