I am facing a kind of corner case here; I can't find a solution in the docs, so I'm asking if adding a feature is possible.
I may have misunderstood something in the documentation, or maybe a workaround exists, but I can't find one now, so please tell me if I missed something.
The problem appears because I want to retrieve the user's ssh keys from my ldap directory, AND forbid connection for disabled/locked users (disabled in the ldap), AND only authorize connection for users in particular groups.
To perform the "forbid connection for disabled users" function I use these options:
```ini
[domain/mydomain.local]
access_provider = ldap
# get ssh pubkey attribute when querying
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_access_order = expire
ldap_account_expire_policy = <appropriate value depending on the ldap>
```
But as I use the `ldap` access provider, I can no longer use the `simple` access provider that gives the nice group filtering feature: `simple_allow_groups = group1,group2,group3`
I have to use the `ldap_access_filter` attribute to filter the accounts, but it doesn't support nested groups, which is a problem because I have nested groups.
Proposed solution:
Adding an `ldap_allow_groups` attribute on the `simple_allow_groups` model seems to be the better solution for this (but maybe I'm on the wrong path); I know this means adding the group and user filter features in ldap_access as in the simple_access code, but can we consider this a useful feature?
to check for nested groups. Please see the `ad_access_filter` option in `man sssd-ad` for details (since it is an AD feature it is not mentioned in the general sssd-ldap man page).
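The configuration sketched in the report, extended into an added example (my own, not the issue author's or the SSSD project's) that shows the two ways the pieces above combine: the generic `ldap` access provider with `expire` and `filter` stacked in `ldap_access_order` (which gives a flat, direct-membership group filter only), and, for an Active Directory backend as the reply suggests, the `ad` access provider with an `ad_access_filter` that uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) so nested group membership is resolved by the directory server itself. The domain names, URI, base DNs and group DNs are assumptions for illustration.

```ini
# Added example, not from the issue or the SSSD project. Names, DNs and the
# URI are assumed values; replace them with those of your directory.

# Variant 1: generic LDAP directory. Both checks in ldap_access_order must
# pass: the account must not be expired/locked AND it must match the filter.
[domain/mydomain.local]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ldap.mydomain.local
ldap_search_base = dc=mydomain,dc=local
# ssh public keys, as in the report
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
# the expire check runs first; ldap_access_filter is only evaluated when
# "filter" is present in the order
ldap_access_order = expire, filter
ldap_account_expire_policy = <appropriate value depending on the ldap>
# flat group filter: only DIRECT members of group1 or group2 match;
# members of a group nested inside them are denied
ldap_access_filter = (|(memberOf=cn=group1,ou=groups,dc=mydomain,dc=local)(memberOf=cn=group2,ou=groups,dc=mydomain,dc=local))

# Variant 2: Active Directory. The ad access provider applies its own
# expired/disabled account checks; the matching rule in the filter asks AD to
# walk the memberOf chain, so users in nested groups match as well.
[domain/ad.mydomain.local]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = ad.mydomain.local
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ad_access_filter = (|(memberOf:1.2.840.113556.1.4.1941:=CN=group1,OU=groups,DC=ad,DC=mydomain,DC=local)(memberOf:1.2.840.113556.1.4.1941:=CN=group2,OU=groups,DC=ad,DC=mydomain,DC=local))
```

Pick one of the two domain sections and list it under `domains` in the `[sssd]` section. For the ssh keys to be served, the `ssh` responder must be enabled in `services` and sshd must call `sss_ssh_authorizedkeys` through `AuthorizedKeysCommand`. After a change to either filter, check the decision rather than assuming it: `sssctl user-checks <user>` (or a login attempt in a test session) shows whether the access check passes, and the domain log at `debug_level` 6 or higher records the filter that was sent to the server.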
Recognizing the importance of addressing enhancements, bugs, and issues for the SSSD project's quality and reliability, we also need to consider our long-term goals and resource constraints.
After thoughtful consideration, regrettably, we are unable to address this request at this time. To avoid any misconception, we're closing it; however, we encourage continued collaboration and contributions from anyone interested.
We apologize for any inconvenience and appreciate your understanding of our resource limitations. While you're welcome to open a new issue (or reopen this one), immediate attention may not be guaranteed due to competing priorities.
Thank you once again for sharing your feedback. We look forward to ongoing collaboration to deliver the best possible solutions, supporting in any way we can.