Skip to main content

Access Filter in SSSD `ldap_access_filter` [SSSD Access denied / Permission denied ]

Access Filter Setup with SSSD

ldap_access_filter (string)
If using access_provider = ldap, this option is mandatory. It specifies an LDAP search filter criteria that must be met for the user to be granted access on this host. If access_provider = ldap and this option is not set, it will result in all users being denied access. Use access_provider = allow to change this default behaviour.
Example:
access_provider = ldap 
ldap_access_filter = memberOf=cn=allowed_user_groups,ou=Groups,dc=example,dc=com 

Prerequisites

yum install sssd

Single LDAP Group

Under domain/default in /etc/sssd/sssd.conf add:
access_provider = ldap
ldap_access_filter = memberOf=cn=Group Name,ou=Groups,dc=example,dc=com

Multiple LDAP Groups

Under domain/default in /etc/sssd/sssd.conf add:
access_provider = ldap
ldap_access_filter = (|(memberOf=cn=System Adminstrators,ou=Groups,dc=example,dc=com)(memberOf=cn=Database Users,ou=Groups,dc=example,dc=com))
ldap_access_filter accepts standard LDAP filter syntax.
service sssd restart
Here is the complete SSSD configuration file.
[root@waepprrkb002 ~]# cat /etc/sssd/sssd.conf

###################################################
# SSSD Configuration
###################################################

[sssd]
config_file_vabcion = 2
debug_level = 0
domains = abc.domain.com
services = nss, pam

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 3
entry_cache_nowait_percentage = 75
debug_level = 8
account_cache_expiration = 1

[pam]
reconnection_retries = 3

###################################################
# `abc.domain.com` Configuration
###################################################

[domain/abc.domain.com]
debug_level = 8
id_provider = ldap
auth_provider = ldap
chpass_provider = krb5

# Setting up filters.
access_provider = ldap
ldap_access_filter = (&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=cn=lab_server_access_group,ou=servergroups,ou=accessmgmnt,dc=abc,dc=domain,dc=com))

# Use below string for multiple groups.
#ldap_access_filter = (|(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=cn=lab_server_access_group,ou=servergroups,ou=accessmgmnt,dc=abc,dc=domain,dc=com))(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=cn=lab_server_access_group_another,ou=servergroups,ou=accessmgmnt,dc=abc,dc=domain,dc=com)))

cache_crlabtials = true
min_id = 1000
ad_server = ad-server-a.abc.domain.com,ad-server-b.abc.domain.com

# If we are using ldaps then we need to use the certificate to connect, or else SSSD will not work.
ldap_uri = ldaps://ldap.abc.domain.com
ldap_tls_cacert = /etc/openldap/cacerts/ssl-cacerts.cer

ldap_schema = ad
krb5_realm = ABC.DOMAIN.COM
krb5_server =  ad-server.abc.domain.com,ad-server-b.abc.domain.com
ldap_id_mapping = true
entry_cache_timeout = 3
ldap_referrals = false
ldap_default_bind_dn = cn=svc-lab-abcldapbind,ou=serviceaccounts,ou=accounts,ou=accessmgmnt,dc=abc,dc=domain,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = 8168127634812638126381
fallback_homedir = /home/%u
ldap_user_home_directory = unixHomeDirectory    
ignore_group_membabc = true

More about the sssd Configuration.

Setting up filters.
access_provider = ldap
ldap_access_filter = (&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=cn=lab_server_access_group,ou=servergroups,ou=accessmgmnt,dc=abc,dc=domain,dc=com))
Use below string for multiple groups.
#ldap_access_filter = (|(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=cn=lab_server_access_group,ou=servergroups,ou=accessmgmnt,dc=abc,dc=domain,dc=com))(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=cn=lab_server_access_group_another,ou=servergroups,ou=accessmgmnt,dc=abc,dc=domain,dc=com)))
If we are using ldaps then we need to use the certificate to connect, or else SSSD will not work.
ldap_uri = ldaps://ldap.abc.domain.com
ldap_tls_cacert = /etc/openldap/cacerts/ssl-cacerts.cer

Comments

  1. Troubleshooting PathofBuilding with SSSD's ldap_access_filter can help resolve access denied or permission denied errors effectively

    ReplyDelete

Post a Comment

Popular posts from this blog

Zabbix History Table Clean Up

Zabbix history table gets really big, and if you are in a situation where you want to clean it up. Then we can do so, using the below steps. Stop zabbix server. Take table backup - just in case. Create a temporary table. Update the temporary table with data required, upto a specific date using epoch . Move old table to a different table name. Move updated (new temporary) table to original table which needs to be cleaned-up. Drop the old table. (Optional) Restart Zabbix Since this is not offical procedure, but it has worked for me so use it at your own risk. Here is another post which will help is reducing the size of history tables - http://zabbixzone.com/zabbix/history-and-trends/ Zabbix Version : Zabbix v2.4 Make sure MySql 5.1 is set with InnoDB as innodb_file_per_table=ON Step 1 Stop the Zabbix server sudo service zabbix-server stop Script. echo "------------------------------------------" echo " 1. Stopping Zabbix Server ...

Installing Zabbix Version 2.4 Offline (Zabbix Server without Internet).

There might be situations where you have a remote/zabbix server which does not have internet connectivity, due to security or other reasons. So we create a custom repo on the remote/zabbix server so that we can install zabbix using rpms Here is how we are planning to do this. Download all the dependency rpms on a machine which has internet connection, using yum-downloadonly or repotrack . Transfer all the rpms to the remote server. Create a repo on the remote server. Update yum configuration. Install. NOTE: This method can be used to install any application, but here we have used zabbix as we had this requirement for a zabbix server. Download dependent rpms . On a machine which has internet connection install the package below. And download all the rpms . Make sure the system are similar (not required to be identical - At-least the OS should be of same version) mkdir /zabbix_rpms yum install yum-downloadonly Downloading all the rpms to location /zabbix_rpms/ ,...