Hello, I have a new instance of FreeIPA installed (version:4.12.2) on an AlmaLinux 9.4 server.
I have created several test users (uidNumber, gidNumber) using posix groups I created. I also created a non-posix group I'd like to use as a "restricted" group for login access. I have managed to get this to work using HBAC rules. Unfortunately, when I issue the "getent passwd" command it shows all the users, not just the ones with login access. In the past, I used sssd.conf (or nslcd.conf) to limit access and only users listed in the "memberOf" group would show when the getent command was issued. I've been trying (very unsuccessfully) to get this to work with my FreeIPA server. I've tried changing the access_provider = ldap but the ldap_access_filter doesn't seem to work.

The sssd.conf file I'm hacking on looks like the following:

[domain/domain.com]
ipa_uri = ldaps://freeipa.domain.com:636
enumerate = True
cache_credentials = False
krb5_store_password_if_offline = True
ipa_domain = domain.com
id_provider = ipa
auth_provider = ipa
#---
#access_provider = ipa
access_provider = ldap
#---
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = ldap-test.domain.com
chpass_provider = ipa
ipa_server = _srv_, freeipa.domain.com
ldap_schema = rfc2307bis
ldap_access_order = filter
ldap_access_filter = (memberOf=cn=test,cn=groups,cn=accounts,dc=domain,dc=com)
ldap_group_search_base = cn=test,cn=groups,cn=accounts,dc=domain,dc=com

I've also tried

As a test to see if I could limit access to one user
ldap_access_filter = (|(gidNumber=600)(gidNumber=902))
ldap_access_filter = (uid=2000)

I'm basically just trying to get some kind of restriction using a group filter to try to understand what I need in the sssd.conf file so that getent will only show authorized users. Is this something that can be set on the server side rather than the client side? I just can't seem to get the correct syntax. I've tried using access_provider = simple but the "simple_allow_groups" doesn't seem to restrict the getent list either.

Any pointers would be appreciated.

Thanks,
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
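The following sssd.conf fragment is an added example, not part of the post above and not configuration shipped by the FreeIPA or SSSD projects. It reuses the domain, group DN and hostnames from the question and assumes that the IPA provider honours the `base?scope?filter` form of `ldap_user_search_base` documented in sssd-ldap(5), which is the mechanism that narrows identity lookups; `ldap_access_filter` and `simple_allow_groups` only run in the PAM access-control phase, which is why they never change what `getent passwd` returns.

```ini
# Added example (not from the original post). Domain, group DN and hostnames
# are the ones used in the question; adjust to your deployment.
[domain/domain.com]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
# Keep the IPA access provider so the HBAC rules already in place still decide
# who may log in; the identity view is narrowed separately below.
access_provider = ipa
ipa_domain = domain.com
ipa_server = _srv_, freeipa.domain.com
ipa_hostname = ldap-test.domain.com
ldap_tls_cacert = /etc/ipa/ca.crt

# ldap_access_filter is evaluated only when PAM asks "may this user log in";
# it does not filter user lookups, so getent keeps listing everyone.
# To restrict the identity view itself, attach the filter to the user search
# base with the base?scope?filter syntax from sssd-ldap(5).
# Assumption: the IPA provider applies the filter part like the LDAP provider.
ldap_user_search_base = cn=users,cn=accounts,dc=domain,dc=com?subtree?(memberOf=cn=test,cn=groups,cn=accounts,dc=domain,dc=com)

# Leave the group search base at the groups container. Pointing it at a single
# group DN (as in the question) hides every other group from getent group and
# breaks supplementary-group resolution.
ldap_group_search_base = cn=groups,cn=accounts,dc=domain,dc=com

# enumerate = True is what makes getent passwd list users at all; with it off,
# getent only returns users already in the SSSD cache.
enumerate = True
cache_credentials = False
```

After changing the file, clear the cache and restart the daemon (`sss_cache -E`, then `systemctl restart sssd`) before checking `getent passwd` again, otherwise previously cached entries will still be returned. Note that this is a client-side view: the filtered users still exist on the server and can still be found by other clients, so it complements the HBAC rules rather than replacing them.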