[ale] access.conf syntax on CentOS 8

Beddingfield, Allen allen at ua.edu
Tue Jun 9 23:48:44 EDT 2020


I have never really put much thought into my LDAP client configuration.  I finally, begrudgingly, switched to using SSSD around CentOS 7/SLES 12.  I've been just putting sssd.conf on the system, and on CentOS manually pushing some files in /etc/pam.d and an nsswitch file with config management software (on SLES I use the "pam-config" utility).
My nsswitch config was using "compat" so that I tacked the netgroups onto the end of passwd as always.
Well, I've noticed that with CentOS 8, I can just drop sssd.conf onto the server, restart sssd and do "authselect select sssd with-mkhomedir" and everything works - except for netgroups on the end of passwd.  They are ignored, and ALL LDAP users can log in.
I know I can create a custom authselect profile to put compat in nsswitch, but I thought it would be a good opportunity to "do it the modern way", so I started looking into access.conf.
I see how to do all the examples in the man page and the config file, but they don't match my exact need, and I'm not sure if the combination I need is possible.

Here is what I want to do:
Allow root to log in from anywhere
Allow all LOCAL users to log in from anywhere
Allow members of LDAP Netgroup "linuxadmin" to log in from anywhere.
Deny all other LDAP members that the bind user can see.

The examples I'm seeing are of explicitly listing root, local users by name, and the netgroup.  Is there some wildcard to use for "all local users"?  We have a lot of systems where the end users are logging in with local credentials, and we use LDAP for admin users - so there is no consistent list of local accounts.
In the past, I've just put "+@linuxadmin::::::" at the end of /etc/passwd and accomplished this.
Obviously if I don't either configure compat in nsswitch or access.conf, any user the LDAP bind account can see will be able to log in, and that is NOT what I want to happen.

Any thoughts?
Thanks.
Allen B.
--
Allen Beddingfield
Systems Engineer
Office of Information Technology
The University of Alabama
Office 205-348-2251
allen at ua.edu
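Added example (not part of Allen's post, and not the real pam_access code): a small Python model of how access.conf rules are evaluated, so the two behaviours the post worries about can be seen side by side. The rule order, the first-match-wins logic, and the default of granting access when no rule matches follow the access.conf(5) manual page; the netgroup membership, the user names, the host names and the two policy texts are constructed for illustration. The EXCEPT keyword and pam_access's handling of origins beyond ALL/LOCAL/exact match are simplified away.

```python
"""Toy evaluator for pam_access-style access.conf rules.

Simplified model (an assumption for illustration, not the pam_access
source): each non-comment line is  permission : users : origins
  - permission is '+' (allow) or '-' (deny)
  - users is a list of login names, '@netgroup', '(group)' or ALL
    (the EXCEPT keyword is not modelled here)
  - origins is ALL, LOCAL (approximated as "no dot in the origin"),
    or a list of exact host / tty names
  - the first matching rule decides; if no rule matches, access is
    GRANTED, which is why a trailing catch-all deny line matters
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    permit: bool
    users: List[str]
    origins: List[str]


@dataclass
class Env:
    """Name services the evaluator consults (constructed data below)."""
    netgroups: Dict[str, Set[str]]
    groups: Dict[str, Set[str]]


def parse_access_conf(text: str) -> List[Rule]:
    """Parse access.conf text into rules; comments and blanks are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        users = parts[1].replace(",", " ").split()
        origins = parts[2].replace(",", " ").split()
        rules.append(Rule(parts[0] == "+", users, origins))
    return rules


def user_matches(token: str, user: str, env: Env) -> bool:
    if token == "ALL":
        return True
    if token.startswith("@"):                      # LDAP/NIS netgroup
        return user in env.netgroups.get(token[1:], set())
    if token.startswith("(") and token.endswith(")"):  # POSIX group
        return user in env.groups.get(token[1:-1], set())
    return token == user


def origin_matches(token: str, origin: str) -> bool:
    if token == "ALL":
        return True
    if token == "LOCAL":                           # tty or unqualified host
        return "." not in origin
    return token == origin


def access_decision(rules: List[Rule], user: str, origin: str,
                    env: Env) -> Tuple[bool, Optional[Rule]]:
    """Return (allowed, matching_rule); no match means allowed by default."""
    for rule in rules:
        if any(user_matches(t, user, env) for t in rule.users) and \
           any(origin_matches(t, origin) for t in rule.origins):
            return rule.permit, rule
    return True, None


def evaluate_policy(policy: str, env: Env,
                    cases: List[Tuple[str, str]]) -> Dict[str, bool]:
    """Evaluate every (user, origin) case; keyed by user for readability."""
    rules = parse_access_conf(policy)
    return {user: access_decision(rules, user, origin, env)[0]
            for user, origin in cases}


# Constructed sample data: one admin netgroup, no POSIX groups.
ENV = Env(netgroups={"linuxadmin": {"abedding", "jdoe"}}, groups={})

# Constructed login attempts: root on the console, an LDAP admin,
# an ordinary LDAP user, and a local account that is NOT in LDAP.
CASES = [("root", "console"), ("abedding", "ws1.example.edu"),
         ("ldapuser", "ws1.example.edu"), ("localstudent", "console")]

# Policy as the post describes it: root, the netgroup, then deny the rest.
POLICY_WITH_CATCHALL = """
+ : root : ALL
+ : @linuxadmin : ALL
- : ALL : ALL
"""

# Same allow lines but no final deny: pam_access then lets everyone else in.
POLICY_WITHOUT_CATCHALL = """
+ : root : ALL
+ : @linuxadmin : ALL
"""

if __name__ == "__main__":
    for name, policy in [("with catch-all", POLICY_WITH_CATCHALL),
                         ("without catch-all", POLICY_WITHOUT_CATCHALL)]:
        print(name, evaluate_policy(policy, ENV, CASES))
```

Running it shows both sides of the question: without the `- : ALL : ALL` line every LDAP user (`ldapuser`) is admitted because an unmatched login is granted by default, and with it the local account (`localstudent`) is refused along with the LDAP users, since access.conf has no token in this model that means "every account in the local passwd file". Either way, the catch-all deny is the line that stops the LDAP bind account's whole user base from logging in.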