[ale] access.conf syntax on CentOS 8

Jim Kinney jim.kinney at gmail.com
Wed Jun 10 07:13:43 EDT 2020


Make your life much easier. Use FreeIPA. It takes all the pieces and puts them together in a cohesive manner. It provides a web gui to abstract across multiple levels of complicated security protocols.

With this toolchain you can allow local root login, and specific groups can log in with LDAP backed credentials. You can allow specific users or groups tightly controlled sudo capability, from specific commands on specific machines to full sudo across groups of machines.

On June 9, 2020 11:48:44 PM EDT, "Beddingfield, Allen via Ale" <ale at ale.org> wrote:
>I have never really put much thought into my LDAP client configuration.
>I finally, begrudgingly switched to using SSSD around CentOS 7/SLES 12.
>I've been just putting sssd.conf on the system, and on CentOS manually
>pushing some files in /etc/pam.d and an nsswitch file with config
>management software (on SLES I use the "pam-config" utility).
>My nsswitch config was using "compat" so that I tacked the netgroups
>onto the end of passwd as always.
>Well, I've noticed that with CentOS 8, I can just drop sssd.conf onto
>the server, restart sssd and do "authselect select sssd with-mkhomedir"
>and everything works - except for netgroups on the end of passwd.  They
>are ignored, and ALL LDAP users can log in.
>I know I can create a custom authselect profile to put compat in
>nsswitch, but I thought it would be a good opportunity to "do it the
>modern way", so I started looking into access.conf.
>I see how to do all the examples in the man page and the config file,
>but they don't match my exact need, and I'm not sure if the combination
>I need is possible.
>
>Here is what I want to do:
>Allow root to log in from anywhere
>Allow all LOCAL users to log in from anywhere
>Allow members of LDAP Netgroup "linuxadmin" to log in from anywhere.
>Deny all other LDAP members that the bind user can see.
>
>The examples I'm seeing are of explicitly listing root, local users by
>name, and the netgroup.  Is there some wildcard to use for "all local
>users"?  We have a lot of systems where the end users are logging in
>with local credentials, and we use LDAP for admin users - so there is
>no consistent list of local accounts.
>In the past, I've just put "+@linuxadmin::::::" at the end of
>/etc/passwd and accomplished this.
>Obviously if I don't either configure compat in nsswitch or
>access.conf, any user the LDAP bind account can see will be able to log
>in, and that is NOT what I want to happen.
>
>Any thoughts?
>Thanks.
>Allen B.
>--
>Allen Beddingfield
>Systems Engineer
>Office of Information Technology
>The University of Alabama
>Office 205-348-2251
>allen at ua.edu
>_______________________________________________
>Ale mailing list
>Ale at ale.org
>https://mail.ale.org/mailman/listinfo/ale
>See JOBS, ANNOUNCE and SCHOOLS lists at
>http://mail.ale.org/mailman/listinfo

-- 
"no government by experts in which the masses do not have the chance to inform the experts as to their needs can be anything but an oligarchy managed in the interests of the few." - John Dewey
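An added illustration, not part of Jim's reply or Allen's quoted message: a small Python model of the access.conf rule matching documented in access.conf(5) (permission : users : origins, first matching line wins, @name for a netgroup, (name) for a group, EXCEPT, and ALL / LOCAL origins), run over constructed sample accounts. pam_access has no "all local users" wildcard, so the rule set below models the common workaround of putting local accounts into a local group; the group name localusers, the user names, the netgroup membership and the origins are all made up for the example.

```python
# Toy evaluator for /etc/security/access.conf rules, following the matching
# order described in access.conf(5): the first line whose users field and
# origins field both match decides, '+' permits and '-' denies.
# Everything below is constructed sample data, not taken from any real system.

# --- stand-in for what NSS would return (files + sssd) ---
LOCAL_USERS = {"root", "alice", "bob"}            # accounts in /etc/passwd
LDAP_USERS = {"carol", "dave", "eve"}             # accounts visible via sssd
GROUPS = {                                        # getgrouplist() view
    "localusers": {"alice", "bob"},               # local group (workaround, constructed)
    "devs": {"dave", "eve"},                      # LDAP group
}
NETGROUPS = {"linuxadmin": {"carol"}}             # LDAP nisNetgroup

# Constructed rule set for the scenario in the thread: root from anywhere,
# netgroup linuxadmin from anywhere, local accounts (via the local group)
# from anywhere, everyone else denied.
ACCESS_CONF = """\
# permission : users : origins   -- order matters, first match wins
+ : root : ALL
+ : @linuxadmin : ALL
+ : (localusers) : ALL
- : ALL : ALL
"""


def parse_access_conf(text):
    """Return a list of (permit, user_tokens, origin_tokens) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        # Only three fields are modelled; IPv6 origins with ':' are not handled here.
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        perm, users, origins = fields
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def _user_token_matches(token, user):
    if token == "ALL":
        return True
    if token.startswith("@"):                     # NIS/LDAP netgroup
        return user in NETGROUPS.get(token[1:], set())
    if token.startswith("(") and token.endswith(")"):   # explicit group
        return user in GROUPS.get(token[1:-1], set())
    # bare name: login name first, then group name (pam_access default)
    return token == user or user in GROUPS.get(token, set())


def _origin_token_matches(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":                          # any origin without a dot
        return "." not in origin
    if token.startswith("."):                     # domain suffix
        return origin.endswith(token)
    return token == origin


def _list_matches(tokens, value, match):
    """'a b EXCEPT c' matches when value matches a or b and does not match c."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        include, exclude = tokens[:i], tokens[i + 1:]
    else:
        include, exclude = tokens, []
    return (any(match(t, value) for t in include)
            and not any(match(t, value) for t in exclude))


def login_permitted(rules, user, origin):
    """Apply the rules in order; pam_access permits when nothing matches."""
    for permit, users, origins in rules:
        if (_list_matches(users, user, _user_token_matches)
                and _list_matches(origins, origin, _origin_token_matches)):
            return permit
    return True


def evaluate_all(rules, origin="10.0.0.5"):
    """Decision for every known account from one constructed origin address."""
    return {u: login_permitted(rules, u, origin)
            for u in sorted(LOCAL_USERS | LDAP_USERS)}


if __name__ == "__main__":
    for user, ok in evaluate_all(parse_access_conf(ACCESS_CONF)).items():
        print(f"{user:6s} {'permit' if ok else 'deny'}")
```

Two things the model makes visible that matter for the question in the thread: pam_access permits when no line matches, so the trailing `- : ALL : ALL` is the line that actually keeps the remaining LDAP accounts out, and on CentOS 8 pam_access is only placed in the PAM stack when the authselect profile is selected with the with-pamaccess feature (for example `authselect select sssd with-mkhomedir with-pamaccess`); with plain `authselect select sssd with-mkhomedir` the file is never consulted.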