
I'm trying to learn how PAM, SSSD and nsswitch work. I think these services are so useful, although all the documentation out there is a little outdated and "esoteric".

So I'm here asking for some help.

This is how I configured my sssd.conf:

[sssd]
config_file_version = 2
services = pam,nss
domains = persefone.com

[pam]

[nss]

[autofs]

[domain/persefone.com]
id_provider = ldap
auth_provider = krb5
ldap_schema = rfc2307bis
enumerate = false
cache_credentials = false
case_sensitive = true
ldap_use_tokengroups = false
ldap_uri = ldap://192.168.10.10
ldap_search_base = dc=persefone,dc=com
ldap_tls_reqcert = allow
krb5_server = 192.168.10.10
krb5_realm = PERSEFONE.COM
access_provider = ldap
ldap_access_filter = (memberOf=cn=Administradores,ou=group,dc=persefone,dc=com)
default_shell = /bin/bash

This is how my nsswitch.conf looks:

passwd: compat sss
group:  compat sss

hosts:  files dns
networks:       files dns

services:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files nis
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files

I read that PAM is deprecated, but all the information I find is about SSSD working together with PAM. I think there are a lot of things I don't understand about this. I will continue trying to learn. If you know of some good sources for learning about PAM, SSSD, NSSWITCH and these services, maybe with some exercises, recommendations are welcome. I have already read the man pages (and not understood them much...).

Thank you. Regards.

DRI

1 Answer


You can use this config item:

[domain/skmf.com]
simple_allow_groups = Administradores, linux_admins

You can use values from sssd-simple(5), which includes this simple_allow_groups. That is how my environment limits access to the groups.

You will want to ensure that you also allow that group in sshd_config. This list is space delimited, so for groups with spaces in their names you might need to experiment: avoid them, or escape the space in the group name with a backslash.

AllowGroups Administradores linux_admins
bgStack15
  • Hello, thank you so much for your reply. I managed to limit access to the environment using sshd_config. I also noticed that if I add to the sssd_config: access_provider = ldap, then nobody is able to authenticate to the system, locally or remotely. If I add to the sssd_config: access_provider = simple, then I can restrict local authentication with: AllowGroups Administradores linux_admins. Why use the simple access_provider while the ldap access_provider exists? And why use AllowGroups while ldap_access_filter exists? – DRI Dec 04 '19 at 06:28
  • You can mix and match the `_provider` attributes. You can read the sssd-ldap man page to learn what access_provider=ldap means. I use `access_provider=simple` with `id_provider=ad` (which sets up a bunch of the ldap attributes a particular way). – bgStack15 Dec 04 '19 at 15:46
  • Hey, thank you so much for the reply. As I said, I already read all the man pages... and any information and exercises are welcome. I finally understood (more or less...) what access and id provider mean by doing some exercises on sudoers replication via LDAP. – DRI Dec 05 '19 at 06:20
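The following is an added example, not code from the original question, the answer, or the SSSD project. It takes the two things discussed in the thread, the sssd.conf domain section from the question and the simple_allow_groups / sshd AllowGroups pairing from the answer, and audits them the way a practitioner would before trusting the setup: is an access_provider actually configured (ldap needs ldap_access_filter or ldap_access_order; simple with empty allow lists restricts nothing; the default is permit), do identity lookups travel in cleartext (ldap:// without ldap_id_use_start_tls, which matters here because the group membership that the access filter checks comes from LDAP even though passwords go to Kerberos), is the server certificate left unverified (ldap_tls_reqcert = allow), and do the comma-separated sssd group list and the space-separated sshd AllowGroups list actually agree, since each file denies on its own. The sssd.conf and sshd_config texts below are constructed sample input modelled on the question; the sshd fragment is hypothetical and deliberately lists only one of the two groups so the mismatch check fires.

```python
"""Audit an sssd.conf access-control setup against sshd AllowGroups.

Added example for the thread above; not code from the original post or
from SSSD. sssd.conf is INI syntax, so configparser parses it directly.
Defaults assumed from sssd-ldap(5)/sssd-simple(5): access_provider =
permit, ldap_tls_reqcert = hard, ldap_id_use_start_tls = false.
"""
import configparser
import re

# Constructed sample: the question's domain with the answer's
# access_provider = simple variant applied.
SSSD_CONF = """\
[sssd]
config_file_version = 2
services = pam,nss
domains = persefone.com

[domain/persefone.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://192.168.10.10
ldap_search_base = dc=persefone,dc=com
ldap_tls_reqcert = allow
krb5_server = 192.168.10.10
krb5_realm = PERSEFONE.COM
access_provider = simple
simple_allow_groups = Administradores, linux_admins
"""

# Constructed, hypothetical sshd_config fragment; it lists only one of the
# two groups so the mismatch check below has something to report.
SSHD_CONFIG = """\
PermitRootLogin no
AllowGroups Administradores
"""


def parse_sssd(text):
    """sssd.conf is INI-style; interpolation off so a literal '%' is kept."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def split_csv(value):
    """sssd list options (domains, simple_allow_groups) are comma separated."""
    return [v.strip() for v in value.split(",") if v.strip()]


def sshd_allow_groups(text):
    """sshd AllowGroups is space separated; several lines accumulate."""
    groups = []
    for line in text.splitlines():
        m = re.match(r"\s*AllowGroups\s+(.+)", line, re.IGNORECASE)
        if m:
            groups.extend(m.group(1).split())
    return groups


def audit(sssd_text, sshd_text):
    """Return a list of (domain, finding) tuples; an empty list means clean."""
    cp = parse_sssd(sssd_text)
    findings = []
    ssh_groups = set(sshd_allow_groups(sshd_text))
    for dom in split_csv(cp["sssd"].get("domains", "")):
        sec = "domain/" + dom
        if not cp.has_section(sec):
            findings.append((dom, "domain-section-missing"))
            continue
        d = cp[sec]
        # Is access control configured at all? sssd's default provider is permit.
        provider = d.get("access_provider", "permit")
        if provider == "permit":
            findings.append((dom, "access-provider-permit"))
        elif provider == "ldap":
            if "ldap_access_filter" not in d and "ldap_access_order" not in d:
                findings.append((dom, "ldap-access-unconfigured"))
        elif provider == "simple":
            sssd_groups = set(split_csv(d.get("simple_allow_groups", "")))
            sssd_users = split_csv(d.get("simple_allow_users", ""))
            if not sssd_groups and not sssd_users:
                # With no allow list the simple provider restricts nothing.
                findings.append((dom, "simple-allow-lists-empty"))
            if ssh_groups and sssd_groups != ssh_groups:
                # Each file denies independently; a group missing on one side
                # is locked out of ssh or denied by sssd, not granted extra access.
                findings.append((dom, "sshd-allowgroups-mismatch"))
        # Transport for identity lookups: group membership feeding the access
        # decision is fetched over this channel, so integrity matters.
        uri = d.get("ldap_uri", "")
        if uri.startswith("ldap://") and d.get("ldap_id_use_start_tls", "false").lower() != "true":
            findings.append((dom, "ldap-id-cleartext"))
        if d.get("ldap_tls_reqcert", "hard").lower() in ("allow", "never"):
            findings.append((dom, "ldap-cert-unverified"))
    return findings


if __name__ == "__main__":
    for dom, code in audit(SSSD_CONF, SSHD_CONFIG):
        print(f"{dom}: {code}")
```

Run against the sample it reports the cleartext ldap:// URI, the unverified certificate and the AllowGroups mismatch; switching the URI to ldaps://, setting ldap_tls_reqcert = demand and listing both groups in AllowGroups makes it come back clean. Point it at your real files by replacing the two constructed strings with the contents of /etc/sssd/sssd.conf and /etc/ssh/sshd_config.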