I have servers based on RHEL 7 and 8. RHEL 7 servers use nslcd to work with an LDAP server, RHEL 8 uses SSSD.
For RHEL 7 I can provide access for users to allowed hosts only. This function is covered by the option in the nslcd.conf:
pam_authz_search (&(objectClass=posixAccount)(uid=$uid)(|(host=$hostname.\*)(host=\\*)))
I use the option "host=$hostname.\*" for regular users who have a list of allowed servers; "host=\\*" is used for admins who have * as the LDAP host attribute.
SSSD has the option ldap_access_filter, and with the following settings:
ldap_access_filter = (objectClass=posixAccount)
all users can log in to all RHEL 8 machines, which I want to avoid.
Is it possible to add host options to the ldap_access_filter as I have in the nslcd.conf on the old servers?
Thank you in advance.
UPD:
ldap_access_filter = (&(objectClass=posixAccount)(host=\*))
works for admins with * in the ldapsearch host attribute:
~$ ldapsearch -LLL -Q -Z uid=admin-user host
dn: uid=admin-user,ou=People,dc=my,dc=domain,dc=net
host: *
Also I can specify the server name directly:
ldap_access_filter = (&(objectClass=posixAccount)(host=servername.example.lan))
and it also works for users who have this server in the list:
~$ ldapsearch -LLL -Q -Z uid=a-testuser host
dn: uid=a-testuser,ou=People,dc=my,dc=domain,dc=net
host: servername.example.lan
But how can I use variables or special characters like * or \*?
0 Answers
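As an added illustration that is not part of the question above: an sssd.conf domain fragment showing the permissive filter from the question next to SSSD's own host-attribute access check (ldap_access_order = host with ldap_user_authorized_host), which evaluates the user's host attribute against the local hostname and treats a literal * value as "all hosts", so no $hostname variable is needed in the filter. The domain name, server URI and search base are placeholders, not values from the question.

```ini
[sssd]
domains = example
services = nss, pam

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.lan
ldap_search_base = dc=my,dc=domain,dc=net

# Weak setting (as in the question): every posixAccount passes the access
# check, so any LDAP user can log in to every RHEL 8 host.
#access_provider = ldap
#ldap_access_order = filter
#ldap_access_filter = (objectClass=posixAccount)

# Host-attribute access control instead of a hostname inside the filter:
# the filter still limits access to posixAccount entries, and the "host"
# check then compares each value of the user's host attribute with the
# local hostname. A value of "*" allows all hosts (the admin case); a user
# whose host values do not include this server is denied.
access_provider = ldap
ldap_access_order = filter, host
ldap_access_filter = (objectClass=posixAccount)
ldap_user_authorized_host = host
```

After changing access settings, clear the SSSD cache and restart the service so cached access decisions are not reused, and verify with a user that is not listed for the host that the login is actually refused.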