[Freeipa-users] Freeipa and limiting access by group (memberOf)
Janet Houser
2017-05-16 13:56:38 UTC
Hi Folks,

Last week I deployed freeipa on a CentOS7 VM. The installation went
very smoothly using:

yum install ipa-server

and

ipa-server-install


My issue is with connecting a CentOS 7 client. On my client, I yum
installed ipa-client and ipa-admintools.
I then ran "ipa-client-install" and answered the setup questions (very
easy and smooth).

The "getent passwd" command didn't return any users, but the "getent
passwd jdoe" does give the information
for the user. I found in the archives that I can set "enumerate=True"
so I get a complete user listing. That
seems to be working, and I was able to login with the account "jdoe"
(brilliant!).

Problem 1:
========

I created a user group on the ipa server with the following attributes:

name = xyx, gid = 1000

I changed the user "jdoe" to have gid = 1000, but when I ssh into the
ipa client, I get the following message after
logging in:

/usr/bin/id: cannot find name for group ID 1000

A "getent group" command does list the group: xyz:*:1000:

A "groups" command issued by the user shows: xyz

Files created by the user show the correct ownership and group.

Problem 2:
=======

I've been looking through the freeipa groups and literature and I can't
figure out how to limit user login access to
an ipa client by a memberOf group.

When I was using CentOS 6 and 7 I could use the nslcd.conf file to put
in a group filter like:

passwd (&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu))


I tried changing the access_provider to simple and using the
"simply_allow_groups = test", but that didn't work.
However, using "access_provider = ipa" and "filter_users" did allow me
to filter out a user from the "getent passwd" command.

I tried changing the access_provider to ldap and using the filter
"ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu"
but that failed too.


I'd appreciate any suggestions.

Thanks,

- signed an "ipa newbie"
Jakub Hrozek
2017-05-17 15:22:59 UTC
Post by Janet Houser
Hi Folks,
Last week I deployed freeipa on a CentOS7 VM. The installation went very
yum install ipa-server
and
ipa-server-install
My issue is with connecting a CentOS 7 client. On my client, I yum
installed ipa-client and ipa-admintools.
I then ran "ipa-client-install" and answered the setup questions (very
easy and smooth).
The "getent passwd" command didn't return any users, but the "getent passwd
jdoe" does give the information
for the user. I found in the archives that I can set "enumerate=True" so I
get a complete user listing. That
seems to be working, and I was able to login with the account "jdoe"
(brilliant!).
I would discourage enumeration especially if you're planning on a large
domain. The performance right now is not great. Moreover, the way the
trusted accounts are retrieved doesn't support enumeration at all
either.
Post by Janet Houser
========
name = xyx, gid = 1000
I changed the user "jdoe" to have gid = 1000, but when I ssh into the ipa
client, I get the following message after
/usr/bin/id: cannot find name for group ID 1000
A "groups" command issued by the user shows: xyz
files created by the user show the correct ownership and group.
I would first try to remove the sssd caches because uid/gid renumbering
doesn't work great. If that doesn't help, please check the sssd logs.

By the way, 1000 is quite low and would most probably clash with local
accounts. I would strongly suggest to stick to ID numbers within the
configured ID range (ipa idrange-find)
Post by Janet Houser
=======
I've been looking through the freeipa groups and literature and I can't
figure out how to limit user login access to
an ipa client by a memberOf group.
When I was using CentOS 6 and 7 I could use the nslcd.conf file to put in a
passwd (&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu))
I tried changing the access_provider to simple and using the
"simply_allow_groups = test", but that didn't work.
However, using "access_provider = ipa" and "filter_users" did allow me to
filter out a user from the "getent passwd" command.
I tried changing the access_provider to ldap and using the filter
"ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu"
but that failed too.
Please check out "ipa help hbac"
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
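The HBAC route Jakub points to, written out as an added example (this is not code from the thread or from the FreeIPA project): a POSIX shell script that creates one HBAC rule allowing members of the IPA group "test" to use sshd on a single enrolled client, disables the default allow_all rule so the new rule actually takes effect, and then asks the server to simulate the decision with ipa hbactest. The rule name allow_test_ssh and the host name client.example.test are placeholders; the group "test" and the enrolled host are assumed to exist already, and the script expects a valid admin Kerberos ticket (kinit admin).

```shell
#!/bin/sh
# Added example (not from the thread): restrict ssh logins on one IPA client
# to members of the IPA group "test" with an HBAC rule, then verify the
# decision with "ipa hbactest". Run as an IPA admin after "kinit admin".
# Assumptions: the group "test" and the enrolled host exist; the host name
# and rule name below are placeholders.
IPA="${IPA:-ipa}"                    # set IPA=echo for a dry run that only prints the commands
RULE="${RULE:-allow_test_ssh}"       # name of the HBAC rule to create (placeholder)
GROUP="${GROUP:-test}"               # IPA group whose members may log in
HOST="${HOST:-client.example.test}"  # enrolled client host (placeholder)

# Create the rule as group -> host -> service. Each ipa call exits non-zero
# if the referenced object does not exist, so the && chain stops there.
create_hbac_rule() {
    "$IPA" hbacrule-add "$RULE" --desc="ssh only for members of $GROUP" &&
    "$IPA" hbacrule-add-user "$RULE" --groups="$GROUP" &&
    "$IPA" hbacrule-add-host "$RULE" --hosts="$HOST" &&
    "$IPA" hbacrule-add-service "$RULE" --hbacsvcs=sshd
}

# A fresh IPA server ships an enabled "allow_all" rule that grants every
# user every service on every host; the new rule changes nothing until
# that rule is disabled.
disable_allow_all() {
    "$IPA" hbacrule-disable allow_all
}

# Simulate the decision the client's sssd will reach for a user/host/service
# triple without logging in; the output contains "Access granted: True/False".
check_access() {
    "$IPA" hbactest --user="$1" --host="$HOST" --service=sshd
}

# Usage: sh hbac_ssh.sh apply [user-to-check]
if [ "${1:-}" = "apply" ]; then
    create_hbac_rule && disable_allow_all && check_access "${2:-jdoe}"
fi
```

The rule is only enforced on a client whose sssd.conf keeps `access_provider = ipa`, which is what ipa-client-install writes; switching the access provider to simple or ldap, as tried above, takes HBAC evaluation out of the login path entirely.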
Jakub Hrozek
2017-05-18 18:19:52 UTC
Post by Jakub Hrozek
Post by Janet Houser
Hi Folks,
Last week I deployed freeipa on a CentOS7 VM. The installation went very
yum install ipa-server
and
ipa-server-install
My issue is with connecting a CentOS 7 client. On my client, I yum
installed ipa-client and ipa-admintools.
I then ran "ipa-client-install" and answered the setup questions (very
easy and smooth).
The "getent passwd" command didn't return any users, but the "getent passwd
jdoe" does give the information
for the user. I found in the archives that I can set "enumerate=True" so I
get a complete user listing. That
seems to be working, and I was able to login with the account "jdoe"
(brilliant!).
I would discourage enumeration especially if you're planning on a large
domain. The performance right now is not great. Moreover, the way the
trusted accounts are retrieved doesn't support enumeration at all
either.
Copy that. Enumeration is set to true just for testing. It will be
disabled later.
Post by Jakub Hrozek
Post by Janet Houser
========
name = xyx, gid = 1000
I changed the user "jdoe" to have gid = 1000, but when I ssh into the ipa
client, I get the following message after
/usr/bin/id: cannot find name for group ID 1000
A "groups" command issued by the user shows: xyz
files created by the user show the correct ownership and group.
I would first try to remove the sssd caches because uid/gid renumbering
doesn't work great. If that doesn't help, please check the sssd logs.
Didn't work, and the logs aren't really being helpful, but I'll dig further.
Feel free to paste some sanitized snippet here.
Post by Jakub Hrozek
By the way, 1000 is quite low and would most probably clash with local
accounts. I would strongly suggest to stick to ID numbers within the
configured ID range (ipa idrange-find)
Post by Janet Houser
=======
I've been looking through the freeipa groups and literature and I can't
figure out how to limit user login access to
an ipa client by a memberOf group.
When I was using CentOS 6 and 7 I could use the nslcd.conf file to put in a
passwd (&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu))
I tried changing the access_provider to simple and using the
"simply_allow_groups = test", but that didn't work.
However, using "access_provider = ipa" and "filter_users" did allow me to
filter out a user from the "getent passwd" command.
I tried changing the access_provider to ldap and using the filter
"ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu"
but that failed too.
Please check out "ipa help hbac"
I just realized hbac is host based access control. I can't really use this
since I need to restrict certain users
to resources. Since freeipa is based on directory server 389, I'm assuming
it can do group / memberOf filtering.
What are the resources we're talking about here?
Any suggestions would be appreciated.