[Access Filter Setup with SSSD] #sssd #centos #active_directory

sssd.conf

[sssd]
config_file_vabcion = 2
debug_level = 0
domains = abc.domain.com
services = nss, pam

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 3
entry_cache_nowait_percentage = 75
debug_level = 8
account_cache_expiration = 1

[pam]
reconnection_retries = 3

###################################################
# `abc.domain.com` Configuration
###################################################

[domain/abc.domain.com]
debug_level = 8
id_provider = ldap
auth_provider = ldap
chpass_provider = krb5

# Setting up filters.
access_provider = ldap
ldap_access_filter = (&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=cn=lab_server_access_group,ou=servergroups,ou=accessmgmnt,dc=abc,dc=domain,dc=com))

# Use below string for multiple groups.
#ldap_access_filter = (|(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=cn=lab_server_access_group,ou=servergroups,ou=accessmgmnt,dc=abc,dc=domain,dc=com))(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=cn=lab_server_access_group_another,ou=servergroups,ou=accessmgmnt,dc=abc,dc=domain,dc=com)))

cache_crlabtials = true
min_id = 1000
ad_server = ad-server-a.abc.domain.com,ad-server-b.abc.domain.com

# If we are using ldaps then we need to use the certificate to connect, or else SSSD will not work.
ldap_uri = ldaps://ldap.abc.domain.com
ldap_tls_cacert = /etc/openldap/cacerts/ssl-cacerts.cer

ldap_schema = ad
krb5_realm = ABC.DOMAIN.COM
krb5_server =  ad-server.abc.domain.com,ad-server-b.abc.domain.com
ldap_id_mapping = true
entry_cache_timeout = 3
ldap_referrals = false
ldap_default_bind_dn = cn=svc-lab-abcldapbind,ou=serviceaccounts,ou=accounts,ou=accessmgmnt,dc=abc,dc=domain,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = 8168127634812638126381
fallback_homedir = /home/%u
ldap_user_home_directory = unixHomeDirectory    
ignore_group_membabc = true

sssd_accessfilter.md

ldap_access_filter (string)

If using access_provider = ldap, this option is mandatory. It specifies an LDAP search filter criteria that must be met for the user to be granted access on this host. If access_provider = ldap and this option is not set, it will result in all users being denied access. Use access_provider = allow to change this default behaviour.

Example:

access_provider = ldap 
ldap_access_filter = memberOf=cn=allowed_user_groups,ou=Groups,dc=example,dc=com 

Prerequisites

yum -y install sssd

Single LDAP Group

Under domain/default in /etc/sssd/sssd.conf add:

access_provider = ldap
ldap_access_filter = memberOf=cn=Group Name,ou=Groups,dc=example,dc=com

Multiple LDAP Groups

Under domain/default in /etc/sssd/sssd.conf add:

access_provider = ldap
ldap_access_filter = (|(memberOf=cn=System Adminstrators,ou=Groups,dc=example,dc=com)(memberOf=cn=Database Users,ou=Groups,dc=example,dc=com))

ldap_access_filter accepts standard LDAP filter syntax.

service sssd restart

Other interesting LDAP filters

See https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

(objectCategory=person)(objectClass=user)(mail=*) - All user objects with a value in the mail field (no contacts)

(!userAccountControl:1.2.840.113556.1.4.803:=2) - Filters out disabled accounts

(!userAccountControl:1.2.840.113556.1.4.803:=65536) - Filters accounts set to PASSWORD NEVE EXPIRES

(!userAccountControl<=600)) - Filters out Exchange Organization Mailboxes

(&(objectCategory=user)(UID=*)) - Unix users

(&(objectCategory=user)(msNPAllowDialin=TRUE)) - Dial-in access