RHEL OS Access Control: Status of pam_access.so v. SSSD filter/search?


I'm trying to 'future proof' our unified, RHEL OS-level Access Controls (e.g., SSH, GDM, etc.) for RHEL9+, in addition to RHEL7/8 (even RHEL6 ELS).

LEGACY (deprecated?): pam_access.so

In the past, I've leveraged PAM, specifically pam_access.so, where I could include local and network user, groups, even netgroups (LDAP, or stored in AD-LDAP), even if the NSS references were wholly provided by SSSD (sssd.conf domain stanzas) via LDAP, AD-LDAP (LDAP id provider, with KRB5 auth provider for AD MS-KRB5) as well as the native AD provider.

That way we have a universal, default access control for all services. If any other service needs its own, then we can always create a separate /etc/pam.d/ file for that service, and include as appropriate.

Does anyone know if this is deprecated in RHEL8? Or will be in RHEL9?

FUTURE (exclusive?): sssd.conf

I've also done some filter/search limitations with the built-in SSSD stanzas from LDAP search and filters, and I understand the AD provider also has a group access filter as well. I also know others use the 'simple' filter as well.

I'm kinda curious what the Best Common Practice (BCP) is for this, and something that is semi-common among different providers, as well as local users.
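
For readers comparing the two approaches named above, here is the same "allow one group, deny everyone else" policy written both ways. This is an added example, not configuration from the original post; the domain, group and netgroup names (example.com, linux-admins, ops-netgroup) are constructed placeholders.

```conf
# --- /etc/security/access.conf (read by pam_access.so) ---
# Format: permission : users/groups : origins. The first matching rule wins.
# Parentheses force a group lookup; "@" marks a netgroup. Both are resolved
# through NSS, so they work whether the entry is local or served by SSSD.
+ : root : LOCAL
+ : (linux-admins) : ALL
+ : @ops-netgroup : ALL
# Default deny for everything not matched above.
- : ALL : ALL

# --- /etc/pam.d/<service>, account stack ---
account    required    pam_access.so

# --- /etc/sssd/sssd.conf ---
# One access_provider per domain. It is evaluated only for users that
# come from this SSSD domain, not for accounts in /etc/passwd.
[domain/example.com]

# Variant 1: 'simple' provider, works with any id_provider.
access_provider = simple
simple_allow_groups = linux-admins

# Variant 2: LDAP provider with a search filter.
# access_provider = ldap
# ldap_access_filter = (memberOf=cn=linux-admins,ou=groups,dc=example,dc=com)

# Variant 3: native AD provider with a filter.
# access_provider = ad
# ad_access_filter = (memberOf=CN=linux-admins,OU=Groups,DC=example,DC=com)
```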