13.2.22. Creating Domains: Access Control
Using the Simple Access Provider
simple_allow_groups, which grant access explicitly to specific users (either the given users or group members) and deny access to everyone else. It is also possible to create deny lists (which deny access only to explicit people and implicitly allow everyone else access).
- If both the allow and deny lists are empty, access is granted.
- If any list is provided, allow rules are evaluated first, and then deny rules. Practically, this means that deny rules supersede allow rules.
- If an allowed list is provided, then all users are denied access unless they are in the list.
- If only deny lists are provided, then all users are allowed access unless they are in the list.
[domain/example.com] access_provider = simple simple_allow_users = jsmith,bjensen simple_allow_groups = itgroup
simpleas an access provider.
sssd-simpleman page, but these are rarely used.
Using the Access Filters
ldap_access_filterfor LDAP and IdM and
ad_access_filterfor AD) specify which users are granted access to the specified host. The user filter must be used or all users are denied access. See the examples below:
[domain/example.com] access_provider = ldap ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
[domain/example.com] access_provider = ad ad_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
hostattribute in an entry. In fact, all options — LDAP filter,
host— can be evaluated, depending on the user entry and the configuration. The
ldap_access_orderparameter lists all access control methods to use, in order of how they should be evaluated.
[domain/example.com] access_provider = ldap ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com ldap_access_order = filter, host, authorized_service