Bug 790108

Summary: Support access-control similar to pam_groupdn in LDAP
Product: Red Hat Enterprise Linux 7
Reporter: Dmitri Pal <dpal>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED WONTFIX
QA Contact:
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.0
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-15 14:44:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Dmitri Pal 2012-02-13 16:51:42 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/931

pam_ldap had a feature called pam_groupdn. The behavior of this option was to check whether the DN of the user logging in existed as a member of the pam_member_attribute multi-valued attribute of this group DN.

Our current answer to users attempting to accomplish similar behavior is to recommend that they use the simple access provider with simple_allow_groups set. However, this is somewhat limited in that it only allows access based on POSIX groups, where the pam_groupdn feature could use non-POSIX (administrative-only) groups for this evaluation.

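The check the ticket describes, written out as an added example (this is not SSSD or pam_ldap code, and the group, user DNs and directory contents are constructed for illustration). It models pam_groupdn against an in-memory directory: look up the configured group DN, read its multi-valued member attribute (pam_member_attribute, here `member`), and grant access only if the user's DN appears there. The group deliberately has no gidNumber, so it is exactly the kind of administrative-only group that simple_allow_groups cannot express. The DN comparison normalizes case and whitespace and respects backslash-escaped commas, because member values written by different tools rarely match byte for byte.

```python
# Added example, not code from SSSD or pam_ldap. Reimplements the pam_groupdn
# check over a constructed in-memory directory so it runs offline.

def split_dn(dn: str) -> list[str]:
    """Split a DN into RDN strings on unescaped commas (RFC 4514 style)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):     # keep escape pairs such as "\,"
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur))
    return rdns


def normalize_dn(dn: str) -> str:
    """Case-fold attribute types and values and strip whitespace around
    RDN separators, so 'UID=Bob, OU=People' equals 'uid=bob,ou=people'.
    Sufficient for typical member values; not a full RFC 4514 canonicalizer."""
    out = []
    for rdn in split_dn(dn):
        rdn = rdn.strip()
        if "=" in rdn:
            typ, val = rdn.split("=", 1)
            out.append(f"{typ.strip().lower()}={val.strip().lower()}")
        else:
            out.append(rdn.lower())
    return ",".join(out)


# Constructed directory: one non-POSIX group (groupOfNames, no gidNumber).
# Attribute names are stored lower-cased because LDAP treats them
# case-insensitively.
GROUP_DN = "cn=sshadmins,ou=groups,dc=example,dc=com"
DIRECTORY = {
    normalize_dn(GROUP_DN): {
        "objectclass": ["top", "groupOfNames"],
        "member": [
            "uid=alice,ou=people,dc=example,dc=com",
            "UID=Bob, OU=People, DC=Example, DC=Com",   # differs only in form
        ],
    },
}


def pam_groupdn_check(directory: dict, user_dn: str, group_dn: str,
                      member_attribute: str = "member") -> bool:
    """pam_groupdn semantics: allow only if user_dn is listed in the group's
    member attribute. A missing group or attribute denies access rather than
    failing open, which is the safe default for an access-control check."""
    group = directory.get(normalize_dn(group_dn))
    if group is None:
        return False
    members = group.get(member_attribute.lower(), [])
    wanted = normalize_dn(user_dn)
    return any(normalize_dn(m) == wanted for m in members)


if __name__ == "__main__":
    for uid in ("alice", "bob", "carol"):
        dn = f"uid={uid},ou=people,dc=example,dc=com"
        verdict = "allow" if pam_groupdn_check(DIRECTORY, dn, GROUP_DN) else "deny"
        print(f"{dn}: {verdict}")
```

The simple-provider route the reporter refers to corresponds to `access_provider = simple` with `simple_allow_groups` in sssd.conf; that path resolves the group through the POSIX group lookup, which is why a group with no gidNumber, like the one above, cannot be used with it.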
Comment 1 RHEL Program Management 2012-02-15 14:44:46 UTC
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request.