Linux / AD integration with SSSD: how to choose what systems a user can log into

active-directory linux sssd

We are trying out Active Directory integration on some Linux systems with SSSD.

So far so good: we joined the Linux systems to the domain and we can log into the Linux systems with AD-defined users. Right now every AD user can log into every Linux system which has been integrated with SSSD.

How can I let user Foo log into LinuxServer01 but prevent him from logging into LinuxServer02?
And/or how can I block a user from logging into every Linux system and just let him on some specific ones?

Best Answer

I would recommend against using the filter-based access control for most deployments, for two reasons:

  • they are hard to get right
  • the filters are applied on the user entry that is logging in. This might have interesting consequences, especially if the filter contains a memberof attribute while the user is a member of nested groups: since the user entry only contains memberof values for direct parents, the nested groups would never match.

For very simple use cases, such as allowing a user or a group of users, I would recommend using the simple access provider.

For complex use cases, SSSD supports AD GPOs starting with the 1.12.x series; search the sssd-ad man page for details.
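What the simple access provider recommended above looks like in practice, as an added example that is not part of the original answer: a per-host /etc/sssd/sssd.conf that lets only one AD group (plus one explicitly listed user) log into this machine. The domain name example.com, the group and user names, and the host are assumptions chosen for illustration, not taken from the question.

```ini
# /etc/sssd/sssd.conf on LinuxServer01 (added example; domain, host, group
# and user names are assumptions). The file must be owned by root with mode
# 0600, otherwise sssd refuses to start.
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
# Identity and authentication still come from AD; only the *access*
# decision is made locally on this host.
id_provider = ad
auth_provider = ad

# Host-local allow list evaluated by pam_sss at login time.
access_provider = simple

# Names must be written exactly as SSSD reports them (compare with
# "getent group" / "getent passwd"); with fully-qualified names enabled
# that means user@domain and group@domain.
use_fully_qualified_names = True

# Only members of this group may log in here ...
simple_allow_groups = linuxserver01-admins@example.com
# ... plus this one user, whatever groups he is in.
simple_allow_users = foo@example.com

# Everyone else gets "Permission denied" from PAM even with a valid AD
# password. Deny lists (simple_deny_users / simple_deny_groups) are checked
# before the allow lists, so a deny always wins; the man page treats defining
# both simple_allow_users and simple_deny_users as a configuration error.
```

On LinuxServer02 the same file simply names a different group (or omits foo@example.com), which is how a user ends up allowed on one host and refused on the other. Because the simple provider checks the group list SSSD has already resolved for the user rather than a raw memberof filter on the user entry, membership through nested AD groups is honoured. After editing, restart sssd and flush the cache with `sss_cache -E`, then test with a user who should be refused as well as one who should be allowed; a typo in a group name silently locks everyone out, so keep a root or local-account session open while you change it.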
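The GPO-based alternative mentioned above, again as an added example rather than the answer's own text: with access_provider = ad, SSSD evaluates the Windows user rights "Allow/Deny log on locally" and "Allow/Deny log on through Remote Desktop Services" from the GPOs linked to the computer's OU, so one identical sssd.conf can be deployed to every host and the per-host decision lives in AD. The domain name and the extra PAM service name are assumptions.

```ini
# /etc/sssd/sssd.conf deployed unchanged to every joined host (added
# example; domain and PAM service names are assumptions).
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
auth_provider = ad

# Let the AD provider make the access decision from GPO user rights
# assignment (requires SSSD 1.12 or newer).
access_provider = ad

# enforcing  : deny the login when the applicable GPO denies it
# permissive : evaluate and log the decision, but always allow
# disabled   : skip GPO evaluation entirely
# Roll out with "permissive" first and watch the sssd_example.com.log for
# the decisions it *would* have made before switching to "enforcing".
ad_gpo_access_control = enforcing

# Which PAM services are judged against which Windows logon right. sshd is
# already mapped to the "remote interactive" right by default; "+name" adds
# a service, "-name" removes one. The service below is a made-up example.
ad_gpo_map_remote_interactive = +sshd-internal
```

On the AD side, create a GPO under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment, set "Allow log on through Remote Desktop Services" (which SSSD maps to ssh) to the group that should reach a given set of hosts, and link it to the OU those computer objects sit in; a "Deny ..." right for a user wins over any allow, which covers the "block him everywhere except a few hosts" case from the question. Nested group membership is resolved by AD when the policy is evaluated, which is the reason this scales better than hand-written LDAP filters.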