From 6024b6e77c3e8e1c1a591e2022316a3a025f9f6a Mon Sep 17 00:00:00 2001 From: Ngairangbam Mili Date: Thu, 13 Jun 2024 07:37:34 +0000 Subject: [PATCH] Update SSH User Authentication using WAD to include usage of "ldap_access_filter" parameter Change-Id: I7b15e9de310c317a2017b6903515cb1fbdad8d60 Signed-off-by: Ngairangbam Mili --- .../kubernetes/sssd-support-5fb6c4b0320b.rst | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst b/doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst index 4bca576f2..562d56e3d 100644 --- a/doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst +++ b/doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst @@ -97,13 +97,13 @@ Commands to add mandatory parameters for a remote ldap domain: # is “identity” for all domains. # identifies a domain as either “ldap-domain1”, “ldap-domain2” or “ldap-domain3”. - E.g.: + Example: system service-parameter-add identity ldap-domain1 domain_name=ad.wad-server.com system service-parameter-add identity ldap-domain1 ldap_uri=ldaps://ad.wad-server.com - system service-parameter-add identity ldap-domain1 ldap_access_filter=memberOf=CN=WRCP_Admin,CN=Users,DC=wad-server,DC=com + system service-parameter-add identity ldap-domain1 ldap_access_filter=memberOf=CN=allowedusers,CN=Users,DC=wad-server,DC=com system service-parameter-add identity ldap-domain1 ldap_search_base=CN=Users,DC=wad-server,DC=com 
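Review bot: the replaced ``ldap_access_filter`` line still sits under "Commands to add mandatory parameters for a remote ldap domain", yet the note added later in this patch describes the parameter as something that "can be configured", i.e. optional. Either move the ``ldap_access_filter`` command to the "Optional Parameters" section or say in this list which of the four ``ldap-domain1`` parameters are actually required for the domain to come up. Also, the group DN in this hunk uses ``CN=Users,DC=wad-server,DC=com`` (matching ``ldap_search_base`` on the next line), so the example should keep that base DN wherever ``allowedusers`` is shown again in the same document.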
@@ -111,6 +111,22 @@ Commands to add mandatory parameters for a remote ldap domain: system service-parameter-add identity ldap-domain1 ldap_default_authtok =Passw0rd* +.. note:: + + The ``ldap_access_filter`` service parameter can be configured to allow + access to the Linux host. In the following example, the access is + restricted to members of the group ``allowedusers``. Users that are not + part of ``allowedusers`` will get the message ``Authentication failed``. + Here, ``allowedusers`` is an example of a |WAD| group. + + .. code-block:: none + + system service-parameter-add identity ldap-domain1 ldap_access_filter=memberOf=CN=allowedusers,CN=Users,DC=wad-1,DC=cumulus,DC=wrs,DC=com + + The ``allowedusers`` group is a |WAD| group where the ``gidNumber`` + |LDAP| attribute must be set to a unique group number among Linux groups so + that it is mapped on the Linux platform as a Linux |LDAP| group with a + unique ``gid`` value. Optional Parameters -------------------
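Review bot: the DN in the new note, ``CN=allowedusers,CN=Users,DC=wad-1,DC=cumulus,DC=wrs,DC=com``, does not match the ``DC=wad-server,DC=com`` domain used for ``domain_name``, ``ldap_uri``, ``ldap_search_base`` and the ``ldap_access_filter`` example a few lines above; a reader copying the note's command into the ``ldap-domain1`` setup shown above would get a filter that never matches, and the ``wad-1.cumulus.wrs.com`` name looks like an internal lab host that leaked into public documentation. Suggest ``system service-parameter-add identity ldap-domain1 ldap_access_filter=memberOf=CN=allowedusers,CN=Users,DC=wad-server,DC=com`` so the note and the example agree. Two further points on the note's text: it explains what happens to users outside ``allowedusers`` ("Authentication failed") but not what happens when ``ldap_access_filter`` is left unset, which is the security-relevant case for an operator deciding whether to configure it, so state that explicitly; and the sentence "can be configured to allow access to the Linux host" reads better as "can be configured to restrict which |WAD| users may log in to the host", since restriction is what the example demonstrates. Unrelated to the change but visible in the unchanged context, ``ldap_default_authtok =Passw0rd*`` has a stray space before ``=`` that would make ``system service-parameter-add`` receive ``ldap_default_authtok`` and ``=Passw0rd*`` as separate arguments if copied verbatim.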