adam crane

Reputation: 11

Validate AD user can log in using SSSD on SuSE

I have a requirement to validate if a given user can log in to a machine. I don't know their password, but the script can elevate to root using sudo. All the users are AD accounts using SSSD.

Everything I've found just validates if the user is valid or not, such as using id -u. Doing sudo -lu doesn't work if the user has never logged in before and only shows their sudo permissions. I've also tried using ldapsearch, but that only queries the AD server to see if they have the correct profiles, but not necessarily on that server.

Upvotes: 1

Views: 611

Answers (1)

Vicente Sloboda

Reputation: 11

Create in the Domain a group with the users you want to allow in the machine and use it in the key simple_allow_groups explained below.

In /etc/sssd/sssd.conf, add or modify the following keys:

# This will allow you to control who can log in to the computer using simple_allow_groups.
access_provider = simple
# Domain group names; this limits logon permission to just the members of the groups in this option.
simple_allow_groups = groupname1, groupname2

Edit the sudoers (using visudo) and add:

%groupname1 ALL=(ALL)      NOPASSWD: ALL

This will allow the user to run any command. If you want to limit the commands allowed, see the examples in the sudoers file.

Upvotes: 0
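
An added example, not part of the answer above: a shell function that evaluates the answer's `simple_allow_groups` rule against a user's group list, so a root script can predict the access decision without the user's password. It assumes a single `[domain/...]` section, case-insensitive group names and no other `simple_*` keys; the sample configuration and the domain and group names in it are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate sssd.conf's
# simple_allow_groups rule for one user's group list, without a password.
# Assumptions: one [domain/...] section, case-insensitive group names;
# other simple_* keys (simple_allow_users, simple_deny_*) are ignored.

# Print the value of KEY in FILE; the last assignment wins.
conf_value() {  # conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# 0 = allowed, 1 = denied, 2 = the simple_allow_groups rule is not in effect.
# GROUPS holds one group per line, e.g.: id -Gnz "$user" | tr '\0' '\n'
simple_access_allowed() {  # simple_access_allowed FILE GROUPS
    [ "$(conf_value "$1" access_provider)" = "simple" ] || return 2
    allowed=$(conf_value "$1" simple_allow_groups | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d')
    [ -n "$allowed" ] || return 2
    # grep treats $allowed as a newline-separated list of fixed strings;
    # -x demands a whole-line match, so "admins" does not match "linux-admins".
    printf '%s\n' "$2" | grep -Fxiq -e "$allowed" && return 0
    return 1
}

# Constructed sample configuration (hypothetical domain and group names).
write_sample_conf() {  # write_sample_conf FILE
    cat > "$1" <<'EOF'
[domain/example.test]
id_provider = ad
# sssd.conf has no inline comments, so comments sit on their own lines.
access_provider = simple
simple_allow_groups = linux-admins, Domain Ops
EOF
}

demo() {
    conf=$(mktemp) && write_sample_conf "$conf"
    for groups in "domain users
linux-admins" "domain users
admins"; do
        simple_access_allowed "$conf" "$groups" && rc=0 || rc=$?
        printf 'exit=%s for groups: %s\n' "$rc" "$(printf '%s' "$groups" | tr '\n' ',')"
    done
    rm -f "$conf"
}
demo
```

Where `sssctl` is available, `sudo sssctl user-checks -a acct -s sshd USER` runs the PAM account check for that service on the live host without a password. Because `sssd.conf` does not support inline comments, a value such as `simple # note` is read whole and the function returns 2.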
