Reputation: 11
I have a requirement to validate whether a given user can log in to a machine. I don't know their password, but the script can elevate to root using `sudo`. All the users are AD accounts using SSSD.

Everything I've found just validates whether the user is valid or not, such as using `id -u`. Doing `sudo -lu` doesn't work if the user has never logged in before, and it only shows their sudo permissions. I've also tried using `ldapsearch`, but that only queries the AD server to see if they have the correct profiles, not necessarily on that server.
Upvotes: 1
Views: 611
Reputation: 11
Create a group in the domain containing the users you want to allow on the machine, and use it in the `simple_allow_groups` key explained below.

In `/etc/sssd/sssd.conf`, add or modify the following keys:

```
# This will allow you to control who can log in to the computer using simple_allow_groups.
access_provider = simple
# Domain group names let you limit the log-on permission to just the members of the groups in this option.
simple_allow_groups = groupname1, groupname2
```

Edit the sudoers file (using `visudo`) and add:

```
%groupname1 ALL=(ALL) NOPASSWD: ALL
```

This will allow the user to run any command. If you want to limit the commands allowed, see the examples in the sudoers file.
Upvotes: 0
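The following is an added example, not code from the question or the answer above. It evaluates the allow lists of SSSD's `simple` access provider for one user against a constructed `sssd.conf`, and lists the `%group` sudoers rules that would apply, so the two settings from the answer can be checked offline before a user ever logs in. Assumptions: a single `[domain/...]` section, short unqualified names (no `user@domain`), case-insensitive matching as in an AD domain, and only the allow lists (`simple_allow_users`, `simple_allow_groups`); the provider's deny lists are not modelled. The sample config, sudoers file, users and group memberships are constructed for the example.

```shell
#!/bin/sh
# Added example: offline evaluation of the sssd "simple" access provider's
# allow lists plus the matching sudoers group rules. Not the project's code.
# Assumptions: one [domain/...] section, short names, case-insensitive AD
# names, deny lists not modelled.

# Print the value of key $2 from sssd.conf $1 (first occurrence, empty if unset).
sssd_key() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Succeed if $1 is an element of the comma-separated list $2, ignoring case
# and surrounding whitespace (AD names are case-insensitive).
in_list() {
    needle=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s' "$2" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]' | grep -qxF -- "$needle"
}

# simple_access CONF USER GROUPS
#   GROUPS: the user's group names, one per line (AD names may contain spaces).
#   On a live host: id -G "$user" | tr ' ' '\n' | xargs -n1 getent group | cut -d: -f1
#   Prints allow/deny; status 0 = allow, 1 = deny, 2 = not the simple provider.
simple_access() {
    conf=$1; user=$2; groups=$3
    if [ "$(sssd_key "$conf" access_provider)" != "simple" ]; then
        echo "not-simple"; return 2
    fi
    allow_users=$(sssd_key "$conf" simple_allow_users)
    allow_groups=$(sssd_key "$conf" simple_allow_groups)
    # With no allow lists configured, the simple provider grants everyone access.
    if [ -z "$allow_users" ] && [ -z "$allow_groups" ]; then
        echo allow; return 0
    fi
    if in_list "$user" "$allow_users"; then
        echo allow; return 0
    fi
    # Any one of the user's groups in simple_allow_groups is enough.
    hit=$(printf '%s\n' "$groups" | while IFS= read -r g; do
              if [ -n "$g" ] && in_list "$g" "$allow_groups"; then
                  echo yes; break
              fi
          done)
    if [ "$hit" = yes ]; then
        echo allow; return 0
    fi
    echo deny; return 1
}

# sudo_group_rules SUDOERS GROUPS
#   Print the "%group ..." rules in SUDOERS whose group is in GROUPS (one per line).
#   Only plain group rules are matched: aliases, user rules, groups written with
#   escaped spaces and files under /etc/sudoers.d are not followed.
sudo_group_rules() {
    sudoers=$1
    printf '%s\n' "$2" | while IFS= read -r g; do
        [ -n "$g" ] || continue
        awk -v g="%$g" '$1 == g' "$sudoers"
    done
}

# Constructed sample files (not real configuration); each prints a temp path.
sample_sssd_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = simple
simple_allow_groups = linux-admins, web-ops
EOF
    echo "$f"
}

sample_sudoers() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
root ALL=(ALL) ALL
%linux-admins ALL=(ALL) NOPASSWD: ALL
%web-ops ALL=(ALL) /usr/bin/systemctl restart nginx
EOF
    echo "$f"
}

# Demo with two constructed users: alice is in linux-admins, bob is not.
demo_conf=$(sample_sssd_conf); demo_sudoers=$(sample_sudoers)
for u in alice bob; do
    case $u in
        alice) memberships=$(printf 'Domain Users\nlinux-admins') ;;
        bob)   memberships=$(printf 'Domain Users\nfinance') ;;
    esac
    printf '%s: login=%s, sudo rules:\n' "$u" "$(simple_access "$demo_conf" "$u" "$memberships")"
    sudo_group_rules "$demo_sudoers" "$memberships"
done
rm -f "$demo_conf" "$demo_sudoers"
```

Feed `simple_access` the real `/etc/sssd/sssd.conf` and the group list resolved through `getent` to get a verdict for a user who has never logged in; the authoritative answer on the host itself comes from SSSD's own PAM account check, `sssctl user-checks -s sshd -a acct USERNAME` (from sssd-tools), which also honours any access rules this script does not model.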