LDAP Query - host allowed option

I have an interesting dilemma that I am trying to address. I have some ldap queries that I use to retrieve user information to perform access validations on a quarterly/annual basis. I can successfully pull the local users, and I can use ldapsearch to pull back all the users from the DN as well. However, my problem is, I need to narrow down this search so that I can report on LDAP users who have access to the local server and not just return every user in the DN on every server, so that I can then truly validate whether people need to retain access to the specific hosts they have access to. I have so far been unable to come up with (or find an example of) a proper command that returns a "host allowed" value, or just returns a list of users with access to the host that I am running the ldap search on. Has anyone run across this before and have a viable option of how to report only LDAP users with access to the server on which the query is running? I have to run this on hundreds of servers, so getting this right is pretty critical to me.

Seems like you can easily run a generic LDAP query and then filter / process the results.

Sometimes the simple solution is the best one.

I'm already running a generic LDAP query. The problem is, the results are the same on every server. For Identity and Access Management, this isn't what I want, as not all users have access to all servers. I was trying to find some switch that I could use in my query, or an alternate way to look up LDAP users who have access to the local server without also giving me everyone else. Simple is always better, but in this case, simple didn't cut it as it overproduced results.

So how is the access controlled: Group membership? The sssd.conf "simple_allow_groups" option? sshd_config "AllowUsers"?

I would not know this going in. I would need to read the config file during script execution which is why I was hoping someone with a bit more experience might provide examples. If you can suggest a way for each based on the config option, I can likely work on the code from there. The solution will be used for more than one hosted customer so I wanted to be able to reuse the same code and produce output for each regardless of which direction they went.

Without knowing how access is controlled on the hosts, there's no way to say what you need to search for...

So, I've been working with the customer SA and they state they're using sshd.conf to limit access. They're using AllowGroups for their delineation. I'm sure other customers are likely using other options, but I can only work with what I know, and something is better than nothing.

So, you could extract the allowed groups from sshd.conf, and query LDAP to get the users in those groups.

On our systems this would be something like:

# take the first AllowGroups line (sshd honours the first occurrence), drop the keyword
for group in $(awk '/^AllowGroups/ {$1=""; print; exit}' /etc/ssh/sshd_config)
do
   # look up each allowed group and print its members (posixGroup memberUid)
   ldapsearch -xZ -b "ou=groups,dc=domain,dc=com" "(cn=${group})" memberUid
done

but YMMV...

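The same approach, written out in Python so it can be reused across hosts without shelling out per group. This is an added example, not code from the thread: it parses the first effective AllowGroups directive (ignoring comments and stopping at a Match block), builds one RFC 4515-escaped LDAP filter for all the groups, assembles the ldapsearch argv, and parses the LDIF that ldapsearch returns into a group-to-members map. The sshd_config and LDIF inputs are constructed samples; the base DN, the use of -xZ, and the posixGroup memberUid attribute are assumptions taken from the shell snippet above (a groupOfNames schema would use member instead).

```python
"""Derive the LDAP group query for a host from its sshd_config AllowGroups line."""
import re
import shlex
from typing import Dict, List, Optional

# Constructed sample sshd_config (a real run reads /etc/ssh/sshd_config).
SAMPLE_SSHD_CONFIG = """\
# AllowGroups wheel   <- commented out, must be ignored
Port 22
AllowGroups  sysadmins db-ops "app team"
AllowGroups later-line-does-not-win
Match User backup
    AllowGroups backupops
"""

# Constructed sample of what `ldapsearch -LLL ... cn memberUid` returns.
SAMPLE_LDIF = """\
dn: cn=sysadmins,ou=groups,dc=example,dc=com
cn: sysadmins
memberUid: alice
memberUid: bob

dn: cn=db-ops,ou=groups,dc=example,dc=com
cn: db-ops
memberUid: carol
"""


def allowed_groups(config_text: str) -> Optional[List[str]]:
    """Groups from the first effective AllowGroups directive, or None if absent.

    sshd uses the first value it sees for a keyword, so the first global
    AllowGroups line wins.  Directives inside a Match block are conditional,
    so parsing stops there.  None means sshd is not restricting by group.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = re.sub(r"^(\w+)=", r"\1 ", line)  # allow the Keyword=value form
        parts = shlex.split(line)                  # quoted arguments are allowed
        keyword = parts[0].lower()                 # keywords are case-insensitive
        if keyword == "match":
            break
        if keyword == "allowgroups":
            return parts[1:]
    return None


def ldap_escape(value: str) -> str:
    """Escape a value for inclusion in an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_filter(groups: List[str]) -> str:
    """One filter matching any of the groups, e.g. (|(cn=a)(cn=b))."""
    clauses = "".join(f"(cn={ldap_escape(g)})" for g in groups)
    return clauses if len(groups) == 1 else f"(|{clauses})"


def ldapsearch_argv(base_dn: str, groups: List[str]) -> List[str]:
    """argv for a single ldapsearch call returning the members of the groups."""
    return ["ldapsearch", "-xZ", "-LLL", "-b", base_dn,
            group_filter(groups), "cn", "memberUid"]


def parse_members(ldif_text: str) -> Dict[str, List[str]]:
    """Map group cn -> list of memberUid from LDIF output (plain values only).

    Handles LDIF line folding (continuation lines start with a space); base64
    values ('attr:: ...') are not expected for cn/memberUid and are skipped.
    """
    result: Dict[str, List[str]] = {}
    for entry in re.split(r"\n\s*\n", ldif_text.strip()):
        unfolded = entry.replace("\n ", "")
        cn, members = None, []
        for line in unfolded.splitlines():
            if "::" in line or ": " not in line:
                continue
            attr, value = line.split(": ", 1)
            if attr.lower() == "cn":
                cn = value
            elif attr.lower() == "memberuid":
                members.append(value)
        if cn is not None:
            result[cn] = members
    return result


if __name__ == "__main__":
    groups = allowed_groups(SAMPLE_SSHD_CONFIG)
    if groups is None:
        print("no AllowGroups directive: sshd is not restricting by group")
    else:
        # On a real host you would run this argv with subprocess and feed
        # its stdout to parse_members(); here the sample LDIF stands in.
        print(" ".join(shlex.quote(a) for a in
                       ldapsearch_argv("ou=groups,dc=example,dc=com", groups)))
        for group, uids in parse_members(SAMPLE_LDIF).items():
            print(f"{group}: {', '.join(uids)}")
```

When a host has no AllowGroups line the function returns None rather than an empty list, which is the case to flag in the report: ssh is not restricting by group there, so every LDAP account that can authenticate has access, and a DenyGroups or AllowUsers directive would need separate handling.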