Thanks a lot for the answer. I commented out ldap_access_filter. I suppose by "flush" you mean 'sss_cache -E'. I did it, but it did not help.
The LDAP entry of a user who can log in but should not be able to is below. Note: the host 'another-node' is a different computer from the CentOS 7 machine to which USER1 can log in but should not be able to. Even without the host attribute he can log in.
Thank you, ulrich
# extended LDIF
#
# LDAPv3
# base <ou=XXXX,o=YYYY> with scope subtree
# filter: uid=USER1
# requesting: ALL
#

# USER1, XXXX, YYYY
dn: uid=USER1,ou=XXXX,o=YYYY
accountStatus: active
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: ibm-auxAccount
objectClass: qmailUser
objectClass: sambaSamAccount
uid: USER1
uidNumber: ****
shadowFlag: 0
shadowInactive: -1
gidNumber: ***
shadowMin: -1
shadowMax: 999999
homeDirectory: /home/USER1
sn: USER1
mail: USER1@my.doma.in
mailHost: lmtp:unix:/var/lib/imap/socket/lmtp
shadowWarning: 7
sambaSID: *****************************************
shadowExpire: -1
mailAlternateAddress: USER1a
cn: surname lastname
gecos: surname lastname
loginShell: /bin/bash
host: another-node
On 02/24/2015 01:06 AM, Gordon Messmer wrote:
On 02/23/2015 03:59 AM, Ulrich Hiller wrote:
/etc/sssd/sssd.conf:
[domain/default]
access_provider = ldap
ldap_access_filter = memberOf=ou=YYYY,o=XXXX
ldap_access_order = host
Because ldap_access_order doesn't include "filter", ldap_access_filter will not be used. You can remove that.
Aside from that, it would be helpful to see the entry for one of the users who can log in and should not be able to.
Make sure you flush the cache before testing.
/etc/ldap.conf:
I don't think that file is relevant.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
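The ldap_access_order point from the reply above, written out as an added illustration (this is not either poster's configuration): the posted setting next to one where both the filter and the host check are evaluated. The group DN is a placeholder; ldap_user_authorized_host is the real sssd-ldap(5) option whose default is already "host".

```ini
# /etc/sssd/sssd.conf  (added illustration, not the thread's file)
[domain/default]
access_provider = ldap

# As posted: ldap_access_order names only "host", so sssd never evaluates
# ldap_access_filter at all. The filter line is dead configuration here.
# ldap_access_order = host
# ldap_access_filter = memberOf=ou=YYYY,o=XXXX

# To enforce both checks, list both. sssd runs them in order and the user
# must pass every one; the first failure denies access.
# sssd combines the filter with the lookup of the logging-in user, so it
# needs no uid clause. The group DN is a PLACEHOLDER, not a value from the thread.
ldap_access_order = filter, host
ldap_access_filter = (memberOf=cn=PLACEHOLDER-GROUP,ou=groups,o=YYYY)

# "host" compares the values of this user attribute (default: host) with
# this machine's hostname; a value of "*" permits login on any host.
ldap_user_authorized_host = host

# After editing: restart sssd (config is read at start) and drop cached
# entries with "sss_cache -E" before re-testing, as suggested in the thread.
```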