Dear all,
i have a problem with sssd in conjunction with ldap on a centos 7 x86_64 box. ldap works fine. I can login there as an usual user registred in ldap.
I want now restrict the access with ldap's host attribute. This is beeing ignored. Still every ldap user can login, no matter what the host attribute says. I googled around and only found that sssd.conf need two lines: access_provider = ldap ldap_access_order = host
So i do not understand why it is not working. I append to this e-mail: /etc/sssd/sssd.conf /etc/ldap.conf /etc/pamd.d/ssh
Can somebody give me hints what could be wrong?
With kind reagards and thanks a lot in advance, Ulrich
/etc/sssd/sssd.conf: -------------------- [sssd] config_file_version = 2 services = nss, pam, autofs domains = default # SSSD will not start if you do not configure any domains. # Add new domain configurations as [domain/<NAME>] sections, and # then add the list of domains (in the order you want them to be # queried) to the "domains" attribute below and uncomment it. # domains = LDAP
[nss] filter_groups = root filter_users = root
[pam]
[domain/default] ldap_uri = ldap://myldapserver.mydomain ldap_search_base = o=XXXX ldap_schema = rfc2307bis id_provider = ldap ldap_user_uuid = entryuuid ldap_group_uuid = entryuuid ldap_id_use_start_tls = True enumerate = False cache_credentials = False ldap_tls_cacertdir = /etc/openldap/cacerts/ chpass_provider = ldap auth_provider = ldap ldap_tls_reqcert = never ldap_user_search_base = ou=YYYY,o=XXXX ldap_group_search_base = ou=YYYY,o=XXXX
access_provider = ldap ldap_access_filter = memberOf=ou=YYYY,o=XXXX ldap_access_order = host
/etc/ldap.conf: ----------------------
# # LDAP Defaults #
# See ldap.conf(5) for details # This file should be world readable but not world writable.
#BASE dc=example,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12 #TIMELIMIT 15 #DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
# Turning this off breaks GSSAPI used with krb5 when rdns = false SASL_NOCANON on URI ldap://myldapserver.mydomain BASE ou=YYYY,o=XXXX
/etc/pam.d/sshd: ------------------------------
#%PAM-1.0 auth required pam_sepermit.so auth substack password-auth auth include postlogin account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session include password-auth session include postlogin session required pam_mkhomedir.so skel=/etc/skel/ umask=0077