Dear all,
I have a problem with sssd in conjunction with ldap on a CentOS 7 x86_64 box. ldap works fine. I can log in there as a usual user registered in ldap.

I want now to restrict the access with ldap's host attribute. This is being ignored. Still every ldap user can log in, no matter what the host attribute says. I googled around and only found that sssd.conf needs two lines:

access_provider = ldap
ldap_access_order = host

So I do not understand why it is not working. I append to this e-mail:
/etc/sssd/sssd.conf
/etc/ldap.conf
/etc/pam.d/sshd

Can somebody give me hints what could be wrong?

With kind regards and thanks a lot in advance,
Ulrich
/etc/sssd/sssd.conf:
--------------------
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = default
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LDAP

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/default]
ldap_uri = ldap://myldapserver.mydomain
ldap_search_base = o=XXXX
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/openldap/cacerts/
chpass_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
ldap_user_search_base = ou=YYYY,o=XXXX
ldap_group_search_base = ou=YYYY,o=XXXX

access_provider = ldap
ldap_access_filter = memberOf=ou=YYYY,o=XXXX
ldap_access_order = host
/etc/ldap.conf:
----------------------
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERTDIR /etc/openldap/cacerts

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
URI ldap://myldapserver.mydomain
BASE ou=YYYY,o=XXXX
/etc/pam.d/sshd:
------------------------------
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077
On 02/23/2015 03:59 AM, Ulrich Hiller wrote:
> /etc/sssd/sssd.conf:
> [domain/default]
> access_provider = ldap
> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
> ldap_access_order = host

Because ldap_access_order doesn't include "filter", ldap_access_filter will not be used. You can remove that.

Aside from that, it would be helpful to see the entry for one of the users who can log in and should not be able to.

Make sure you flush the cache before testing.

> /etc/ldap.conf:

I don't think that file is relevant.
Thanks a lot for the answer. I commented out ldap_access_filter. I suppose with flush you mean 'sss_cache -E'. I did it. But it did not help.

The ldap entry of a user who can log in and should not be able to is below. Note: the host 'another-node' is a different computer than the CentOS 7 to which USER1 can log in but should not be able to. Even without the host attribute he can log in.

Thank you,
Ulrich
# extended LDIF
#
# LDAPv3
# base <ou=XXXX,o=YYYY> with scope subtree
# filter: uid=USER1
# requesting: ALL
#

# USER1, XXXX, YYYY
dn: uid=USER1,ou=XXXX,o=YYYY
accountStatus: active
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: ibm-auxAccount
objectClass: qmailUser
objectClass: sambaSamAccount
uid: USER1
uidNumber: ****
shadowFlag: 0
shadowInactive: -1
gidNumber: ***
shadowMin: -1
shadowMax: 999999
homeDirectory: /home/USER1
sn: USER1
mail: USER1@my.doma.in
mailHost: lmtp:unix:/var/lib/imap/socket/lmtp
shadowWarning: 7
sambaSID: *****************************************
shadowExpire: -1
mailAlternateAddress: USER1a
cn: surname lastname
gecos: surname lastname
loginShell: /bin/bash
host: another-node
On 02/24/2015 01:06 AM, Gordon Messmer wrote:
> On 02/23/2015 03:59 AM, Ulrich Hiller wrote:
>> /etc/sssd/sssd.conf:
>> [domain/default]
>> access_provider = ldap
>> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
>> ldap_access_order = host
>
> Because ldap_access_order doesn't include "filter", ldap_access_filter will not be used. You can remove that.
>
> Aside from that, it would be helpful to see the entry for one of the users who can log in and should not be able to.
>
> Make sure you flush the cache before testing.
>
>> /etc/ldap.conf:
>
> I don't think that file is relevant.
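To see what the host rule is supposed to decide for an entry like the one posted, here is an added Python check (my own example, not sssd code and not from anyone in the thread). It parses a constructed LDIF entry with placeholder values and applies the ldap_access_order = host rules as I understand them from sssd-ldap(5): the value must match the local hostname from gethostname(), '*' allows every host, '!name' denies that host and wins, and a missing host attribute means deny.

```python
import socket

# Constructed LDIF entry modelled on the one in the thread (placeholder values).
SAMPLE_LDIF = """\
dn: uid=USER1,ou=XXXX,o=YYYY
objectClass: posixAccount
uid: USER1
homeDirectory: /home/USER1
loginShell: /bin/bash
host: another-node
"""


def parse_ldif_entry(text):
    """Return {attribute: [values]} for one LDIF entry, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:   # LDIF folds long values with a leading space
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def host_access_allowed(host_values, this_host):
    """Assumed sssd host-rule semantics: no attribute -> deny; '!host' naming us -> deny
    (a denial trumps everything); '*' or a case-insensitive hostname match -> allow."""
    if not host_values:
        return False
    allowed = False
    for value in host_values:
        if value.startswith("!") and value[1:].lower() == this_host.lower():
            return False
        if value == "*" or value.lower() == this_host.lower():
            allowed = True
    return allowed


def check_entry(ldif_text, this_host=None):
    """Decide access for the entry on this_host (defaults to the local hostname)."""
    this_host = this_host or socket.gethostname()
    entry = parse_ldif_entry(ldif_text)
    return host_access_allowed(entry.get("host", []), this_host)


if __name__ == "__main__":
    print("allowed on this node:", check_entry(SAMPLE_LDIF))
```

If this says deny for the node's hostname and the user still logs in, the access provider is not being consulted at all: the sshd stack above only reaches pam_sss.so through password-auth, so check that its account phase actually lists pam_sss.so and that sssd is serving PAM.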
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos