[CentOS] sssd - ldap host attribute ignored

Mon Feb 23 11:59:58 UTC 2015
Ulrich Hiller <hiller at mpia-hd.mpg.de>

Dear all,

i have a problem with sssd in conjunction with ldap on a centos 7 x86_64
box.
ldap works fine. I can login there as an usual user registred in ldap.

I want now restrict the access with ldap's host attribute. This is
beeing ignored. Still every ldap user can login, no matter what the host
attribute says.
I googled around and only found that sssd.conf need two lines:
access_provider = ldap
ldap_access_order = host

So i do not understand why it is not working. I append to this e-mail:
/etc/sssd/sssd.conf
/etc/ldap.conf
/etc/pamd.d/ssh

Can somebody give me hints what could be wrong?

With kind reagards and thanks a lot in advance, Ulrich

/etc/sssd/sssd.conf:
--------------------
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = default
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LDAP

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/default]
ldap_uri = ldap://myldapserver.mydomain
ldap_search_base = o=XXXX
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/openldap/cacerts/
chpass_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
ldap_user_search_base = ou=YYYY,o=XXXX
ldap_group_search_base = ou=YYYY,o=XXXX

access_provider = ldap
ldap_access_filter = memberOf=ou=YYYY,o=XXXX
ldap_access_order = host




/etc/ldap.conf:
----------------------

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERTDIR /etc/openldap/cacerts

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
URI ldap://myldapserver.mydomain
BASE ou=YYYY,o=XXXX





/etc/pam.d/sshd:
------------------------------

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed
in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
session  required       pam_mkhomedir.so skel=/etc/skel/ umask=0077