[CentOS] sssd - ldap host attribute ignored

Tue Feb 24 09:09:57 UTC 2015
Ulrich Hiller <hiller@mpia-hd.mpg.de>

Thanks a lot for the answer. I commented out ldap_access_filter.
I suppose with flush you mean 'sss_cache -E'. I did it. But it did not help.

The LDAP entry of a user who can log in and should not be able to is
below. Note: the host 'another-node' is a different computer from the
CentOS 7 machine to which USER1 can log in but should not be able to. Even
without the host attribute he can log in.

Thank you, ulrich

# extended LDIF
#
# LDAPv3
# base <ou=XXXX,o=YYYY> with scope subtree
# filter: uid=USER1
# requesting: ALL
#

# USER1, XXXX, YYYY
dn: uid=USER1,ou=XXXX,o=YYYY
accountStatus: active
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: ibm-auxAccount
objectClass: qmailUser
objectClass: sambaSamAccount
uid: USER1
uidNumber: ****
shadowFlag: 0
shadowInactive: -1
gidNumber: ***
shadowMin: -1
shadowMax: 999999
homeDirectory: /home/USER1
sn: USER1
mail: USER1@my.doma.in
mailHost: lmtp:unix:/var/lib/imap/socket/lmtp
shadowWarning: 7
sambaSID: *****************************************
shadowExpire: -1
mailAlternateAddress: USER1a
cn: surname lastname
gecos: surname lastname
loginShell: /bin/bash
host: another-node


On 02/24/2015 01:06 AM, Gordon Messmer wrote:
> On 02/23/2015 03:59 AM, Ulrich Hiller wrote:
>>
>> /etc/sssd/sssd.conf:
>> [domain/default]
>> access_provider = ldap
>> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
>> ldap_access_order = host
> 
> Because ldap_access_order doesn't include "filter", ldap_access_filter
> will not be used.  You can remove that.
> 
> Aside from that, it would be helpful to see the entry for one of the
> users who can log in and should not be able to.
> 
> Make sure you flush the cache before testing.
> 
>> /etc/ldap.conf:
> 
> I don't think that file is relevant.
> 
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
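Added example, not code from the thread or from the sssd project: a small POSIX sh script that pulls the host attribute values out of an LDIF entry like the one posted above and applies the ldap_access_order = host rule to them the way sssd-ldap(5) describes it. A value equal to the machine's own hostname or "*" grants access, a value of the form "!hostname" denies access on that host, and an entry with no host attribute at all is denied. The LDIF text embedded in the script is a constructed, trimmed copy of the posted entry; the case-insensitive comparison and the helper names (ldif_attr_values, host_allowed, check_entry) are this example's own choices, not sssd's.

```shell
#!/bin/sh
# Added example, not code from the thread: apply sssd's ldap_access_order=host
# rule to a user's LDAP entry, following the behaviour described in sssd-ldap(5):
#   - a host value equal to this machine's hostname, or "*", grants access
#   - a host value "!<hostname>" denies access on that host (and wins)
#   - no host attribute at all means access is denied
# The case-insensitive comparison and the function names are this example's
# own choices (assumptions), not taken from sssd.

# Constructed sample: the posted entry, trimmed to the lines that matter here.
SAMPLE_LDIF='dn: uid=USER1,ou=XXXX,o=YYYY
objectClass: posixAccount
uid: USER1
host: another-node
'

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# ldif_attr_values <ldif-text> [attribute]
# Print every value of the attribute (default: host) from the LDIF text, one per line.
ldif_attr_values() {
    printf '%s\n' "$1" | sed -n "s/^${2:-host}: *//p"
}

# host_allowed <this-hostname> [host-value...]
# Exit 0 if the rule grants access, 1 if it denies.
host_allowed() {
    me=$(lc "$1"); shift
    if [ $# -eq 0 ]; then
        return 1                      # attribute missing: denied
    fi
    for v in "$@"; do                 # an explicit "!me" wins over any allow
        if [ "$(lc "$v")" = "!$me" ]; then
            return 1
        fi
    done
    for v in "$@"; do
        v=$(lc "$v")
        if [ "$v" = '*' ] || [ "$v" = "$me" ]; then
            return 0
        fi
    done
    return 1                          # nothing matched this host
}

# check_entry <this-hostname> <ldif-text>
# Combine the two: pull the host values out of the entry and evaluate them.
check_entry() {
    set -- "$1" $(ldif_attr_values "$2")
    host_allowed "$@"
}

# Stand-alone demo: what the rule would decide for USER1 on this machine.
this_host=$(uname -n)
if check_entry "$this_host" "$SAMPLE_LDIF"; then
    echo "host rule: USER1 allowed on $this_host"
else
    echo "host rule: USER1 denied on $this_host"
fi
```

With the posted entry the rule denies USER1 on every host except another-node, so if he still gets a shell on the CentOS 7 box, the likelier explanation is that sssd's access check is not being consulted at all rather than that the rule misfires. Things worth checking: that `default` appears in `domains =` under `[sssd]`, that the account phase in /etc/pam.d/system-auth and password-auth actually calls pam_sss.so, and, after raising debug_level in [domain/default], whether /var/log/sssd/sssd_default.log shows the access check running for the login. Clear the cache with `sss_cache -E` between tries.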