[CentOS] ldap host attribute is ignored

Wed May 6 14:24:22 UTC 2015
Ulrich Hiller <hiller at mpia-hd.mpg.de>

Thanks a lot for the explanation. I have confused some things while
crawling through the manuals.

Now I have removed 'ldap' from /etc/nsswitch.conf. Now it looks
like this:

passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplu


My /etc/openldap/ldap.conf is this:
TLS_CACERTDIR /etc/openldap/cacerts/
SASL_NOCANON    on
URI ldap://ldap.mydomain.tld
BASE o=XXX

The sssd.conf is this:
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = default

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/default]
ldap_uri = ldap://ldap.mydomain.tld
ldap_search_base = o=XXX
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/ssl/certs
chpass_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
ldap_user_search_base = ou=YYY,o=XXX
ldap_group_search_base = ou=YYY,o=XXX

access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host

autofs_provider = ldap
krb5_realm = #
[autofs]


When I stop the sssd daemon, no login at all is possible. But when I
start sssd, again login is successful, independently from what I write
into ldap_access_order and ldap_user_authorized_host (if I don't commit
syntax errors). I also tried with ldap_access_filter and inserting
"pam_check_host_attr     yes" into ldap.conf.
Still the same: when username and password are correct, the host
attribute is ignored.

Is there another config file i have to edit?

With kind regards, Ulrich


On 05/05/2015 11:43 PM, Gordon Messmer wrote:
> On 05/05/2015 11:14 AM, Ulrich Hiller wrote:
>> On 05/05/2015 06:47 PM, Gordon Messmer wrote:
>>> This is wrong.  Don't use sss and ldap together.  It's redundant. At
>>> best it will cause performance problems.
>>>
>>> Get rid of the ldap module and see if the system starts working
>>> correctly with just sssd.  It's possible that right now sssd is
>>> correctly filtering users, but the PADL ldap module is providing them.
>>
>> This was a good hint (I should have got the idea myself).
>> Now I set
>> passwd:     files ldap
>> shadow:     files ldap
>> group:      files ldap
> 
> That's exactly the opposite of what I suggested.  Your system is now
> using the deprecated PADL ldap module for name service instead of sssd.
> 
> You should probably remove nscd and nss-pam-ldapd from your system
> entirely.  They're deprecated, and they're going to waste your time.
> 
>> and got "pam_unix(sshd:auth): check pass; user unknown"
> 
> That seems consistent with having "ldap" in nsswitch.conf and no
> /etc/ldap.conf.
> 
> Don't use "ldap".  Use "sss".
> 
>> So, does it mean only the NSS is providing the ldap user information,
>> and sssd cannot read the pam information? So pam is not set up correctly?
> 
> That's a confusing question, so let me explain the stack a little.
> 
> At one end you have your applications.  Everything that needs to resolve
> user names, groups, hosts, services, etc. is here.  For example, "ls".
> "ls" reads directories and stats files; those files have numeric user
> and group IDs, which need to be resolved to names.
> 
> In the middle you have glibc and its "nss" API.  "nss" provides a single
> interface to applications for resolving names and numbers for the types
> defined in nsswitch.conf.
> 
> At the other end of the stack you have nss modules.  These include the
> "unix" module which reads files in /etc, the deprecated LDAP module from
> PADL, and the sss module that's part of sssd.
> 
> (sssd extends the stack a little bit.  It provides one interface to nss,
> and has its own modules to resolve names through LDAP and other
> directories.)
> 
> PAM is completely separate from all of that.  PAM provides
> authentication services.  It's a completely different interface from
> resolving names and numbers.
> 
> So, right now it sounds like you have the system configured to read
> information from the "ldap" module, but that module needs
> /etc/ldap.conf.  You should be using the "sss" module in nsswitch.conf
> instead.
> 
>> I am confused about what to do now.
>> Do i have to configure anything else in /etc/pam.d apart from
>> system-auth?
> 
> You probably shouldn't ever touch the files in /etc/pam.d.
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
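The three layers Gordon describes (nsswitch.conf modules, sssd's own domain configuration, and PAM) each have to agree before an sssd access rule such as ldap_access_order = host can take effect. The script below is an added example, not part of the thread and not from the sssd project: it runs read-only checks against constructed copies of nsswitch.conf, sssd.conf and a system-auth PAM stack (the sample files, the function names and the paths under the scratch directory are all assumptions). It flags a database that lists both "sss" and "ldap", confirms that the domain section enables host-based access control, and confirms that pam_sss.so sits in the PAM "account" phase, which is where sssd's access_provider is consulted; without that last piece a correct sssd.conf changes nothing about who may log in.

```shell
#!/bin/sh
# Added example (not from the thread or the sssd project): read-only checks
# for the three layers of the name-service / sssd / PAM stack, run against
# constructed copies of the configuration files.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample files (assumptions, not the real configuration from the
# thread). The sample nsswitch.conf deliberately lists "sss" and "ldap"
# together for shadow, the mix the reply warns against.
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd:     files sss
shadow:     files sss ldap
group:      files sss
hosts:      files dns
EOF

cat > "$WORK/sssd.conf" <<'EOF'
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_order = host
EOF

cat > "$WORK/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
EOF

# Layer 1, nsswitch.conf: print every database that lists both the sss and
# the ldap module; exit 1 if any does.  Usage: nss_mixed_modules FILE
nss_mixed_modules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            has_sss = 0; has_ldap = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "sss")  has_sss = 1
                if ($i == "ldap") has_ldap = 1
            }
            if (has_sss && has_ldap) {
                name = $1; sub(/:$/, "", name); print name; bad = 1
            }
        }
        END { if (bad) exit 1 }
    ' "$1"
}

# Layer 2, sssd.conf: exit 0 only if [domain/NAME] has access_provider = ldap
# and "host" among its ldap_access_order values.
# Usage: sssd_host_access_enabled FILE NAME
sssd_host_access_enabled() {
    awk -F '[[:space:]]*=[[:space:]]*' -v want="[domain/$2]" '
        /^[[:space:]]*\[/ { insec = ($1 == want); next }
        !insec { next }
        $1 == "access_provider" && $2 == "ldap" { prov = 1 }
        $1 == "ldap_access_order" {
            n = split($2, part, "[[:space:],]+")
            for (i = 1; i <= n; i++) if (part[i] == "host") order = 1
        }
        END { if (prov && order) exit 0; exit 1 }
    ' "$1"
}

# Layer 3, PAM: sssd evaluates access_provider during PAM account management,
# so pam_sss.so must appear on an "account" line for the host check to run.
# Usage: pam_account_uses_sss FILE
pam_account_uses_sss() {
    grep -Eq '^[[:space:]]*account[[:space:]].*pam_sss\.so' "$1"
}

# Print a short report for the files in directory $1.
report() {
    if mixed=$(nss_mixed_modules "$1/nsswitch.conf"); then
        echo "nsswitch.conf: ok, no database mixes sss and ldap"
    else
        echo "nsswitch.conf: sss and ldap both listed for: $mixed"
    fi
    if sssd_host_access_enabled "$1/sssd.conf" default; then
        echo "sssd.conf: host-based access control enabled for domain/default"
    else
        echo "sssd.conf: access_provider/ldap_access_order not set for host"
    fi
    if pam_account_uses_sss "$1/system-auth"; then
        echo "system-auth: pam_sss.so present in the account phase"
    else
        echo "system-auth: pam_sss.so missing from account phase; sssd access rules never run"
    fi
}

report "$WORK"
```

To run the same checks against a live CentOS host, point the functions at /etc/nsswitch.conf, /etc/sssd/sssd.conf and /etc/pam.d/system-auth instead of the scratch copies; the functions only read the files, so no PAM configuration is modified.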