Thanks a lot for the explanation. I have confused some things while crawling through the manuals. Now I have removed the 'ldap' from the /etc/nsswitch.conf. Now it looks like this:

passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplu

My /etc/openldap/ldap.conf is this:

TLS_CACERTDIR /etc/openldap/cacerts/
SASL_NOCANON on
URI ldap://ldap.mydomain.tld
BASE o=XXX

The sssd.conf is this:

[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = default

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/default]
ldap_uri = ldap://ldap.mydomain.tld
ldap_search_base = o=XXX
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/ssl/certs
chpass_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
ldap_user_search_base = ou=YYY,o=XXX
ldap_group_search_base = ou=YYY,o=XXX
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
autofs_provider = ldap
krb5_realm = #

[autofs]

When I stop the sssd daemon, no login at all is possible. But when I start sssd again, login is successful, independently from what I write into ldap_access_order and ldap_user_authorized_host (if I don't commit syntax errors). I also tried with ldap_access_filter and inserting "pam_check_host_attr yes" into ldap.conf. Still the same: when username and password are correct, the host attribute is ignored. Is there another config file I have to edit?

With kind regards, ulrich

On 05/05/2015 11:43 PM, Gordon Messmer wrote:
> On 05/05/2015 11:14 AM, Ulrich Hiller wrote:
>> On 05/05/2015 06:47 PM, Gordon Messmer wrote:
>>> This is wrong. Don't use sss and ldap together. It's redundant. At
>>> best it will cause performance problems.
>>>
>>> Get rid of the ldap module and see if the system starts working
>>> correctly with just sssd. It's possible that right now sssd is
>>> correctly filtering users, but the PADL ldap module is providing them.
>>
>> This was a good hint (I should have got the idea myself).
>> Now I set
>> passwd: files ldap
>> shadow: files ldap
>> group: files ldap
>
> That's exactly the opposite of what I suggested. Your system is now
> using the deprecated PADL ldap module for name service instead of sssd.
>
> You should probably remove nscd and nss-pam-ldapd from your system
> entirely. They're deprecated, and they're going to waste your time.
>
>> and got "pam_unix(sshd:auth): check pass; user unknown"
>
> That seems consistent with having "ldap" in nsswitch.conf and no
> /etc/ldap.conf.
>
> Don't use "ldap". Use "sss".
>
>> So, does it mean only the NSS is providing the ldap user information,
>> and sssd cannot read the pam information? So pam is not set up correctly?
>
> That's a confusing question, so let me explain the stack a little.
>
> At one end you have your applications. Everything that needs to resolve
> user names, groups, hosts, services, etc. is here. For example, "ls".
> "ls" reads directories and stats files; those files have numeric user
> and group IDs, which need to be resolved to names.
>
> In the middle you have glibc and its "nss" API. "nss" provides a single
> interface to applications for resolving names and numbers for the types
> defined in nsswitch.conf.
>
> At the other end of the stack you have nss modules. These include the
> "unix" module which reads files in /etc, the deprecated LDAP module from
> PADL, and the sss module that's part of sssd.
>
> (sssd extends the stack a little bit. It provides one interface to nss,
> and has its own modules to resolve names through LDAP and other
> directories.)
>
> PAM is completely separate from all of that. PAM provides
> authentication services. It's a completely different interface from
> resolving names and numbers.
>
> So, right now it sounds like you have the system configured to read
> information from the "ldap" module, but that module needs
> /etc/ldap.conf. You should be using the "sss" module in nsswitch.conf
> instead.
>
>> I am confused about what to do now.
>> Do I have to configure anything else in /etc/pam.d apart from
>> system-auth?
>
> You probably shouldn't ever touch the files in /etc/pam.d.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
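As an added example (not code from the thread or from sssd itself), a small checker that parses trimmed copies of the nsswitch.conf and sssd.conf pasted above and flags the points Gordon raised (the deprecated 'ldap' NSS module, access control needing the pam responder) together with the ldap_tls_reqcert setting; the hostname and empty krb5_realm are taken from the poster's config as given.

```python
"""Constructed checker: parse an nsswitch.conf and an sssd.conf given as
strings and report the configuration points discussed in this thread."""
import configparser

# Trimmed copies of the poster's configs (hostname is their placeholder).
NSSWITCH = "passwd: files sss\nshadow: files sss\ngroup:  files sss\n"
SSSD_CONF = """\
[sssd]
services = nss, pam, autofs
domains = default
[domain/default]
ldap_uri = ldap://ldap.mydomain.tld
id_provider = ldap
ldap_id_use_start_tls = True
ldap_tls_reqcert = never
access_provider = ldap
krb5_realm =
"""

def parse_nsswitch(text):
    """Map database name -> list of sources, ignoring comments."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            name, sources = line.split(":", 1)
            dbs[name.strip()] = sources.split()
    return dbs

def check(nsswitch_text, sssd_text):
    """Return (level, message) findings for the two configs."""
    out = []
    for db, srcs in parse_nsswitch(nsswitch_text).items():
        # The PADL 'ldap' module is deprecated; sssd's 'sss' module replaces it.
        if db in ("passwd", "shadow", "group") and "ldap" in srcs:
            out.append(("error", f"{db}: deprecated PADL 'ldap' module; use 'sss'"))
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    for sect in (s for s in cp.sections() if s.startswith("domain/")):
        d = cp[sect]
        # reqcert=never means the LDAP server's certificate is never verified.
        if d.get("ldap_tls_reqcert", "").lower() == "never":
            out.append(("warn", f"{sect}: ldap_tls_reqcert=never skips server certificate checks"))
        # sssd enforces its access provider through the pam responder.
        if d.get("access_provider") == "ldap" and "pam" not in services:
            out.append(("error", f"{sect}: access_provider=ldap needs 'pam' in services"))
        if "krb5_realm" in d and not d["krb5_realm"].strip():
            out.append(("warn", f"{sect}: krb5_realm is set but empty"))
    return out
```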