[CentOS] ldap host attribute is ignored

Wed May 6 17:02:59 UTC 2015
Gordon Messmer <gordon.messmer at gmail.com>

On 05/06/2015 07:24 AM, Ulrich Hiller wrote:
> Now i have removed the 'ldap' from the /etc/nsswitch.conf. Now it looks
> like this:

Looks good.

> My /etc/openldap/ldap.conf is this:

OK, but that file isn't used for name service or authentication.  Mostly 
just the openldap tools (ldapsearch, ldapadd, ldapmodify).

> The sssd.conf is this:
> [nss]
> filter_groups = root
> filter_users = root

nitpick: those are the defaults.  Probably don't need to set them.

> [domain/default]
> ldap_id_use_start_tls = True
> ldap_tls_cacertdir = /etc/ssl/certs
> ldap_tls_reqcert = never

Not sure about that setting.  "allow" is probably what you want if 
you're using starttls.

> access_provider = ldap
> ldap_access_order = host
> ldap_user_authorized_host = host
> When i stop the sssd deamon, no login at all is possible.

OK.  Remember that previously you had both sssd and ldap configured to 
provide user information.

You'll want to watch the logs for more information.

Start by determining whether the problem is in the name service or 
authentication step.  Use "id <user>" or "getent passwd <user>" to 
determine whether user information is available through sssd.  If it is 
not, then you probably want to start paring out settings that you added 
(assuming that you started with a file written by authconfig) until 
that's working.

If user data is available, then start looking at your pam configuration. 
  It looks like you made some changes there, and not all of them make 
sense.  In the auth stack, you're calling pam_unix.so twice.  Remove the 
last one.  You've also marked pam_sss.so as required instead of 
sufficient, which is definitely wrong.  On success of a "sufficient" 
module, processing stops.  On success of a "required" module, processing 
will continue, and will reach pam_deny.so.  See the man page for 
pam.conf for more information.