[CentOS] ldap host attribute is ignored

Fri May 8 19:57:45 UTC 2015
Gordon Messmer <gordon.messmer at gmail.com>

On 05/08/2015 08:14 AM, Ulrich Hiller wrote:
> With kind regards, ulrich

Hm.  I don't *see* the problem, so let me go about this in the opposite 
direction.  I added the host controls to one of my systems, and they 
appear to work properly.

My configuration files were *mostly* written by "authconfig".  It looks 
like you've done some manual tweaking with YaST examples.  Some of the 
PAM stuff looks like it was tacked-on at the end of a sequence without 
understanding how PAM flow control works.

(Minor aside: you may have used authconfig --enablemd5, which weakens 
security somewhat.  I believe the default is equivalent to authconfig 
--passalgo=sha256)

Your sshd pam file referenced password-auth (/etc/pam.d/password-auth) 
which should be a separate file from system-auth, but should have 
identical content.

I recommend starting with a completely clean system, setting up 
authentication with authconfig, and then modifying sssd.conf one setting 
at a time as you work toward your desired configuration.



/etc/sss/sssd.conf:

------

[domain/default]

autofs_provider = ldap
cache_credentials = True
krb5_realm = PRIVATE.EXAMPLE.NET
ldap_search_base = dc=private,dc=example,dc=net
krb5_server = directory.private.example.net:88
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://directory.private.example.net/
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_store_password_if_offline = True
krb5_kpasswd = directory.private.example.net:749

access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host

[sssd]
services = nss, pam, autofs
config_file_version = 2

domains = default
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

------

/etc/pam.d/system-auth-ac

------

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

------
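To make the `access_provider = ldap` / `ldap_access_order = host` part of the configuration above concrete, here is an added Python model of the check sssd performs on the user's `host` attribute. It is example code written for this page, not sssd's own source and not Gordon's configuration. It assumes the documented semantics of the host check: a value equal to the client's hostname or `*` grants access, a value of `!hostname` explicitly denies it, and a user with no `host` attribute is denied. The LDIF entries, the user names and the hostnames are constructed sample data; the hostname compared against is whatever the client reports, which is the first thing to verify when the attribute looks right in the directory but access is still refused.

```python
"""Model of sssd's ldap_access_order = host evaluation (example, not sssd code)."""
import socket
from typing import Dict, Iterable, List


def host_access_allowed(host_values: Iterable[str], hostname: str) -> bool:
    """Return True if the user's host attribute values permit login on hostname.

    Assumed semantics (documented for sssd's host access check):
      * "!name" matching this host denies immediately, overriding any allow
      * "*" or an exact (case-insensitive) hostname match allows
      * no matching value at all means access is denied
    """
    allowed = False
    for raw in host_values:
        value = raw.strip()
        if not value:
            continue
        if value.startswith("!"):
            if value[1:].lower() == hostname.lower():
                return False          # explicit deny wins
        elif value == "*" or value.lower() == hostname.lower():
            allowed = True
    return allowed


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


# Constructed sample directory content, not taken from any real system.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=private,dc=example,dc=net
uid: alice
host: web1

dn: uid=bob,ou=people,dc=private,dc=example,dc=net
uid: bob
host: *

dn: uid=carol,ou=people,dc=private,dc=example,dc=net
uid: carol
host: *
host: !db1

dn: uid=dave,ou=people,dc=private,dc=example,dc=net
uid: dave
"""


def evaluate_directory(ldif_text: str, hostname: str) -> Dict[str, bool]:
    """Map each uid in the LDIF to the access decision for the given client host."""
    decisions: Dict[str, bool] = {}
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", ["?"])[0]
        decisions[uid] = host_access_allowed(entry.get("host", []), hostname)
    return decisions


def local_hostname() -> str:
    """The name sssd compares against is the client's own hostname."""
    return socket.gethostname()


if __name__ == "__main__":
    for host in ("web1", "db1", local_hostname()):
        print(host, evaluate_directory(SAMPLE_LDIF, host))
```

Running it prints one decision table per hostname; comparing the `web1` and `db1` rows shows why carol's `!db1` overrides her `*`, and why dave, with no `host` attribute at all, is refused everywhere. If a real user's entry carries a hostname in a form that differs from what the client's `hostname` command returns (short name versus FQDN, for instance), the same function shows the denial you would see from sssd.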