[CentOS] ldap host attribute is ignored

Wed May 13 08:34:51 UTC 2015
Ulrich Hiller <hiller at mpia-hd.mpg.de>


On 05/12/2015 11:04 PM, m.roth at 5-cent.us wrote:
> Ulrich Hiller wrote:
>> I thought this too.
>> I think this:
>>
>> access_provider = ldap
>> ldap_access_filter = memberOf=host=does-not-exist-host
>> ldap_access_order = filter
>> ldap_user_authorized_host = host
>>
>> must confuse sssd so much that it denies login. But the user without
>> host attribute can still login.
>>
> Wait - are you saying that it didn't deny, but now it does? If that's the
> case, then you're almost there, just that the condition is backwards (like
> sshd_config, with PermitRootLogin Without-Password means that you have to
> use a key, not that it permits root to come in without a password....
> 
>      mark

No. Sorry for the misunderstanding (I am not a native English speaker).
I wanted to say that it still does *not* deny.
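
Added example, not part of the original message: a Python sketch of when the settings quoted above make SSSD consult the user's host attribute, following the sssd-ldap(5) description of ldap_access_order and ldap_user_authorized_host. The section name domain/default, the hostname ws1 and the attribute values are constructed for illustration, and the case-insensitive hostname comparison is an assumption of this sketch.

```python
# Added example; the sample config, section name and hostnames are constructed.
import configparser

SAMPLE_CONF = """
[domain/default]
access_provider = ldap
ldap_access_filter = memberOf=host=does-not-exist-host
ldap_access_order = filter
ldap_user_authorized_host = host
"""

def access_rules(conf_text, domain):
    """Return the ldap_access_order rules in effect for one sssd.conf domain."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    sec = cp["domain/" + domain]
    # ldap_access_* options are only read when the access provider is ldap
    # (sssd.conf(5) default for access_provider: permit).
    if sec.get("access_provider", "permit").strip().lower() != "ldap":
        return []
    order = sec.get("ldap_access_order", "filter")  # documented default: filter
    return [r.strip().lower() for r in order.split(",") if r.strip()]

def host_allowed(host_values, hostname):
    """Host rule as documented: explicit deny (!host), explicit allow, then '*'."""
    vals = [v.strip().lower() for v in host_values]
    name = hostname.lower()  # assumption: names compared case-insensitively
    if "!" + name in vals:
        return False
    return name in vals or "*" in vals

def login_passes_host_rule(conf_text, domain, host_values, hostname):
    """True when the host rule does not block the login, or is not enabled."""
    if "host" not in access_rules(conf_text, domain):
        return True  # the host attribute is never consulted
    return host_allowed(host_values, hostname)

if __name__ == "__main__":
    with_host = SAMPLE_CONF.replace("= filter", "= filter, host")
    for label, conf in (("order=filter", SAMPLE_CONF), ("order=filter,host", with_host)):
        ok = login_passes_host_rule(conf, "default", [], "ws1")
        print(label, "-> user without host attribute passes host rule:", ok)
```

This models only the host rule; the filter rule and the PAM account stack that calls SSSD are evaluated separately and are not covered here.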