[CentOS] ldap host attribute is ignored
Gordon Messmer
gordon.messmer at gmail.com
Tue May 5 16:47:58 UTC 2015
On 05/05/2015 03:02 AM, Ulrich Hiller wrote:
> /etc/openldap/ldap.conf contains the line:
> ------------------------------------------
> pam_check_host_attr yes
/etc/openldap/ldap.conf is the configuration file for openldap clients.
It is not used for system authentication or name service.
> 'pam_check_host_attr yes' is in /etc/openldap/ldap.conf. /etc/ldap.conf
> is a softlink to that file.
Those two files have completely different syntax and are used by
different software. Don't symlink them.
> /etc/sssd/sssd.conf:
> --------------------
If you're using sssd, then you're not using (or shouldn't be using) the
PADL nss module. In that case, /etc/ldap.conf shouldn't even be present.
> [domain/default]
> access_provider = ldap
> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
> ldap_access_order = host
ldap_access_filter should be an LDAP filter, not an OU. However, it's
only used when ldap_access_order=filter. When using
ldap_access_order=host, it should not be present.
> in /etc/nscd.conf:
nscd is also not used when using sssd.
> /etc/nsswitch.conf:
> ...................
> passwd: files sss ldap
> shadow: files sss ldap
> group: files sss ldap
This is wrong. Don't use sss and ldap together. It's redundant. At
best it will cause performance problems.
Get rid of the ldap module and see if the system starts working
correctly with just sssd. It's possible that right now sssd is
correctly filtering users, but the PADL ldap module is providing them.
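For illustration, the sssd.conf that the reply describes (an added example, not configuration from the thread), assuming the domain is still called `default`, id and auth also come from LDAP, and user entries carry the allowed hostnames in the default `host` attribute:

```ini
# /etc/sssd/sssd.conf (added example; assumed server URI and base DN)
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.org      # placeholder
ldap_search_base = o=XXXX               # from the poster's filter

# Access is decided by the per-user "host" attribute only.
# ldap_access_filter is consulted solely when ldap_access_order
# contains "filter", so it is deliberately absent here.
access_provider = ldap
ldap_access_order = host
# Attribute holding the hostnames a user may log in to (sssd default).
ldap_user_authorized_host = host

# If group membership rather than a host list is the intended rule,
# use a real LDAP filter instead (placeholder group DN):
#   ldap_access_order = filter
#   ldap_access_filter = (memberOf=cn=GROUP,ou=YYYY,o=XXXX)
```

With this in place, /etc/nsswitch.conf should list `files sss` for passwd, shadow and group, with the PADL `ldap` module removed so that only sssd answers lookups.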