[CentOS] ldap host attribute is ignored

Gordon Messmer gordon.messmer at gmail.com
Tue May 12 17:45:59 UTC 2015


On 05/12/2015 06:25 AM, Ulrich Hiller wrote:
>
> I have set logging in sssd to 9:

7 might be good enough for what you want to find.  I added this to the 
domain/default section:

access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
debug_level = 7

/var/log/sssd/sssd_default.log logged the following for one user who 
had no "host" attribute, and was denied login:

-----
(Tue May 12 10:35:35 2015) [sssd[be[default]]] 
[sdap_get_initgr_next_base] (0x0400): Searching for users with base 
[dc=private,dc=example,dc=net]
(Tue May 12 10:35:35 2015) [sssd[be[default]]] 
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
[(&(uid=gordon)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=private,dc=example,dc=net].
(Tue May 12 10:35:35 2015) [sssd[be[default]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
...
(Tue May 12 10:35:35 2015) [sssd[be[default]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
-----

So, the user lookup definitely requested the host attribute.

The authentication process logs to the same file:

-----
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [be_pam_handler] 
(0x0100): Got request with the following data
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] 
(0x0100): command: PAM_ACCT_MGMT
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] 
(0x0100): domain: default
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] 
(0x0100): user: gordon
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] 
(0x0100): service: sshd
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] 
(0x0100): tty: ssh
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] 
(0x0100): ruser:
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] 
(0x0100): rhost: 10.1.10.41
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] 
(0x0100): authtok type: 0
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] 
(0x0100): newauthtok type: 0
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] 
(0x0100): priv: 1
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] 
(0x0100): cli_pid: 7871
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [sdap_access_send] 
(0x0400): Performing access check for user [gordon]
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [sdap_access_host] 
(0x0020): Missing hosts. Access denied
-----

Your log excerpt did not include "performing access check".  I don't 
know if that's because it isn't in your log or because your excerpt was 
too short.
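The diagnostic step described above (find the "Performing access check" line, then the sdap_access_host verdict) as a small log checker. This is an added example, not code from the mail or from sssd; the sample lines are constructed in the shape of the quoted sssd_default.log excerpt (the mail's wrapped lines are joined back into single log lines), and the function and field names are the example's own.

```python
import re
from typing import Optional

# Constructed sample lines, same format as the sssd_default.log excerpt in the mail
# (debug_level = 7, access_provider = ldap, ldap_access_order = host).
SAMPLE_LOG = """\
(Tue May 12 10:35:35 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): user: gordon
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [gordon]
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [sdap_access_host] (0x0020): Missing hosts. Access denied
"""

# One sssd log line: (timestamp) [component] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<comp>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fields; None for lines that are not sssd log records."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def audit_access_check(log_text: str, user: str) -> dict:
    """Walk the log once and record what the ldap host access check did for `user`."""
    r = {"host_attr_requested": False, "access_check_started": False,
         "verdict": None, "reason": None}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        func, msg = f["func"], f["msg"]
        if func == "sdap_get_generic_ext_step" and msg == "Requesting attrs: [host]":
            r["host_attr_requested"] = True      # user lookup asked LDAP for 'host'
        elif func == "sdap_access_send" and msg == f"Performing access check for user [{user}]":
            r["access_check_started"] = True     # access_provider = ldap actually ran
        elif func == "sdap_access_host" and r["access_check_started"] and r["verdict"] is None:
            r["reason"] = msg                    # first host-check verdict after the check started
            r["verdict"] = "denied" if "Access denied" in msg else "other"
    return r

def diagnose(r: dict) -> str:
    """Turn the audit result into the next thing to check, following the mail's reasoning."""
    if not r["access_check_started"]:
        return "no 'Performing access check' line: verify access_provider = ldap and ldap_access_order = host"
    if r["verdict"] == "denied" and r["reason"].startswith("Missing hosts"):
        return "access check ran and denied: the user entry has no 'host' attribute"
    if r["verdict"] == "denied":
        return "access check ran and denied: " + r["reason"]
    return "access check ran; host check result: " + str(r["reason"])

if __name__ == "__main__":
    print(diagnose(audit_access_check(SAMPLE_LOG, "gordon")))
```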


