[CentOS] ldap host attribute is ignored

Tue May 12 18:47:01 UTC 2015

that's intersting. "performing access check" is really missing.

also the "sdap_access" lines are not there. Therefore i do have:

(Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options]
(0x0400): Option ldap_access_filter has no value
(Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options]
(0x0400): Option ldap_access_order has value host
(Tue May 12 13:16:20 2015) [sssd[be[default]]] [be_process_init]
(0x2000): ACCESS backend target successfully loaded from provider [ldap].

"Requesting attrs: [objectClass]" and "Requesting attrs: [host]" are in
the logfile.

So there is no access check apart from username and password check -
otherwise i would not have been able to login.

The question is why doesn't it perform these checks.

Just to repete: My sssd.conf contains
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host

I read something about "pam_check_host_attr" in /etc/ldap.conf But this
does not help in my /etc/openldap/ldap.conf (already tested).

Any idea is still welcome.

With kind regards, ulrich

On 05/12/2015 07:45 PM, Gordon Messmer wrote:
> On 05/12/2015 06:25 AM, Ulrich Hiller wrote:
>>
>> i have set logging in sssd to 9:
> 
> 7 might be good enough for what you want to find.  I added this to
> domain/default section:
> 
> access_provider = ldap
> ldap_access_order = host
> ldap_user_authorized_host = host
> debug_level = 7
> 
> /var/log/sssd/sssd_default.log logged the following for one user which
> had no "host" attribute, and was denied login:
> 
> -----
> (Tue May 12 10:35:35 2015) [sssd[be[default]]]
> [sdap_get_initgr_next_base] (0x0400): Searching for users with base
> [dc=private,dc=example,dc=net]
> (Tue May 12 10:35:35 2015) [sssd[be[default]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(uid=gordon)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=private,dc=example,dc=net].
> 
> (Tue May 12 10:35:35 2015) [sssd[be[default]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> ...
> (Tue May 12 10:35:35 2015) [sssd[be[default]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
> -----
> 
> So, the user lookup definitely requested the host attribute.
> 
> The authentication process logs to the same file:
> 
> -----
> (Tue May 12 10:35:36 2015) [sssd[be[default]]] [be_pam_handler]
> (0x0100): Got request with the following data
> (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data]
> (0x0100): command: PAM_ACCT_MGMT
> (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data]
> (0x0100): domain: default
> (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data]
> (0x0100): user: gordon
> (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data]
> (0x0100): service: sshd
> (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data]
> (0x0100): tty: ssh
> (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data]
> (0x0100): ruser:
> (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data]
> (0x0100): rhost: 10.1.10.41
> (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data]
> (0x0100): authtok type: 0
> (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data]
> (0x0100): newauthtok type: 0
> (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data]
> (0x0100): priv: 1
> (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data]
> (0x0100): cli_pid: 7871
> (Tue May 12 10:35:36 2015) [sssd[be[default]]] [sdap_access_send]
> (0x0400): Performing access check for user [gordon]
> (Tue May 12 10:35:36 2015) [sssd[be[default]]] [sdap_access_host]
> (0x0020): Missing hosts. Access denied
> -----
> 
> Your log excerpt did not include "performing access check".  I don't
> know if that's because it isn't in your log or because your excerpt was
> too short.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 
> 