[CentOS] ldap host attribute is ignored

Tue May 5 16:47:58 UTC 2015
Gordon Messmer <gordon.messmer at gmail.com>

On 05/05/2015 03:02 AM, Ulrich Hiller wrote:
> /etc/openldap/ldap.conf contains the line:
> ------------------------------------------
>   pam_check_host_attr     yes

/etc/openldap/ldap.conf is the configuration file for openldap clients.  
It is not used for system authentication or name service.

> 'pam_check_host_attr yes' is in /etc/openldap/ldap.conf. /etc/ldap.conf
> is a softlink to that file.

Those two files have completely different syntax and are used by 
different software.  Don't symlink them.

> /etc/sssd/sssd.conf:
> --------------------

If you're using sssd, then you're not using (or shouldn't be using) the 
PADL nss module.  In that case, /etc/ldap.conf shouldn't even be present.

> [domain/default]
> access_provider = ldap
> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
> ldap_access_order = host

ldap_access_filter should be an LDAP filter, not an OU.  However, it's 
only used when ldap_access_order=filter.  When using 
ldap_access_order=host, it should not be present.

> in /etc/nscd.conf:

nscd is also not used when using sssd.

> /etc/nsswitch.conf:
> ...................
> passwd:     files sss ldap
> shadow:     files sss ldap
> group:      files sss ldap

This is wrong.  Don't use sss and ldap together.  It's redundant. At 
best it will cause performance problems.

Get rid of the ldap module and see if the system starts working 
correctly with just sssd.  It's possible that right now sssd is 
correctly filtering users, but the PADL ldap module is providing them.
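A small lint for the two misconfigurations the reply points out: nsswitch.conf lines that list both sss and ldap, and an ldap_access_filter that is ignored because ldap_access_order does not include "filter". This is an added example, not from the original thread; the file contents are constructed samples modelled on the poster's configuration (the ou=YYYY,o=XXXX values are the poster's own placeholders).

```shell
#!/bin/sh
# Added example, not part of the thread: lint the two files the reply discusses.
# Sample contents below are constructed to mirror the original poster's setup.

# nsswitch.conf: report database lines that list both "sss" and "ldap"
# (the redundant combination the reply warns about); exit 1 if any are found.
check_nsswitch() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        { s = l = 0
          for (i = 2; i <= NF; i++) { if ($i == "sss") s = 1; if ($i == "ldap") l = 1 }
          if (s && l) { print "redundant sss+ldap: " $0; bad = 1 } }
        END { exit (bad ? 1 : 0) }' "$1"
}

# sssd.conf: report a section that sets ldap_access_filter while its
# ldap_access_order is set but does not include "filter" (e.g. "host"),
# since the filter is ignored there. An unset order defaults to "filter".
check_sssd() {
    awk '
        function flush() {
            if (filter != "" && order != "" && order !~ /(^|,)[[:space:]]*filter[[:space:]]*(,|$)/) {
                print section ": ldap_access_filter set but ldap_access_order=" order; bad = 1 }
            order = filter = "" }
        /^[[:space:]]*#/ || NF == 0 { next }
        /^\[/ { flush(); section = $0; next }
        { eq = index($0, "="); key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val) }
        key == "ldap_access_order"  { order = val }
        key == "ldap_access_filter" { filter = val }
        END { flush(); exit (bad ? 1 : 0) }' "$1"
}

# Constructed samples: the poster's configuration next to the reply's fix.
TMP=$(mktemp -d)
printf 'passwd: files sss ldap\nshadow: files sss ldap\ngroup: files sss ldap\n' > "$TMP/nsswitch.bad"
printf 'passwd: files sss\nshadow: files sss\ngroup: files sss\n' > "$TMP/nsswitch.good"
cat > "$TMP/sssd.bad" <<'EOF'
[domain/default]
access_provider = ldap
ldap_access_filter = memberOf=ou=YYYY,o=XXXX
ldap_access_order = host
EOF
printf '[domain/default]\naccess_provider = ldap\nldap_access_order = host\n' > "$TMP/sssd.good"

check_nsswitch "$TMP/nsswitch.bad" || echo "nsswitch.bad: problems found"
check_sssd "$TMP/sssd.bad"         || echo "sssd.bad: problems found"
```

Run it against the real /etc/nsswitch.conf and /etc/sssd/sssd.conf instead of the samples to confirm the ldap module and the stray filter are gone.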