[CentOS] ldap host attribute is ignored

Tue May 5 19:12:54 UTC 2015
Ulrich Hiller <hiller at mpia-hd.mpg.de>

Hi,

Added, but no success.
My sssd.conf now looks like this:
[sssd]
config_file_version = 2
services = nss,pam
domains = default
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.

[nss]
filter_groups = root
filter_users = root

[pam]

# Section created by YaST
[domain/default]
ldap_uri = ldap://ldap.mpia-hd.mpg.de
ldap_search_base = o=mpia
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/ssl/certs
chpass_provider = ldap
auth_provider = ldap
# never: the server certificate is not verified, so StartTLS does not
# protect against a spoofed LDAP server
ldap_tls_reqcert = never
ldap_user_search_base = ou=people,o=mpia
ldap_group_search_base = ou=group,o=mpia

# Access control: with access_provider = ldap and ldap_access_order = host,
# sssd allows or denies the login (in the PAM account phase, via pam_sss.so)
# from the values of the user attribute named by ldap_user_authorized_host.
# "host" is that option's default, so the last line only restates it.
access_provider = ldap
#ldap_access_filter = memberOf=ou=people,o=mpia
ldap_access_order = host
ldap_user_authorized_host = host


and my nsswitch.conf:
passwd:     files ldap
shadow:     files ldap
group:      files ldap
#initgroups: files
#hosts:     db files nisplus nis dns
hosts:      files dns
# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss ldap
publickey:  nisplus
automount:  files sss ldap
aliases:    files nisplus


I get a "user unknown". With
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
in nsswitch.conf all LDAP users can log in, independently of the host
attribute.

With kind regards, ulrich


On 05/05/2015 08:58 PM, Ashish Yadav wrote:
> Hi,
> 
> I am confused about what to do now.
>> Do I have to configure anything else in /etc/pam.d apart from system-auth?
>>
> 
> IMO, you have to configure sssd.conf properly.
> 
> Please add "ldap_user_authorized_host = host" in your sssd.conf which you
> have not configured.
> After that please check again.
> 
> For more information, please refer below link.
> 
> <https://lists.fedorahosted.org/pipermail/sssd-users/2015-May/003001.html>
> 
> --Regards
> Ashishkumar S. Yadav
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 
>
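Editor's note with an added example; this is not part of the thread and not sssd's own code. Two things decide whether the host attribute is honoured. First, nsswitch.conf only chooses who answers identity lookups (`files`, `sss`, `ldap`); the host check is performed by sssd's access provider during the PAM account phase, so it only runs if `pam_sss.so` is in the account stack of /etc/pam.d/system-auth, and a successful `getent passwd <user>` says nothing about it. Second, sssd compares the attribute values against the hostname it obtains from gethostname(), so a value stored as a short name will not match a host that reports its FQDN, and vice versa. The script below models the value semantics of `ldap_access_order = host` as I read sssd's sdap_access host check: `*` allows everywhere, a bare name allows that host (case-insensitive), `!name` denies that host and wins over any allow, and an entry with no matching value is denied. The precedence and the constructed hostname `ws1.example.org` are assumptions; verify them against the sssd-ldap(5) man page of your sssd version.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts, not sssd code).
# Models how sssd evaluates the values of the attribute named by
# ldap_user_authorized_host (default "host") against the local hostname:
#   "*"      allow on every host
#   "name"   allow on that host (case-insensitive compare)
#   "!name"  deny on that host; an explicit deny wins over any allow
# No matching value means denied. Precedence is my reading of sssd's
# sdap_access host check; treat it as an assumption to verify.
#
# Usage: host_allowed <local-hostname> [attribute-value ...]; exit 0 = allowed

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

host_allowed() {
    me=$(lower "$1"); shift
    rc=1                                 # denied until an allow value matches
    for v in "$@"; do
        v=$(lower "$v")
        case "$v" in
            "!$me")    return 1 ;;       # explicit deny: stop immediately
            '*'|"$me") rc=0 ;;           # allow, but keep scanning for a deny
        esac
    done
    return "$rc"
}

# Demo with a constructed hostname and constructed attribute values (not real
# directory entries). On a real host, sssd compares against gethostname(), so
# check `hostname` and store the same form (short name or FQDN) in the entry.
# The live values can be inspected with, for example:
#   ldapsearch -ZZ -H ldap://ldap.mpia-hd.mpg.de -b ou=people,o=mpia uid=<user> host
demo() {
    local_host=ws1.example.org           # constructed; sssd would use gethostname()
    show() {
        if host_allowed "$local_host" "$@"; then r=allowed; else r=denied; fi
        printf 'host values [%s] -> %s\n' "$*" "$r"
    }
    show ws1.example.org                 # allowed
    show '*'                             # allowed
    show '*' '!WS1.example.org'          # denied: explicit deny wins
    show ws2.example.org                 # denied: only another host listed
    show '!ws2.example.org'              # denied: a deny for another host grants nothing
    show                                 # denied: attribute absent
}

demo
```

If a user with no `host` value, or with only another host listed, can still log in, the account stack is not reaching pam_sss.so (or a preceding `account sufficient` line short-circuits it); that is where to look rather than in nsswitch.conf.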