CentOS - Feb 2015 - sssd - ldap host attribute ignored

Dear all,

i have a problem with sssd in conjunction with ldap on a centos 7 x86_64
box.
ldap works fine. I can login there as an usual user registred in ldap.

I want now restrict the access with ldap's host attribute. This is
beeing ignored. Still every ldap user can login, no matter what the host
attribute says.
I googled around and only found that sssd.conf need two lines:
access_provider = ldap
ldap_access_order = host

So i do not understand why it is not working. I append to this e-mail:
/etc/sssd/sssd.conf
/etc/ldap.conf
/etc/pamd.d/ssh

Can somebody give me hints what could be wrong?

With kind reagards and thanks a lot in advance, Ulrich

/etc/sssd/sssd.conf:
--------------------
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = default
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LDAP

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/default]
ldap_uri = ldap://myldapserver.mydomain
ldap_search_base = o=XXXX
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/openldap/cacerts/
chpass_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
ldap_user_search_base = ou=YYYY,o=XXXX
ldap_group_search_base = ou=YYYY,o=XXXX

access_provider = ldap
ldap_access_filter = memberOf=ou=YYYY,o=XXXX
ldap_access_order = host




/etc/ldap.conf:
----------------------

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERTDIR /etc/openldap/cacerts

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
URI ldap://myldapserver.mydomain
BASE ou=YYYY,o=XXXX





/etc/pam.d/sshd:
------------------------------

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed
in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
session  required       pam_mkhomedir.so skel=/etc/skel/ umask=0077

On 02/23/2015 03:59 AM, Ulrich Hiller wrote:
>
> /etc/sssd/sssd.conf:
> [domain/default]
> access_provider = ldap
> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
> ldap_access_order = host
Because ldap_access_order doesn't include "filter",
ldap_access_filter
will not be used.  You can remove that.

Aside from that, it would be helpful to see the entry for one of the 
users who can log in and should not be able to.

Make sure you flush the cache before testing.
> /etc/ldap.conf:
I don't think that file is relevant.

Thanks a lot for the answer. I commented out ldap_access_filter.
I suppose with flush you mean 'sss-cache -E'. I did it. But it did not
help.

The ldap entry of a user who can log in and should not be able to is
below. Note: The host 'another-node' is a different computer than the
CentOS 7 to which the USER1 can login but should not be able to. Even
without the host attribute he can login.

Thank you, ulrich

# extended LDIF
#
# LDAPv3
# base <ou=XXXX,o=YYYY> with scope subtree
# filter: uid=USER1
# requesting: ALL
#

# USER1, XXXX, YYYY
dn: uid=USER1,ou=XXXX,o=YYYY
accountStatus: active
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: ibm-auxAccount
objectClass: qmailUser
objectClass: sambaSamAccount
uid: USER1
uidNumber: ****
shadowFlag: 0
shadowInactive: -1
gidNumber: ***
shadowMin: -1
shadowMax: 999999
homeDirectory: /home/USER1
sn: USER1
mail: USER1 at my.doma.in
mailHost: lmtp:unix:/var/lib/imap/socket/lmtp
shadowWarning: 7
sambaSID: *****************************************
shadowExpire: -1
mailAlternateAddress: USER1a
cn: surname lastname
gecos: surname lastname
loginShell: /bin/bash
host: another-node


On 02/24/2015 01:06 AM, Gordon Messmer wrote:
> On 02/23/2015 03:59 AM, Ulrich Hiller wrote:
>>
>> /etc/sssd/sssd.conf:
>> [domain/default]
>> access_provider = ldap
>> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
>> ldap_access_order = host
> 
> Because ldap_access_order doesn't include "filter",
ldap_access_filter
> will not be used.  You can remove that.
> 
> Aside from that, it would be helpful to see the entry for one of the
> users who can log in and should not be able to.
> 
> Make sure you flush the cache before testing.
> 
>> /etc/ldap.conf:
> 
> I don't think that file is relevant.
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos