Dear list members,

I have installed a CentOS 7 x86_64 system. I want to let users authenticate over our ldap server. This seems to be working. ldap-username and ldap-passwords are accepted for the users configured in the ldap server. No problem.

Now I want to restrict the access to users who have my centos-machine in their ldap host attribute.

My problem is that this host attribute seems to be ignored. Any ldap user, independent of the host attribute, can still log in.

What could be the reason? (Googling around did not lead me to a solution.) The cache is already flushed.

Here is my configuration:

/etc/openldap/ldap.conf contains the line:
------------------------------------------
pam_check_host_attr yes

/etc/sssd/sssd.conf:
--------------------
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = default
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LDAP

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/default]
ldap_uri = ldap://myldapserver.mydomain
ldap_search_base = o=XXXX
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/openldap/cacerts/
chpass_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
ldap_user_search_base = ou=YYYY,o=XXXX
ldap_group_search_base = ou=YYYY,o=XXXX
access_provider = ldap
ldap_access_filter = memberOf=ou=YYYY,o=XXXX
ldap_access_order = host

/etc/pam.d/system-auth:
-----------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 200 quiet_success
#auth       sufficient    pam_sss.so use_first_pass
auth        required      pam_sss.so use_first_pass
auth        required      pam_deny.so
auth        sufficient    pam_unix.so try_first_pass

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 2000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

in /etc/nscd.conf:
------------------
enable-cache passwd no
enable-cache group no
enable-cache hosts no
enable-cache services no
enable-cache netgroup no

/etc/nsswitch.conf:
...................
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
#initgroups: files
#hosts:     db files nisplus nis dns
hosts:      files dns
# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss ldap
publickey:  nisplus
automount:  files sss ldap
aliases:    files nisplus

The ldap attributes of the user who can log in, but should not:
--------------------------------------------------------------
dn: uid=USER1,ou=XXXX,o=YYYY
accountStatus: active
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: ibm-auxAccount
objectClass: qmailUser
objectClass: sambaSamAccount
uid: USER1
uidNumber: ****
shadowFlag: 0
shadowInactive: -1
gidNumber: ***
shadowMin: -1
shadowMax: 999999
homeDirectory: /home/USER1
sn: USER1
mail: USER1 at my.doma.in
mailHost: lmtp:unix:/var/lib/imap/socket/lmtp
shadowWarning: 7
sambaSID: *****************************************
shadowExpire: -1
mailAlternateAddress: USER1a
cn: surname lastname
gecos: surname lastname
loginShell: /bin/bash
host: another-node

What information is still missing? Any hint is welcome.

Thank you in advance,
ulrich
Hi,

On Tue, May 5, 2015 at 3:32 PM, Ulrich Hiller <hiller at mpia-hd.mpg.de> wrote:
> Dear list members,
>
> i have installed a CentOS 7 x86_64 system. I want to let users
> authenticate over our ldap server. This seems to be working.
> ldap-username and ldap-passwords are accepted for the users configured
> in the ldap server. No problem.
>
> Now i want to restrict the access to users who have my centos-machine in
> their ldap host attribute.
>
> My problem is, that this host attribute seems to be ignored. Any ldap
> user, independent from the host attribute, still can login in.
>
> What could be the reason? (googling around did not lead me to a solution).
>

Try to set 'pam_check_host_attr yes' in /etc/ldap.conf.

--
Regards
Ashishkumar S. Yadav
Hi,

'pam_check_host_attr yes' is in /etc/openldap/ldap.conf. /etc/ldap.conf is a softlink to that file. But still the host attribute is ignored.

With kind regards,
ulrich

On 05/05/2015 12:32 PM, Ashish Yadav wrote:
> Hi,
>
> On Tue, May 5, 2015 at 3:32 PM, Ulrich Hiller <hiller at mpia-hd.mpg.de> wrote:
>
>> Dear list members,
>>
>> i have installed a CentOS 7 x86_64 system. I want to let users
>> authenticate over our ldap server. This seems to be working.
>> ldap-username and ldap-passwords are accepted for the users configured
>> in the ldap server. No problem.
>>
>> Now i want to restrict the access to users who have my centos-machine in
>> their ldap host attribute.
>>
>> My problem is, that this host attribute seems to be ignored. Any ldap
>> user, independent from the host attribute, still can login in.
>>
>> What could be the reason? (googling around did not lead me to a solution).
>>
>
> Try to set 'pam_check_host_attr yes' in /etc/ldap.conf .
>
> --Regards
> Ashishkumar S. Yadav
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
hi,

On 05/05/2015 12:02 PM, Ulrich Hiller wrote:
> access_provider = ldap
> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
> ldap_access_order = host

Try to use the parameter "ldap_access_filter = host='HOSTNAME'" instead of "ldap_access_order = host".

regards, Kai
Unfortunately I got a syntax error with this method ("ldap_access_filter = host='HOSTNAME'") and sssd did not restart.

I added the line
ldap_user_authorized_host = host
without success.

I have to admit that I do not have any idea where to look for the problem:
- is it sssd? I have version 1.12.2
- is it pam (something in /etc/pam.d)?
- is it ldap (/etc/ldap.conf)?
- is it /etc/nsswitch.conf?

The authentication with username and password works. Only the host attribute is the problem. We have several opensuse boxes of different OS versions running, and there it works very well. So I do not think there is a problem on the ldap server.

With kind regards,
ulrich

On 05/05/2015 03:43 PM, Kai Grunau wrote:
> hi,
>
> On 05/05/2015 12:02 PM, Ulrich Hiller wrote:
>> access_provider = ldap
>> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
>> ldap_access_order = host
>>
>
> try instead of "ldap_access_order = host" parameter
> "ldap_access_filter = host='HOSTNAME' " to use
>
> regards, Kai
On 05/05/2015 03:02 AM, Ulrich Hiller wrote:
> /etc/openldap/ldap.conf contains the line:
> ------------------------------------------
> pam_check_host_attr yes

/etc/openldap/ldap.conf is the configuration file for openldap clients. It is not used for system authentication or name service.

> 'pam_check_host_attr yes' is in /etc/openldap/ldap.conf. /etc/ldap.conf
> is a softlink to that file.

Those two files have completely different syntax and are used by different software. Don't symlink them.

> /etc/sssd/sssd.conf:
> --------------------

If you're using sssd, then you're not using (or shouldn't be using) the PADL nss module. In that case, /etc/ldap.conf shouldn't even be present.

> [domain/default]
> access_provider = ldap
> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
> ldap_access_order = host

ldap_access_filter should be an LDAP filter, not an OU. However, it's only used when ldap_access_order=filter. When using ldap_access_order=host, it should not be present.

> in /etc/nscd.conf:

nscd is also not used when using sssd.

> /etc/nsswitch.conf:
> ...................
> passwd: files sss ldap
> shadow: files sss ldap
> group: files sss ldap

This is wrong. Don't use sss and ldap together. It's redundant. At best it will cause performance problems.

Get rid of the ldap module and see if the system starts working correctly with just sssd. It's possible that right now sssd is correctly filtering users, but the PADL ldap module is providing them.
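As an added example (written for this thread, not code from the list or from sssd), the following Python lint encodes the points Gordon makes above and runs them over constructed copies of the poster's nsswitch.conf and sssd.conf: sss and ldap serving the same NSS database, ldap_access_filter present while ldap_access_order does not contain filter, and an access_provider other than ldap. The default of ldap_access_order being filter is taken from sssd-ldap(5); the audit function and the sample texts are assumptions of this example.

```python
import configparser

# Constructed from the configuration posted in the thread (not real files).
NSSWITCH = """\
passwd: files sss ldap
shadow: files sss ldap
group:  files sss ldap
hosts:  files dns
"""

SSSD_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_filter = memberOf=ou=YYYY,o=XXXX
ldap_access_order = host
"""


def audit(nsswitch_text, sssd_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    for line in nsswitch_text.splitlines():
        if line.lstrip().startswith("#") or ":" not in line:
            continue
        db, _, sources = line.partition(":")
        srcs = sources.split()
        # Two modules on one database: the PADL 'ldap' module can still hand
        # out users that sssd's access check would refuse.
        if "sss" in srcs and "ldap" in srcs:
            findings.append(f"nsswitch {db.strip()}: drop 'ldap', keep 'sss'")

    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(sssd_text)
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        dom = cfg[section]
        if dom.get("access_provider") != "ldap":
            findings.append(f"{section}: access_provider must be 'ldap'")
            continue
        # sssd-ldap(5): ldap_access_order defaults to 'filter'.
        order = [m.strip() for m in dom.get("ldap_access_order", "filter").split(",")]
        if "host" not in order:
            findings.append(f"{section}: ldap_access_order lacks 'host'")
        # The filter is only evaluated by the 'filter' method; otherwise it is dead config.
        if "ldap_access_filter" in dom and "filter" not in order:
            findings.append(f"{section}: ldap_access_filter unused without 'filter' in ldap_access_order")
    return findings
```

Calling `audit(NSSWITCH, SSSD_CONF)` reports the three nsswitch databases and the stray ldap_access_filter; with ldap removed from nsswitch and the filter line deleted it returns an empty list.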
On 05/05/2015 06:47 PM, Gordon Messmer wrote:
> On 05/05/2015 03:02 AM, Ulrich Hiller wrote:
>> /etc/openldap/ldap.conf contains the line:
>> ------------------------------------------
>> pam_check_host_attr yes
>
> /etc/openldap/ldap.conf is the configuration file for openldap clients.
> It is not used for system authentication or name service.
>
>> 'pam_check_host_attr yes' is in /etc/openldap/ldap.conf. /etc/ldap.conf
>> is a softlink to that file.
>
> Those two files have completely different syntax and are used by
> different software. Don't symlink them.

I deleted the link now. /etc/ldap.conf was not present before. I gave openldap

>> /etc/sssd/sssd.conf:
>> --------------------
>
> If you're using sssd, then you're not using (or shouldn't be using) the
> PADL nss module. In that case, /etc/ldap.conf shouldn't even be present.
>
>> [domain/default]
>> access_provider = ldap
>> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
>> ldap_access_order = host
>
> ldap_access_filter should be an LDAP filter, not an OU. However, it's
> only used when ldap_access_order=filter. When using
> ldap_access_order=host, it should not be present.

ldap_access_filter is now commented out.

>> in /etc/nscd.conf:
>
> nscd is also not used when using sssd.
>
>> /etc/nsswitch.conf:
>> ...................
>> passwd: files sss ldap
>> shadow: files sss ldap
>> group: files sss ldap
>
> This is wrong. Don't use sss and ldap together. It's redundant. At
> best it will cause performance problems.
>
> Get rid of the ldap module and see if the system starts working
> correctly with just sssd. It's possible that right now sssd is
> correctly filtering users, but the PADL ldap module is providing them.

This was a good hint (I should have got the idea myself).

Now I set
passwd: files ldap
shadow: files ldap
group: files ldap
and got "pam_unix(sshd:auth): check pass; user unknown"

The same when I set in sssd.conf
services = pam

So, does it mean only the NSS is providing the ldap user information, and sssd cannot read the pam information? So pam is not set up correctly? I am confused about what to do now. Do I have to configure anything else in /etc/pam.d apart from system-auth?

With kind regards,
ulrich