CentOS - May 2015 - ldap host attribute is ignored

Dear list members,

i have installed a CentOS 7 x86_64 system. I want to let users
authenticate over our ldap server. This seems to be working.
ldap-username and ldap-passwords are accepted for the users configured
in the ldap server. No problem.

Now i want to restrict the access to users who have my centos-machine in
their ldap host attribute.

My problem is, that this host attribute seems to be ignored. Any ldap
user, independent from the host attribute, still can login in.

What could be the reason? (googling around did not lead me to a solution).

The cache is already flushed.

Here is my configuration:

/etc/openldap/ldap.conf contains the line:
------------------------------------------
 pam_check_host_attr     yes

/etc/sssd/sssd.conf:
--------------------
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = default
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LDAP

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/default]
ldap_uri = ldap://myldapserver.mydomain
ldap_search_base = o=XXXX
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/openldap/cacerts/
chpass_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
ldap_user_search_base = ou=YYYY,o=XXXX
ldap_group_search_base = ou=YYYY,o=XXXX

access_provider = ldap
ldap_access_filter = memberOf=ou=YYYY,o=XXXX
ldap_access_order = host


/etc/pam.d/system-auth:
-----------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 200 quiet_success
#auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_sss.so      use_first_pass
auth        required      pam_deny.so
auth    sufficient      pam_unix.so     try_first_pass

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 2000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass
local_users_only retry=3 authtok_typepassword    sufficient    pam_unix.so md5
shadow nullok try_first_pass
use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


in /etc/nscd.conf:
------------------
enable-cache            passwd          no
enable-cache            group           no
enable-cache            hosts           no
enable-cache            services        no
enable-cache            netgroup        no


/etc/nsswitch.conf:
...................
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
#initgroups: files

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss ldap

publickey:  nisplus

automount:  files sss ldap
aliases:    files nisplus


The ldap attributes of the user who can login, but should not:
--------------------------------------------------------------

dn: uid=USER1,ou=XXXX,o=YYYY
accountStatus: active
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: ibm-auxAccount
objectClass: qmailUser
objectClass: sambaSamAccount
uid: USER1
uidNumber: ****
shadowFlag: 0
shadowInactive: -1
gidNumber: ***
shadowMin: -1
shadowMax: 999999
homeDirectory: /home/USER1
sn: USER1
mail: USER1 at my.doma.in
mailHost: lmtp:unix:/var/lib/imap/socket/lmtp
shadowWarning: 7
sambaSID: *****************************************
shadowExpire: -1
mailAlternateAddress: USER1a
cn: surname lastname
gecos: surname lastname
loginShell: /bin/bash
host: another-node


What information is still missing?

Any hint is welcome.

Thank you in advance, ulrich

Hi,

On Tue, May 5, 2015 at 3:32 PM, Ulrich Hiller <hiller at mpia-hd.mpg.de>
wrote:
> Dear list members,
>
> i have installed a CentOS 7 x86_64 system. I want to let users
> authenticate over our ldap server. This seems to be working.
> ldap-username and ldap-passwords are accepted for the users configured
> in the ldap server. No problem.
>
> Now i want to restrict the access to users who have my centos-machine in
> their ldap host attribute.
>
> My problem is, that this host attribute seems to be ignored. Any ldap
> user, independent from the host attribute, still can login in.
>
> What could be the reason? (googling around did not lead me to a solution).
>
>
Try to set 'pam_check_host_attr yes' in /etc/ldap.conf .

--Regards
Ashishkumar S. Yadav

Hi,

'pam_check_host_attr yes' is in /etc/openldap/ldap.conf. /etc/ldap.conf
is a softlink to that file.

But still the host attribute is ignored.

With kind regards, ulrich


On 05/05/2015 12:32 PM, Ashish Yadav wrote:
> Hi,
> 
> On Tue, May 5, 2015 at 3:32 PM, Ulrich Hiller <hiller at
mpia-hd.mpg.de> wrote:
> 
>> Dear list members,
>>
>> i have installed a CentOS 7 x86_64 system. I want to let users
>> authenticate over our ldap server. This seems to be working.
>> ldap-username and ldap-passwords are accepted for the users configured
>> in the ldap server. No problem.
>>
>> Now i want to restrict the access to users who have my centos-machine
in
>> their ldap host attribute.
>>
>> My problem is, that this host attribute seems to be ignored. Any ldap
>> user, independent from the host attribute, still can login in.
>>
>> What could be the reason? (googling around did not lead me to a
solution).
>>
>>
> Try to set 'pam_check_host_attr yes' in /etc/ldap.conf .
> 
> --Regards
> Ashishkumar S. Yadav
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 
>

hi,

On 05/05/2015 12:02 PM, Ulrich Hiller wrote:
> access_provider = ldap
> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
> ldap_access_order = host
>


try  instead of  "ldap_access_order = host"  parameter 
"ldap_access_filter = host='HOSTNAME' " to use

regards, Kai

unfortunately i got a syntax error with this method "ldap_access_filter
= host='HOSTNAME' " and sssd did not restart.
i added the line
ldap_user_authorized_host = host
without success

I have to admit that i do not have any idea where to look for the problem:

- is it sssd? I have the version 1.12.2
- is it pam (something in /etc/pam.d)
- is is ldap (etc/ldap.conf)?
- is it /etc/nsswitch.conf?

The auhtentication with username and password works. Only the host
attribute is the problem.

We have several opensuse boxes of different OS versions running, and
ther it works very good. So i do not thing there is a problem on the
ldap server.


With kind regards, ulrich


On 05/05/2015 03:43 PM, Kai Grunau wrote:
> hi,
> 
> On 05/05/2015 12:02 PM, Ulrich Hiller wrote:
>> access_provider = ldap
>> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
>> ldap_access_order = host
>>
> 
> 
> 
> try  instead of  "ldap_access_order = host"  parameter
> "ldap_access_filter = host='HOSTNAME' " to use
> 
> regards, Kai
> 
> 
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 
>

On 05/05/2015 03:02 AM, Ulrich Hiller wrote:
> /etc/openldap/ldap.conf contains the line:
> ------------------------------------------
>   pam_check_host_attr     yes
/etc/openldap/ldap.conf is the configuration file for openldap clients.  
It is not used for system authentication or name service.
> 'pam_check_host_attr yes' is in /etc/openldap/ldap.conf.
/etc/ldap.conf
> is a softlink to that file.
Those two files have completely different syntax and are used by 
different software.  Don't symlink them.
> /etc/sssd/sssd.conf:
> --------------------
If you're using sssd, then you're not using (or shouldn't be using)
the
PADL nss module.  In that case, /etc/ldap.conf shouldn't even be present.
> [domain/default]
> access_provider = ldap
> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
> ldap_access_order = host
ldap_access_filter should be an LDAP filter, not an OU.  However, it's 
only used when ldap_access_order=filter.  When using 
ldap_access_order=host, it should not be present.
> in /etc/nscd.conf:
nscd is also not used when using sssd.
> /etc/nsswitch.conf:
> ...................
> passwd:     files sss ldap
> shadow:     files sss ldap
> group:      files sss ldap
This is wrong.  Don't use sss and ldap together.  It's redundant. At 
best it will cause performance problems.

Get rid of the ldap module and see if the system starts working 
correctly with just sssd.  It's possible that right now sssd is 
correctly filtering users, but the PADL ldap module is providing them.

On 05/05/2015 06:47 PM, Gordon Messmer wrote:
> On 05/05/2015 03:02 AM, Ulrich Hiller wrote:
>> /etc/openldap/ldap.conf contains the line:
>> ------------------------------------------
>>   pam_check_host_attr     yes
> 
> /etc/openldap/ldap.conf is the configuration file for openldap clients. 
> It is not used for system authentication or name service.
> 
>> 'pam_check_host_attr yes' is in /etc/openldap/ldap.conf.
/etc/ldap.conf
>> is a softlink to that file.
> 
> Those two files have completely different syntax and are used by
> different software.  Don't symlink them.
i deleted the link now. /etc/ldap.conf was not present before. I gave
openldap

> 
>> /etc/sssd/sssd.conf:
>> --------------------
> 
> If you're using sssd, then you're not using (or shouldn't be
using) the
> PADL nss module.  In that case, /etc/ldap.conf shouldn't even be
present.
> 
>> [domain/default]
>> access_provider = ldap
>> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
>> ldap_access_order = host
> 
> ldap_access_filter should be an LDAP filter, not an OU.  However, it's
> only used when ldap_access_order=filter.  When using
> ldap_access_order=host, it should not be present.
> 

ldap_access_filter is now commented out.

>> in /etc/nscd.conf:
> 
> nscd is also not used when using sssd.
> 
>> /etc/nsswitch.conf:
>> ...................
>> passwd:     files sss ldap
>> shadow:     files sss ldap
>> group:      files sss ldap
> 
> This is wrong.  Don't use sss and ldap together.  It's redundant.
At
> best it will cause performance problems.
> 
> Get rid of the ldap module and see if the system starts working
> correctly with just sssd.  It's possible that right now sssd is
> correctly filtering users, but the PADL ldap module is providing them.
> 

This was a good hint (i should have got the idea myself).
Now i set
passwd:     files ldap
shadow:     files ldap
group:      files ldap

and got "pam_unix(sshd:auth): check pass; user unknown"
the same when i set in sssd.conf
services = pam

So, does it mean only the NSS is providing the ldap user information,
and sssd cannot read the pam information? So pam is not set up correctly?

I am confused about what to do now.
Do i have to configure anything else in /etc/pam.d apart from system-auth?

With kind regards, ulrich