Ulrich Hiller wrote:
> that's interesting. "performing access check" is really missing.
>
> also the "sdap_access" lines are not there. Therefore i do have:
>
> (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_access_filter has no value
> (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_access_order has value host
> (Tue May 12 13:16:20 2015) [sssd[be[default]]] [be_process_init] (0x2000): ACCESS backend target successfully loaded from provider [ldap].
<snip>
I really don't know this level, but from the above, my first reaction is to see if there has to be an ldap_access_filter that then leads to the ldap_access_order in the chain.

mark
i thought this too.
I think this:

access_provider = ldap
ldap_access_filter = memberOf=host=does-not-exist-host
ldap_access_order = filter
ldap_user_authorized_host = host

must confuse sssd so much that it denies login. But the user without host attribute can still login.

With kind regards,
ulrich

On 05/12/2015 09:23 PM, m.roth at 5-cent.us wrote:
> Ulrich Hiller wrote:
>> that's interesting. "performing access check" is really missing.
>>
>> also the "sdap_access" lines are not there. Therefore i do have:
>>
>> (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_access_filter has no value
>> (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_access_order has value host
>> (Tue May 12 13:16:20 2015) [sssd[be[default]]] [be_process_init] (0x2000): ACCESS backend target successfully loaded from provider [ldap].
> <snip>
> I really don't know this level, but from the above, my first reaction is
> to see if there has to be an ldap_access_filter that then leads to the
> ldap_access_order in the chain.
>
> mark
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
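To make the diagnosis in this thread repeatable, here is an added example (not code from the thread or from the sssd project) that reads the `sssd_<domain>.log` lines quoted above and reports which access-control options the backend loaded and whether any access-check lines appear. It assumes the `[dp_get_options]` line format exactly as quoted in the thread, and it assumes sssd's documented default of `ldap_access_order = filter` when that option is not logged; the sample log is constructed from the three lines in the thread.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the three backend log lines quoted in the thread.
SAMPLE_LOG = """\
(Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_access_filter has no value
(Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_access_order has value host
(Tue May 12 13:16:20 2015) [sssd[be[default]]] [be_process_init] (0x2000): ACCESS backend target successfully loaded from provider [ldap].
"""

# Matches "[dp_get_options] (0x0400): Option NAME has value VALUE" and
# "... Option NAME has no value" (format assumed from the thread's lines).
OPTION_RE = re.compile(
    r"\[dp_get_options\] \(0x[0-9a-fA-F]+\): Option (\S+) has (?:value (.+?)|no value)\s*$"
)


def parse_access_options(log_text: str) -> Dict[str, Optional[str]]:
    """Return {option_name: value_or_None} for every ldap_access_* option logged."""
    options: Dict[str, Optional[str]] = {}
    for line in log_text.splitlines():
        match = OPTION_RE.search(line)
        if match and match.group(1).startswith("ldap_access_"):
            options[match.group(1)] = match.group(2)  # None when "has no value"
    return options


def access_check_seen(log_text: str) -> bool:
    """True if the log shows the access provider actually running for a login."""
    return any(
        "performing access check" in line.lower() or "[sdap_access" in line
        for line in log_text.splitlines()
    )


def diagnose(log_text: str) -> List[str]:
    """Cross-check the loaded options against each other and against the log."""
    opts = parse_access_options(log_text)
    # Assumption: sssd's documented default for ldap_access_order is "filter".
    order_value = opts.get("ldap_access_order") or "filter"
    order = [step.strip() for step in order_value.split(",") if step.strip()]
    findings: List[str] = []
    if "filter" in order and not opts.get("ldap_access_filter"):
        findings.append("'filter' is in ldap_access_order but ldap_access_filter has no value")
    if opts.get("ldap_access_filter") and "filter" not in order:
        findings.append(
            "ldap_access_filter is set but 'filter' is not in ldap_access_order, "
            "so the filter is never evaluated"
        )
    if not access_check_seen(log_text):
        findings.append("no access-check lines (performing access check / sdap_access) in this log")
    return findings


if __name__ == "__main__":
    for name, value in parse_access_options(SAMPLE_LOG).items():
        print(f"{name} = {value if value is not None else '<unset>'}")
    for finding in diagnose(SAMPLE_LOG):
        print("finding:", finding)
```

Run it against the whole domain log (`sudo python3 check_access.py < /var/log/sssd/sssd_default.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`): the useful signal is the combination of which steps `ldap_access_order` lists, whether each listed step has its option set, and whether the backend logged an access check at all for the login attempt you are testing.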
Ulrich Hiller wrote:
> i thought this too.
> I think this:
>
> access_provider = ldap
> ldap_access_filter = memberOf=host=does-not-exist-host
> ldap_access_order = filter
> ldap_user_authorized_host = host
>
> must confuse sssd so much that it denies login. But the user without
> host attribute can still login.
>
Wait - are you saying that it didn't deny, but now it does? If that's the case, then you're almost there, just that the condition is backwards (like sshd_config, with PermitRootLogin Without-Password means that you have to use a key, not that it permits root to come in without a password....)

mark