Displaying 15 results from an estimated 15 matches for "ldap_access_filter".

2015 May 05
2
ldap host attribute is ignored
unfortunately i got a syntax error with this method "ldap_access_filter = host='HOSTNAME' " and sssd did not restart. i added the line ldap_user_authorized_host = host without success I have to admit that i do not have any idea where to look for the problem: - is it sssd? I have the version 1.12.2 - is it pam (something in /etc/pam.d) - is it ldap (etc/l...
2015 May 05
6
ldap host attribute is ignored
...entryuuid ldap_id_use_start_tls = True enumerate = False cache_credentials = False ldap_tls_cacertdir = /etc/openldap/cacerts/ chpass_provider = ldap auth_provider = ldap ldap_tls_reqcert = never ldap_user_search_base = ou=YYYY,o=XXXX ldap_group_search_base = ou=YYYY,o=XXXX access_provider = ldap ldap_access_filter = memberOf=ou=YYYY,o=XXXX ldap_access_order = host /etc/pam.d/system-auth: ----------------------- #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first...
2015 Feb 23
2
sssd - ldap host attribute ignored
...entryuuid ldap_id_use_start_tls = True enumerate = False cache_credentials = False ldap_tls_cacertdir = /etc/openldap/cacerts/ chpass_provider = ldap auth_provider = ldap ldap_tls_reqcert = never ldap_user_search_base = ou=YYYY,o=XXXX ldap_group_search_base = ou=YYYY,o=XXXX access_provider = ldap ldap_access_filter = memberOf=ou=YYYY,o=XXXX ldap_access_order = host /etc/ldap.conf: ---------------------- # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:6...
2015 May 12
2
ldap host attribute is ignored
Ulrich Hiller wrote: > that's interesting. "performing access check" is really missing. > > also the "sdap_access" lines are not there. Therefore i do have: > > (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options] > (0x0400): Option ldap_access_filter has no value > (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options] > (0x0400): Option ldap_access_order has value host > (Tue May 12 13:16:20 2015) [sssd[be[default]]] [be_process_init] > (0x2000): ACCESS backend target successfully loaded from provider [ldap]. <snip>...
2015 May 05
4
ldap host attribute is ignored
...tc/sssd/sssd.conf: >> -------------------- > > If you're using sssd, then you're not using (or shouldn't be using) the > PADL nss module. In that case, /etc/ldap.conf shouldn't even be present. > >> [domain/default] >> access_provider = ldap >> ldap_access_filter = memberOf=ou=YYYY,o=XXXX >> ldap_access_order = host > > ldap_access_filter should be an LDAP filter, not an OU. However, it's > only used when ldap_access_order=filter. When using > ldap_access_order=host, it should not be present. > ldap_access_filter is now commen...
2015 Feb 24
0
sssd - ldap host attribute ignored
On 02/23/2015 03:59 AM, Ulrich Hiller wrote: > > /etc/sssd/sssd.conf: > [domain/default] > access_provider = ldap > ldap_access_filter = memberOf=ou=YYYY,o=XXXX > ldap_access_order = host Because ldap_access_order doesn't include "filter", ldap_access_filter will not be used. You can remove that. Aside from that, it would be helpful to see the entry for one of the users who can log in and should not be able t...
2015 May 05
0
ldap host attribute is ignored
hi, On 05/05/2015 12:02 PM, Ulrich Hiller wrote: > access_provider = ldap > ldap_access_filter = memberOf=ou=YYYY,o=XXXX > ldap_access_order = host > try instead of "ldap_access_order = host" parameter "ldap_access_filter = host='HOSTNAME' " to use regards, Kai
2015 May 05
0
ldap host attribute is ignored
Ulrich Hiller wrote: > unfortunately i got a syntax error with this method "ldap_access_filter > = host='HOSTNAME' " and sssd did not restart. > i added the line > ldap_user_authorized_host = host > without success > > I have to admit that i do not have any idea where to look for the problem: <snip> google centos "ldap_access_filter" host and a...
2015 May 05
0
ldap host attribute is ignored
.... Don't symlink them. > /etc/sssd/sssd.conf: > -------------------- If you're using sssd, then you're not using (or shouldn't be using) the PADL nss module. In that case, /etc/ldap.conf shouldn't even be present. > [domain/default] > access_provider = ldap > ldap_access_filter = memberOf=ou=YYYY,o=XXXX > ldap_access_order = host ldap_access_filter should be an LDAP filter, not an OU. However, it's only used when ldap_access_order=filter. When using ldap_access_order=host, it should not be present. > in /etc/nscd.conf: nscd is also not used when using sss...
2015 May 12
0
ldap host attribute is ignored
i thought this too. I think this: access_provider = ldap ldap_access_filter = memberOf=host=does-not-exist-host ldap_access_order = filter ldap_user_authorized_host = host must confuse sssd so much that it denies login. But the user without host attribute can still login. With kind regards, ulrich On 05/12/2015 09:23 PM, m.roth at 5-cent.us wrote: > Ulrich Hiller w...
2015 May 12
1
ldap host attribute is ignored
Ulrich Hiller wrote: > i thought this too. > I think this: > > access_provider = ldap > ldap_access_filter = memberOf=host=does-not-exist-host > ldap_access_order = filter > ldap_user_authorized_host = host > > must confuse sssd so much that it denies login. But the user without > host attribute can still login. > Wait - are you saying that it didn't deny, but now it does? If that&...
2015 May 12
3
ldap host attribute is ignored
On 05/12/2015 06:25 AM, Ulrich Hiller wrote: > > i have set logging in sssd to 9: 7 might be good enough for what you want to find. I added this to domain/default section: access_provider = ldap ldap_access_order = host ldap_user_authorized_host = host debug_level = 7 /var/log/sssd/sssd_default.log logged the following for one user which had no "host" attribute, and was
2015 May 12
0
ldap host attribute is ignored
that's interesting. "performing access check" is really missing. also the "sdap_access" lines are not there. Therefore i do have: (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_access_filter has no value (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_access_order has value host (Tue May 12 13:16:20 2015) [sssd[be[default]]] [be_process_init] (0x2000): ACCESS backend target successfully loaded from provider [ldap]. "Requesting attrs: [object...
2015 May 06
2
ldap host attribute is ignored
...autofs_provider = ldap krb5_realm = # [autofs] When i stop the sssd daemon, no login at all is possible. But when i start sssd, again login is successful, independently from what i write into ldap_access_order and ldap_user_authorized_host (if i don't commit syntax errors). I also tried with ldap_access_filter and inserting "pam_check_host_attr yes" into ldap.conf. Still the same: When username and password are correct, the host attribute is ignored. Is there another config file i have to edit? With kind regards, ulrich On 05/05/2015 11:43 PM, Gordon Messmer wrote: > On 05/05/2015 11:...
2018 Jul 20
2
SSSD on CentOS 7 failing to start when connecting to 4.8.3 AD via LDAP
...ldap_user_shell = loginShell ldap_group_object_class = group ldap_force_upper_case_realm = True ldap_uri = ldap://192.168.192.50 ldap_search_base = dc=ad,dc=company,dc=com ldap_id_use_start_tls = false ldap_tls_reqcert = never ldap_tls_cacert = /etc/sssd/ca.company.com.crt access_provider = ldap ldap_access_filter = memberOf=cn=ServerAdmins,ou=Groups,dc=ad,dc=company,dc=com ldap_default_authtok_type = password ldap_default_bind_dn = sssd at ad.company.com ldap_default_authtok = Password1 [pam] I tried adding the sudo roles schema to active directory to see if it would resolve the sssd not starting issu...