Displaying 20 results from an estimated 31 matches for "ldap_access_ord".
2015 May 12
2
ldap host attribute is ignored
...> also the "sdap_access" lines are not there. Therefore I do have:
>
> (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options]
> (0x0400): Option ldap_access_filter has no value
> (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options]
> (0x0400): Option ldap_access_order has value host
> (Tue May 12 13:16:20 2015) [sssd[be[default]]] [be_process_init]
> (0x2000): ACCESS backend target successfully loaded from provider [ldap].
<snip>
I really don't know this level, but from the above, my first reaction is
to see if there has to be an ldab_access_fi...
2015 May 05
6
ldap host attribute is ignored
...rate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/openldap/cacerts/
chpass_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
ldap_user_search_base = ou=YYYY,o=XXXX
ldap_group_search_base = ou=YYYY,o=XXXX
access_provider = ldap
ldap_access_filter = memberOf=ou=YYYY,o=XXXX
ldap_access_order = host
/etc/pam.d/system-auth:
-----------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succee...
2015 Feb 23
2
sssd - ldap host attribute ignored
...can log in there as a usual user registered in ldap.
I now want to restrict the access with ldap's host attribute. This is
being ignored. Still every ldap user can log in, no matter what the host
attribute says.
I googled around and only found that sssd.conf needs two lines:
access_provider = ldap
ldap_access_order = host
So i do not understand why it is not working. I append to this e-mail:
/etc/sssd/sssd.conf
/etc/ldap.conf
/etc/pamd.d/ssh
Can somebody give me hints what could be wrong?
With kind regards and thanks a lot in advance, Ulrich
/etc/sssd/sssd.conf:
--------------------
[sssd]
config_file_...
2015 May 12
3
ldap host attribute is ignored
On 05/12/2015 06:25 AM, Ulrich Hiller wrote:
>
> I have set logging in sssd to 9:
7 might be good enough for what you want to find. I added this to
domain/default section:
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
debug_level = 7
/var/log/sssd/sssd_default.log logged the following for one user which
had no "host" attribute, and was denied login:
-----
(Tue May 12 10:35:35 2015) [sssd[be[default]]]
[sdap_get_initgr_next_base] (0x0400): Searching for user...
2015 May 05
0
ldap host attribute is ignored
...nf:
> --------------------
If you're using sssd, then you're not using (or shouldn't be using) the
PADL nss module. In that case, /etc/ldap.conf shouldn't even be present.
> [domain/default]
> access_provider = ldap
> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
> ldap_access_order = host
ldap_access_filter should be an LDAP filter, not an OU. However, it's
only used when ldap_access_order=filter. When using
ldap_access_order=host, it should not be present.
> in /etc/nscd.conf:
nscd is also not used when using sssd.
> /etc/nsswitch.conf:
> ................
2015 May 12
0
ldap host attribute is ignored
I thought this too.
I think this:
access_provider = ldap
ldap_access_filter = memberOf=host=does-not-exist-host
ldap_access_order = filter
ldap_user_authorized_host = host
must confuse sssd so much that it denies login. But the user without
host attribute can still login.
With kind regards, ulrich
On 05/12/2015 09:23 PM, m.roth at 5-cent.us wrote:
> Ulrich Hiller wrote:
>> that's interesting. "performi...
2015 May 05
4
ldap host attribute is ignored
...> If you're using sssd, then you're not using (or shouldn't be using) the
> PADL nss module. In that case, /etc/ldap.conf shouldn't even be present.
>
>> [domain/default]
>> access_provider = ldap
>> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
>> ldap_access_order = host
>
> ldap_access_filter should be an LDAP filter, not an OU. However, it's
> only used when ldap_access_order=filter. When using
> ldap_access_order=host, it should not be present.
>
ldap_access_filter is now commented out.
>> in /etc/nscd.conf:
>
> n...
2015 May 12
0
ldap host attribute is ignored
...eck" is really missing.
also the "sdap_access" lines are not there. Therefore I do have:
(Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options]
(0x0400): Option ldap_access_filter has no value
(Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options]
(0x0400): Option ldap_access_order has value host
(Tue May 12 13:16:20 2015) [sssd[be[default]]] [be_process_init]
(0x2000): ACCESS backend target successfully loaded from provider [ldap].
"Requesting attrs: [objectClass]" and "Requesting attrs: [host]" are in
the logfile.
So there is no access check apart...
2015 May 06
2
ldap host attribute is ignored
...group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/ssl/certs
chpass_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
ldap_user_search_base = ou=YYY,o=XXX
ldap_group_search_base = ou=YYY,o=XXX
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
autofs_provider = ldap
krb5_realm = #
[autofs]
When I stop the sssd daemon, no login at all is possible. But when I
start sssd, again login is successful, independently of what I write
into ldap_access_order and ldap_user_authorized_host (if I don'...
2016 Sep 02
3
Samba4 and sssd authentication not working due "Transport encryption required."
..._user_search_base = dc=xx,dc=xx
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_search_base = dc=xx,dc=xx
ldap_group_object_class = group
ldap_group_member = memberOf
access_provider = simple
simple_allow_groups = IT
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
[domain/default]
cache_credentials = False
2015 Feb 24
0
sssd - ldap host attribute ignored
On 02/23/2015 03:59 AM, Ulrich Hiller wrote:
>
> /etc/sssd/sssd.conf:
> [domain/default]
> access_provider = ldap
> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
> ldap_access_order = host
Because ldap_access_order doesn't include "filter", ldap_access_filter
will not be used. You can remove that.
Aside from that, it would be helpful to see the entry for one of the
users who can log in and should not be able to.
Make sure you flush the cache before testin...
2015 May 05
0
ldap host attribute is ignored
hi,
On 05/05/2015 12:02 PM, Ulrich Hiller wrote:
> access_provider = ldap
> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
> ldap_access_order = host
>
try instead of "ldap_access_order = host" parameter
"ldap_access_filter = host='HOSTNAME' " to use
regards, Kai
2015 May 05
2
ldap host attribute is ignored
...very good. So I do not think there is a problem on the
ldap server.
With kind regards, ulrich
On 05/05/2015 03:43 PM, Kai Grunau wrote:
> hi,
>
> On 05/05/2015 12:02 PM, Ulrich Hiller wrote:
>> access_provider = ldap
>> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
>> ldap_access_order = host
>>
>
>
>
> try instead of "ldap_access_order = host" parameter
> "ldap_access_filter = host='HOSTNAME' " to use
>
> regards, Kai
2015 May 12
1
ldap host attribute is ignored
Ulrich Hiller wrote:
> I thought this too.
> I think this:
>
> access_provider = ldap
> ldap_access_filter = memberOf=host=does-not-exist-host
> ldap_access_order = filter
> ldap_user_authorized_host = host
>
> must confuse sssd so much that it denies login. But the user without
> host attribute can still login.
>
Wait - are you saying that it didn't deny, but now it does? If that's the
case, then you're almost there, just that t...
2016 Sep 02
4
Samba4 and sssd authentication not working due "Transport encryption required."
...p_user_principal = userPrincipalName
> > ldap_group_search_base = dc=xx,dc=xx
> > ldap_group_object_class = group
> > ldap_group_member = memberOf
> > access_provider = simple
> >
> >
> >
> > simple_allow_groups = IT
> >
> >
> > ldap_access_order = expire
> > ldap_account_expire_policy = ad
> > ldap_force_upper_case_realm = true
> > [domain/default]
> > cache_credentials = False
> >
>
> The error message is pretty clear. Samba now requires SSL/TLS for LDAP
> binds. Once you have enabled TLS in sssd...
2015 May 11
2
ldap host attribute is ignored
...uid
> ldap_id_use_start_tls = True
> enumerate = False
> cache_credentials = False
> ldap_tls_cacertdir = /etc/openldap/cacerts/
> chpass_provider = ldap
> auth_provider = ldap
> ldap_tls_reqcert = never
> ldap_user_search_base = ou=YYY,o=XXX
> access_provider = ldap
> ldap_access_order = host
> ldap_user_authorized_host = host
> autofs_provider = ldap
>
> [sssd]
> services = nss, pam, autofs
> config_file_version = 2
> domains = default
>
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
>
>
> My /etc/p...
2015 May 07
2
ldap host attribute is ignored
...s available"
id <username>
and
getent passwd
and
ldapsearch -x -b "ou=XXX,o=YYY" uid=<username>
give the correct results
ldapsearch also gives the correct host attribute I have set in the ldap
server.
Regarding the manpage of sssd.conf the lines
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
should be correct.
login with the wrong password gives a denied login.
login with the correct password always works.
This is my situation since the beginning of my thread.
When I log in from a "wrong" host which is different than the one in the
host...
2016 Sep 03
1
Samba4 and sssd authentication not working due "Transport encryption required."
...= dc=xx,dc=xx
>>>> ldap_group_object_class = group
>>>> ldap_group_member = memberOf
>>>> access_provider = simple
>>>>
>>>>
>>>>
>>>> simple_allow_groups = IT
>>>>
>>>>
>>>> ldap_access_order = expire
>>>> ldap_account_expire_policy = ad
>>>> ldap_force_upper_case_realm = true
>>>> [domain/default]
>>>> cache_credentials = False
>>>>
>>>
>>> The error message is pretty clear. Samba now requires SSL/TLS for...
2015 May 11
3
ldap host attribute is ignored
On 05/09/2015 01:24 PM, Jonathan Billings wrote:
> Is it normal to have pam_unix and pam_sss twice for each section?
No. See my previous message. I think it's the result of copying
portions of SuSE configurations.
2015 May 06
0
ldap host attribute is ignored
...bly don't need to set them.
> [domain/default]
> ldap_id_use_start_tls = True
> ldap_tls_cacertdir = /etc/ssl/certs
> ldap_tls_reqcert = never
Not sure about that setting. "allow" is probably what you want if
you're using starttls.
> access_provider = ldap
> ldap_access_order = host
> ldap_user_authorized_host = host
...
> When I stop the sssd daemon, no login at all is possible.
OK. Remember that previously you had both sssd and ldap configured to
provide user information.
You'll want to watch the logs for more information.
Start by determining whether...