search for: ldap_user_authorized_host

Displaying 19 results from an estimated 19 matches for "ldap_user_authorized_host".

2015 May 05
2
ldap host attribute is ignored
unfortunately i got a syntax error with this method "ldap_access_filter = host='HOSTNAME' " and sssd did not restart. i added the line ldap_user_authorized_host = host without success I have to admit that i do not have any idea where to look for the problem: - is it sssd? I have the version 1.12.2 - is it pam (something in /etc/pam.d) - is it ldap (etc/ldap.conf)? - is it /etc/nsswitch.conf? The authentication with username and password works. Only the...
2015 May 06
2
ldap host attribute is ignored
...ap_id_use_start_tls = True enumerate = False cache_credentials = False ldap_tls_cacertdir = /etc/ssl/certs chpass_provider = ldap auth_provider = ldap ldap_tls_reqcert = never ldap_user_search_base = ou=YYY,o=XXX ldap_group_search_base = ou=YYY,o=XXX access_provider = ldap ldap_access_order = host ldap_user_authorized_host = host autofs_provider = ldap krb5_realm = # [autofs] When i stop the sssd daemon, no login at all is possible. But when i start sssd, again login is successful, independently from what i write into ldap_access_order and ldap_user_authorized_host (if i don't commit syntax errors). I also tri...
2015 May 05
4
ldap host attribute is ignored
On 05/05/2015 06:47 PM, Gordon Messmer wrote: > On 05/05/2015 03:02 AM, Ulrich Hiller wrote: >> /etc/openldap/ldap.conf contains the line: >> ------------------------------------------ >> pam_check_host_attr yes > > /etc/openldap/ldap.conf is the configuration file for openldap clients. > It is not used for system authentication or name service. > >>
2015 May 12
3
ldap host attribute is ignored
On 05/12/2015 06:25 AM, Ulrich Hiller wrote: > > i have set logging in sssd to 9: 7 might be good enough for what you want to find. I added this to domain/default section: access_provider = ldap ldap_access_order = host ldap_user_authorized_host = host debug_level = 7 /var/log/sssd/sssd_default.log logged the following for one user which had no "host" attribute, and was denied login: ----- (Tue May 12 10:35:35 2015) [sssd[be[default]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [dc=private,dc=example...
2015 May 12
2
ldap host attribute is ignored
Ulrich Hiller wrote: > that's interesting. "performing access check" is really missing. > > also the "sdap_access" lines are not there. Therefore i do have: > > (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options] > (0x0400): Option ldap_access_filter has no value > (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options] > (0x0400):
2015 May 12
1
ldap host attribute is ignored
Ulrich Hiller wrote: > i thought this too. > I think this: > > access_provider = ldap > ldap_access_filter = memberOf=host=does-not-exist-host > ldap_access_order = filter > ldap_user_authorized_host = host > > must confuse sssd so much that it denies login. But the user without > host attribute can still login. > Wait - are you saying that it didn't deny, but now it does? If that's the case, then you're almost there, just that the condition is backwards (like sshd_confi...
2015 May 12
0
ldap host attribute is ignored
...: [host]" are in the logfile. So there is no access check apart from username and password check - otherwise i would not have been able to login. The question is why doesn't it perform these checks. Just to repeat: My sssd.conf contains access_provider = ldap ldap_access_order = host ldap_user_authorized_host = host I read something about "pam_check_host_attr" in /etc/ldap.conf But this does not help in my /etc/openldap/ldap.conf (already tested). Any idea is still welcome. With kind regards, ulrich On 05/12/2015 07:45 PM, Gordon Messmer wrote: > On 05/12/2015 06:25 AM, Ulrich Hiller...
2015 May 11
2
ldap host attribute is ignored
...= True > enumerate = False > cache_credentials = False > ldap_tls_cacertdir = /etc/openldap/cacerts/ > chpass_provider = ldap > auth_provider = ldap > ldap_tls_reqcert = never > ldap_user_search_base = ou=YYY,o=XXX > access_provider = ldap > ldap_access_order = host > ldap_user_authorized_host = host > autofs_provider = ldap > > [sssd] > services = nss, pam, autofs > config_file_version = 2 > domains = default > > [nss] > > [pam] > > [sudo] > > [autofs] > > [ssh] > > > > My /etc/pam.d/system-auth > #%PAM-1.0 > # T...
2015 May 07
2
ldap host attribute is ignored
...<username> and getent passwd and ldapsearch -x -b "ou=XXX,o=YYY" uid=<username> give the correct results ldapsearch gives also the correct host attribute i have set in the ldap server. Regarding the manpage of sssd.conf the lines access_provider = ldap ldap_access_order = host ldap_user_authorized_host = host should be correct. login with the wrong password gives a denied login. login with the correct password always works. This is my situation since the beginning of my thread. When i login from a "wrong" host which is different than the one in the host attribute of the ldap, i expect a m...
2015 May 11
3
ldap host attribute is ignored
On 05/09/2015 01:24 PM, Jonathan Billings wrote: > Is it normal to have pam_unix and pam_sss twice for each section? No. See my previous message. I think it's the result of copying portions of SuSE configurations.
2015 May 05
0
ldap host attribute is ignored
Ulrich Hiller wrote: > unfortunately i got a syntax error with this method "ldap_access_filter > = host='HOSTNAME' " and sssd did not restart. > i added the line > ldap_user_authorized_host = host > without success > > I have to admit that i do not have any idea where to look for the problem: <snip> google centos "ldap_access_filter" host and about the first hit is this thread, which may help you. <http://serverfault.com/questions/564255/sssd-ignoring-lda...
2015 May 05
0
ldap host attribute is ignored
Hi, I am confused about what to do now. > Do i have to configure anything else in /etc/pam.d apart from system-auth? > IMO, you have to configure sssd.conf properly. Please add "ldap_user_authorized_host = host" in your sssd.conf which you have not configured. After that please check again. For more information, please refer to the link below. <https://lists.fedorahosted.org/pipermail/sssd-users/2015-May/003001.html> --Regards Ashishkumar S. Yadav
2015 May 06
0
ldap host attribute is ignored
.... > [domain/default] > ldap_id_use_start_tls = True > ldap_tls_cacertdir = /etc/ssl/certs > ldap_tls_reqcert = never Not sure about that setting. "allow" is probably what you want if you're using starttls. > access_provider = ldap > ldap_access_order = host > ldap_user_authorized_host = host ... > When i stop the sssd daemon, no login at all is possible. OK. Remember that previously you had both sssd and ldap configured to provide user information. You'll want to watch the logs for more information. Start by determining whether the problem is in the name service or...
2015 May 12
0
ldap host attribute is ignored
i thought this too. I think this: access_provider = ldap ldap_access_filter = memberOf=host=does-not-exist-host ldap_access_order = filter ldap_user_authorized_host = host must confuse sssd so much that it denies login. But the user without host attribute can still login. With kind regards, ulrich On 05/12/2015 09:23 PM, m.roth at 5-cent.us wrote: > Ulrich Hiller wrote: >> that's interesting. "performing access check" is really missi...
2015 May 11
0
ldap host attribute is ignored
...ldap_group_uuid = entryuuid ldap_id_use_start_tls = True enumerate = False cache_credentials = False ldap_tls_cacertdir = /etc/openldap/cacerts/ chpass_provider = ldap auth_provider = ldap ldap_tls_reqcert = never ldap_user_search_base = ou=YYY,o=XXX access_provider = ldap ldap_access_order = host ldap_user_authorized_host = host autofs_provider = ldap [sssd] services = nss, pam, autofs config_file_version = 2 domains = default [nss] [pam] [sudo] [autofs] [ssh] My /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth requ...
2015 May 11
0
ldap host attribute is ignored
..._id_use_start_tls = True > enumerate = False > cache_credentials = False > ldap_tls_cacertdir = /etc/openldap/cacerts/ chpass_provider = ldap > auth_provider = ldap ldap_tls_reqcert = never ldap_user_search_base = > ou=YYY,o=XXX access_provider = ldap ldap_access_order = host > ldap_user_authorized_host = host autofs_provider = ldap > > [sssd] > services = nss, pam, autofs > config_file_version = 2 > domains = default > > [nss] > > [pam] > > [sudo] > > [autofs] > > [ssh] > > > > My /etc/pam.d/system-auth > #%PAM-1.0 > # This f...
2015 May 11
3
ldap host attribute is ignored
On 05/11/2015 10:06 AM, Ulrich Hiller wrote: > Hmmm...., i have made now a complete new install but the problem > persists: ldap authentication works, but the host attribute is ignored. Hate to say that we're running out of options. I had a CentOS 7 system similar to yours, with LDAP authentication. I added three lines to sssd.conf (for access provider, etc), restarted sssd, and
2015 May 08
4
ldap host attribute is ignored
>> But instead i get >> centos: sshd[7929]: pam_unix(sshd:session): session opened for user >> <username> > > "pam_unix" should be an indication that <username> appears in the local > unix password files. Make sure that it doesn't. Nope. None of the usernames i tried is in /etc/passwd or /etc/shadow > > What do /etc/pam.d/sshd and
2015 May 05
6
ldap host attribute is ignored
Dear list members, i have installed a CentOS 7 x86_64 system. I want to let users authenticate over our ldap server. This seems to be working. ldap-username and ldap-passwords are accepted for the users configured in the ldap server. No problem. Now i want to restrict the access to users who have my centos-machine in their ldap host attribute. My problem is, that this host attribute seems to be