Displaying 19 results from an estimated 19 matches for "ldap_user_authorized_host".
2015 May 05
2
ldap host attribute is ignored
unfortunately i got a syntax error with this method "ldap_access_filter
= host='HOSTNAME' " and sssd did not restart.
i added the line
ldap_user_authorized_host = host
without success
I have to admit that i do not have any idea where to look for the problem:
- is it sssd? I have the version 1.12.2
- is it pam (something in /etc/pam.d)
- is it ldap (/etc/ldap.conf)?
- is it /etc/nsswitch.conf?
The authentication with username and password works. Only the...
2015 May 06
2
ldap host attribute is ignored
...ap_id_use_start_tls = True
enumerate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/ssl/certs
chpass_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
ldap_user_search_base = ou=YYY,o=XXX
ldap_group_search_base = ou=YYY,o=XXX
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
autofs_provider = ldap
krb5_realm = #
[autofs]
When i stop the sssd daemon, no login at all is possible. But when i
start sssd, again login is successful, independently from what i write
into ldap_access_order and ldap_user_authorized_host (if i don't commit
syntax errors). I also tri...
2015 May 05
4
ldap host attribute is ignored
On 05/05/2015 06:47 PM, Gordon Messmer wrote:
> On 05/05/2015 03:02 AM, Ulrich Hiller wrote:
>> /etc/openldap/ldap.conf contains the line:
>> ------------------------------------------
>> pam_check_host_attr yes
>
> /etc/openldap/ldap.conf is the configuration file for openldap clients.
> It is not used for system authentication or name service.
>
>>
2015 May 12
3
ldap host attribute is ignored
On 05/12/2015 06:25 AM, Ulrich Hiller wrote:
>
> i have set logging in sssd to 9:
7 might be good enough for what you want to find. I added this to
domain/default section:
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
debug_level = 7
/var/log/sssd/sssd_default.log logged the following for one user which
had no "host" attribute, and was denied login:
-----
(Tue May 12 10:35:35 2015) [sssd[be[default]]]
[sdap_get_initgr_next_base] (0x0400): Searching for users with base
[dc=private,dc=example...
2015 May 12
2
ldap host attribute is ignored
Ulrich Hiller wrote:
> that's interesting. "performing access check" is really missing.
>
> also the "sdap_access" lines are not there. Therefore i do have:
>
> (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options]
> (0x0400): Option ldap_access_filter has no value
> (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options]
> (0x0400):
2015 May 12
1
ldap host attribute is ignored
Ulrich Hiller wrote:
> i thought this too.
> I think this:
>
> access_provider = ldap
> ldap_access_filter = memberOf=host=does-not-exist-host
> ldap_access_order = filter
> ldap_user_authorized_host = host
>
> must confuse sssd so much that it denies login. But the user without
> host attribute can still login.
>
Wait - are you saying that it didn't deny, but now it does? If that's the
case, then you're almost there, just that the condition is backwards (like
sshd_confi...
2015 May 12
0
ldap host attribute is ignored
...: [host]" are in
the logfile.
So there is no access check apart from username and password check -
otherwise i would not have been able to login.
The question is why doesn't it perform these checks.
Just to repeat: My sssd.conf contains
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
I read something about "pam_check_host_attr" in /etc/ldap.conf. But this
does not help in my /etc/openldap/ldap.conf (already tested).
Any idea is still welcome.
With kind regards, ulrich
On 05/12/2015 07:45 PM, Gordon Messmer wrote:
> On 05/12/2015 06:25 AM, Ulrich Hiller...
2015 May 11
2
ldap host attribute is ignored
...= True
> enumerate = False
> cache_credentials = False
> ldap_tls_cacertdir = /etc/openldap/cacerts/
> chpass_provider = ldap
> auth_provider = ldap
> ldap_tls_reqcert = never
> ldap_user_search_base = ou=YYY,o=XXX
> access_provider = ldap
> ldap_access_order = host
> ldap_user_authorized_host = host
> autofs_provider = ldap
>
> [sssd]
> services = nss, pam, autofs
> config_file_version = 2
> domains = default
>
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
>
>
> My /etc/pam.d/system-auth
> #%PAM-1.0
> # T...
2015 May 07
2
ldap host attribute is ignored
...<username>
and
getent passwd
and
ldapsearch -x -b "ou=XXX,o=YYY" uid=<username>
give the correct results
ldapsearch also gives the correct host attribute i have set in the ldap
server.
Regarding the manpage of sssd.conf the lines
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
should be correct.
login with the wrong password gives a denied login.
login with the correct password always works.
This is my situation since the beginning of my thread.
When i login from a "wrong" host which is different than the one in the
host attribute of the ldap, i expect a m...
2015 May 11
3
ldap host attribute is ignored
On 05/09/2015 01:24 PM, Jonathan Billings wrote:
> Is it normal to have pam_unix and pam_sss twice for each section?
No. See my previous message. I think it's the result of copying
portions of SuSE configurations.
2015 May 05
0
ldap host attribute is ignored
Ulrich Hiller wrote:
> unfortunately i got a syntax error with this method "ldap_access_filter
> = host='HOSTNAME' " and sssd did not restart.
> i added the line
> ldap_user_authorized_host = host
> without success
>
> I have to admit that i do not have any idea where to look for the problem:
<snip>
google centos "ldap_access_filter" host
and about the first hit is this thread, which may help you.
<http://serverfault.com/questions/564255/sssd-ignoring-lda...
2015 May 05
0
ldap host attribute is ignored
Hi,
I am confused about what to do now.
> Do i have to configure anything else in /etc/pam.d apart from system-auth?
>
IMO, you have to configure sssd.conf properly.
Please add "ldap_user_authorized_host = host" in your sssd.conf which you
have not configured.
After that please check again.
For more information, please refer below link.
<https://lists.fedorahosted.org/pipermail/sssd-users/2015-May/003001.html>
--Regards
Ashishkumar S. Yadav
2015 May 06
0
ldap host attribute is ignored
....
> [domain/default]
> ldap_id_use_start_tls = True
> ldap_tls_cacertdir = /etc/ssl/certs
> ldap_tls_reqcert = never
Not sure about that setting. "allow" is probably what you want if
you're using starttls.
> access_provider = ldap
> ldap_access_order = host
> ldap_user_authorized_host = host
...
> When i stop the sssd daemon, no login at all is possible.
OK. Remember that previously you had both sssd and ldap configured to
provide user information.
You'll want to watch the logs for more information.
Start by determining whether the problem is in the name service or...
2015 May 12
0
ldap host attribute is ignored
i thought this too.
I think this:
access_provider = ldap
ldap_access_filter = memberOf=host=does-not-exist-host
ldap_access_order = filter
ldap_user_authorized_host = host
must confuse sssd so much that it denies login. But the user without
host attribute can still login.
With kind regards, ulrich
On 05/12/2015 09:23 PM, m.roth at 5-cent.us wrote:
> Ulrich Hiller wrote:
>> that's interesting. "performing access check" is really missi...
2015 May 11
0
ldap host attribute is ignored
...ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/openldap/cacerts/
chpass_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
ldap_user_search_base = ou=YYY,o=XXX
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
autofs_provider = ldap
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default
[nss]
[pam]
[sudo]
[autofs]
[ssh]
My /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth requ...
2015 May 11
0
ldap host attribute is ignored
..._id_use_start_tls = True
> enumerate = False
> cache_credentials = False
> ldap_tls_cacertdir = /etc/openldap/cacerts/
> chpass_provider = ldap
> auth_provider = ldap
> ldap_tls_reqcert = never
> ldap_user_search_base = ou=YYY,o=XXX
> access_provider = ldap
> ldap_access_order = host
> ldap_user_authorized_host = host
> autofs_provider = ldap
>
> [sssd]
> services = nss, pam, autofs
> config_file_version = 2
> domains = default
>
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
>
>
> My /etc/pam.d/system-auth
> #%PAM-1.0
> # This f...
2015 May 11
3
ldap host attribute is ignored
On 05/11/2015 10:06 AM, Ulrich Hiller wrote:
> Hmmm...., i have made now a complete new install but the problem
> persists: ldap authentication works, but the host attribute is ignored.
Hate to say that we're running out of options. I had a CentOS 7 system
similar to yours, with LDAP authentication. I added three lines to
sssd.conf (for access provider, etc), restarted sssd, and
2015 May 08
4
ldap host attribute is ignored
>> But instead i get
>> centos: sshd[7929]: pam_unix(sshd:session): session opened for user
>> <username>
>
> "pam_unix" should be an indication that <username> appears in the local
> unix password files. Make sure that it doesn't.
Nope. None of the usernames i tried is in /etc/passwd or /etc/shadow
>
> What do /etc/pam.d/sshd and
2015 May 05
6
ldap host attribute is ignored
Dear list members,
i have installed a CentOS 7 x86_64 system. I want to let users
authenticate over our ldap server. This seems to be working.
ldap-username and ldap-passwords are accepted for the users configured
in the ldap server. No problem.
Now i want to restrict the access to users who have my centos-machine in
their ldap host attribute.
My problem is, that this host attribute seems to be