Try taking out access_provider; if I'm not mistaken, that is to be used with the host attribute, and PAM must have pam_sss.so.

Another thing you can do is:

access_provider = simple
simple_allow_users = jsmith,bjensen
simple_allow_groups = itgroup

which will work for LDAP groups too.

Dan

On May 28, 2013, at 5:45 PM, Fosiul Alam <fosiul@xxxxxxxxx> wrote:

> Hi,
> Below is my sssd.conf.
>
> With the settings below, users can't log in,
> but if I remove ldap_access_filter, then all users can access.
>
> What am I doing wrong?
> I just want users from the "techops" group to access this server.
>
> Any help would be really appreciated.
>
> [sssd]
> config_file_version = 2
> services = nss, pam
> domains = LDAP
>
> [nss]
> filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
>
> [pam]
>
> [domain/LDAP]
> id_provider = ldap
> auth_provider = ldap
> ldap_schema = rfc2307
> ldap_uri = ldap://auth2.xxxxxx.lan/,ldap://auth1.xxxxxxxlan/
> ldap_search_base = l=uk,dc=xxxx,dc=lan
> ldap_tls_reqcert = demand
> cache_credentials = true
> enumerate = true
> debug_level = 10
> ldap_tls_cacertdir = /etc/openldap/xxx/
> ldap_tls_cert = /etc/openldap/cacerts/CA-xxx.crt
> access_provider = ldap
> ldap_access_filter = memberUid=cn=techops,ou=groups,l=uk,dc=xxxx,dc=lan
> #entry_cache_timeout = 600
> #ldap_network_timeout = 3
>
> And the log I get from the secure file:
>
> 2013-05-28T22:13:02.782543+01:00 uk-xxxxx-1 sshd[4172]: pam_sss(sshd:auth): received for user mtest: 9 (Authentication service cannot retrieve authentication info)
> 2013-05-28T22:13:04.597478+01:00 uk-xxxx-1 sshd[4172]: Failed password for mtest from xxx.xx.xx.xx port 52664 ssh2
>
> Thanks
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
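As an added example (editor's, not from either poster), here is the access-control part of the [domain/LDAP] section written the way Dan suggests, with the filter-based form kept alongside it as a commented-out variant. The group name techops and the search base are taken from the original post; the memberOf attribute in the filter variant is an assumption, since the post does not say whether the directory's MemberOf plugin is enabled. The rest of the domain section (ldap_uri, TLS settings, cache settings) is unchanged from the post and omitted here.

```ini
; Added example, not from the thread. Shows two ways to restrict logins
; to members of the "techops" group. Everything below other than the
; group name and the search base is an assumption.

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_search_base = l=uk,dc=xxxx,dc=lan
; ... ldap_uri, ldap_tls_*, cache_credentials etc. as in the original post

; Variant 1 (what Dan suggests): the simple provider decides from the
; group membership SSSD already resolves through id_provider. With
; ldap_schema = rfc2307 that membership comes from the memberUid values
; stored on the posixGroup entry, so no server-side plugin is required.
access_provider = simple
simple_allow_groups = techops

; Variant 2 (filter-based, left commented out): ldap_access_filter is
; evaluated against the USER entry, so the attribute it names must exist
; on the user object. memberUid lives on the group entry, not the user,
; which is why "memberUid=cn=techops,..." can never match a user. A
; working filter needs a user-side attribute such as memberOf, which is
; only present if the directory's MemberOf plugin populates it (assumed).
;access_provider = ldap
;ldap_access_filter = (memberOf=cn=techops,ou=groups,l=uk,dc=xxxx,dc=lan)
```

Before switching, confirm the group really is stored the rfc2307 way by querying it directly, e.g. `ldapsearch -x -H ldap://auth2.xxxxxx.lan/ -b 'ou=groups,l=uk,dc=xxxx,dc=lan' '(cn=techops)' memberUid`; each member's uid should appear as a memberUid value. After editing sssd.conf, restart sssd so the cached group membership is re-read, then retry the login and watch /var/log/secure for the pam_sss result.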