ldap_access_filter = memberOf=cn=techops,ou=groups,l=uk,dc=xxxx,dc=lan
That is how we have it set up. Basically, we let 389DS handle generating memberOf attributes for all user accounts via the plugin, and when SSSD checks the user account it uses that filter to see if there is a value of memberOf that is equal to the group we want to allow access to (in your case cn=techops,ou=groups,l=uk,dc=xxxx,dc=lan).
I believe SSSD is only checking attributes / values on the LDAP entry for the user trying to log in, so I don't think you can have it check for membership entries in the group itself.
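To make the point above concrete, here is a small Python model of how access_provider = ldap applies ldap_access_filter. It is an added example, not code from SSSD, 389DS or anyone in this thread. It treats the access check the way SSSD does: a search for the user's own entry with the filter ANDed in, roughly (&(uid=<user>)(<ldap_access_filter>)), with access granted only if that search returns the entry. The directory entries, user names and attribute layout below are constructed for the example (memberOf on the user as the 389DS memberOf plugin would maintain it, memberUid with plain uid values on an rfc2307 posixGroup); the DNs reuse the thread's redacted names.

```python
"""Model of SSSD's access_provider = ldap / ldap_access_filter evaluation.

Added example, not SSSD, 389DS or the thread's own code. The consequence it
shows: only attributes that live on the USER's entry can satisfy the filter.
memberUid lives on the rfc2307 group entry (and holds uid values, not DNs),
so a memberUid=<group DN> filter can never match the user's entry.
"""

# Constructed directory for the example; DNs follow the thread's redacted naming.
DIRECTORY = {
    "uid=mtest,ou=people,l=uk,dc=xxxx,dc=lan": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["mtest"],
        # memberOf as the 389DS memberOf plugin would maintain it on the user
        "memberOf": ["cn=techops,ou=groups,l=uk,dc=xxxx,dc=lan"],
    },
    "uid=bjensen,ou=people,l=uk,dc=xxxx,dc=lan": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["bjensen"],
        "memberOf": ["cn=sales,ou=groups,l=uk,dc=xxxx,dc=lan"],
    },
    "cn=techops,ou=groups,l=uk,dc=xxxx,dc=lan": {
        "objectClass": ["posixGroup"],
        "cn": ["techops"],
        # rfc2307: memberUid carries user names, not DNs
        "memberUid": ["mtest"],
    },
}


def parse_filter(text):
    """Parse the RFC 4515 subset needed here: (attr=value), (&...), (|...), (!...).
    A bare attr=value, as written in sssd.conf, is wrapped in parentheses,
    which is how SSSD treats ldap_access_filter."""
    text = text.strip()
    if not text.startswith("("):
        text = "(" + text + ")"
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|!":
        op = text[pos]
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unterminated compound filter")
        return (op, children), pos + 1
    end = text.find(")", pos)
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = text[pos:end].partition("=")
    if not sep:
        raise ValueError("only equality filters are supported")
    return ("=", attr, value), end + 1


def _values(entry, attr):
    """Attribute names are case-insensitive in LDAP."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return vals
    return []


def matches(node, entry):
    """Evaluate a parsed filter against one entry (caseIgnore comparison,
    close enough to DN and uid matching for this demonstration)."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        vals = _values(entry, attr)
        if value == "*":
            return bool(vals)
        return value.lower() in (v.lower() for v in vals)
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    return not matches(node[1][0], entry)  # "!"


def access_check(uid, access_filter, directory=DIRECTORY):
    """Model access_provider = ldap: search for an entry matching
    (&(uid=<uid>)(<ldap_access_filter>)); access is granted iff one exists."""
    combined = ("&", [("=", "uid", uid), parse_filter(access_filter)])
    return any(matches(combined, entry) for entry in directory.values())


def entries_with(attr, directory=DIRECTORY):
    """DNs carrying a given attribute: shows where memberUid and memberOf live."""
    return sorted(dn for dn, e in directory.items() if _values(e, attr))


BAD_FILTER = "memberUid=cn=techops,ou=groups,l=uk,dc=xxxx,dc=lan"  # original post
GOOD_FILTER = "memberOf=cn=techops,ou=groups,l=uk,dc=xxxx,dc=lan"  # the reply's filter

if __name__ == "__main__":
    for label, flt in (("memberUid filter", BAD_FILTER), ("memberOf filter", GOOD_FILTER)):
        for uid in ("mtest", "bjensen"):
            verdict = "allow" if access_check(uid, flt) else "deny"
            print("%-16s %-8s -> %s" % (label, uid, verdict))
    print("memberUid is on:", entries_with("memberUid"))
    print("memberOf  is on:", entries_with("memberOf"))
```

The same check can be run against the real directory before touching sssd.conf: an ldapsearch such as `ldapsearch -x -H ldap://auth1.xxxxxx.lan/ -b 'l=uk,dc=xxxx,dc=lan' '(&(uid=mtest)(memberOf=cn=techops,ou=groups,l=uk,dc=xxxx,dc=lan))' memberOf` (host and base taken from the posted config) should return the user's entry, otherwise SSSD will deny the login. Do the search with the same bind identity SSSD uses (anonymous in the posted config, since no ldap_default_bind_dn is set), because the filter can only match attributes that identity is allowed to read.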
On Wed, May 29, 2013 at 8:41 AM, Dan Lavu <dan@xxxxxxxx> wrote:
Try taking out access_provider; if I'm not mistaken, that is to be used with the host attribute, and PAM must have pam_sss.so.
Another thing you can do is
access_provider = simple
simple_allow_users = jsmith,bjensen
simple_allow_groups = itgroup
This will work for LDAP groups too.
Dan
On May 28, 2013, at 5:45 PM, Fosiul Alam <fosiul@xxxxxxxxx> wrote:
> Hi, below is my sssd.conf.
>
> With the setting below, users can't log in,
> but if I remove ldap_access_filter, then all users can access.
>
> What am I doing wrong?
> I just want users from the "techops" group to access this server.
>
>
> Any help would be really appreciated.
>
> [sssd]
> config_file_version = 2
> services = nss, pam
> domains = LDAP
>
> [nss]
> filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
>
> [pam]
>
> [domain/LDAP]
> id_provider = ldap
> auth_provider = ldap
> ldap_schema = rfc2307
> ldap_uri = ldap://auth2.xxxxxx.lan/,ldap://auth1.xxxxxxxlan/
> ldap_search_base = l=uk,dc=xxxx,dc=lan
> ldap_tls_reqcert = demand
> cache_credentials = true
> enumerate = true
> debug_level = 10
> ldap_tls_cacertdir = /etc/openldap/xxx/
> ldap_tls_cert = /etc/openldap/cacerts/CA-xxx.crt
> access_provider = ldap
> ldap_access_filter = memberUid=cn=techops,ou=groups,l=uk,dc=xxxx,dc=lan
> #entry_cache_timeout = 600
> #ldap_network_timeout = 3
>
>
> And this is the log I get in the secure log file:
>
> 2013-05-28T22:13:02.782543+01:00 uk-xxxxx-1 sshd[4172]: pam_sss(sshd:auth): received for user mtest: 9 (Authentication service cannot retrieve authentication info)
> 2013-05-28T22:13:04.597478+01:00 uk-xxxx-1 sshd[4172]: Failed password for mtest from xxx.xx.xx.xx port 52664 ssh2
>
>
> Thanks
>
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users