Re: ldap host attribute is ignored




On 05/05/2015 03:02 AM, Ulrich Hiller wrote:
> /etc/openldap/ldap.conf contains the line:
> ------------------------------------------
>   pam_check_host_attr     yes

/etc/openldap/ldap.conf is the configuration file for openldap clients. It is not used for system authentication or name service.

> 'pam_check_host_attr yes' is in /etc/openldap/ldap.conf. /etc/ldap.conf
> is a softlink to that file.

Those two files have completely different syntax and are used by different software. Don't symlink them.

> /etc/sssd/sssd.conf:
> --------------------

If you're using sssd, then you're not using (or shouldn't be using) the PADL nss module. In that case, /etc/ldap.conf shouldn't even be present.

> [domain/default]
> access_provider = ldap
> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
> ldap_access_order = host

ldap_access_filter should be an LDAP filter, not an OU. However, it's only used when ldap_access_order=filter. When using ldap_access_order=host, it should not be present.

> in /etc/nscd.conf:

nscd is also not used when using sssd.

> /etc/nsswitch.conf:
> ...................
> passwd:     files sss ldap
> shadow:     files sss ldap
> group:      files sss ldap

This is wrong. Don't use sss and ldap together. It's redundant. At best it will cause performance problems.

Get rid of the ldap module and see if the system starts working correctly with just sssd. It's possible that right now sssd is correctly filtering users, but the PADL ldap module is providing them.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
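As an added example (not part of this thread, not sssd's own code), a small audit script that flags the two misconfigurations called out above: an ldap_access_filter that the configured ldap_access_order will never evaluate, and nsswitch databases that list both sss and the PADL ldap module. The sample inputs are the fragments quoted in the thread plus constructed corrected versions; the default ldap_access_order of "filter" is assumed from the sssd-ldap man page.

```python
import configparser

# Constructed samples: the fragments quoted in the thread, and corrected
# versions (assumed, not from the original post).
BROKEN_SSSD = """[domain/default]
access_provider = ldap
ldap_access_filter = memberOf=ou=YYYY,o=XXXX
ldap_access_order = host
"""
FIXED_SSSD = """[domain/default]
access_provider = ldap
ldap_access_order = host
"""
BROKEN_NSSWITCH = """passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
"""
FIXED_NSSWITCH = """passwd:     files sss
shadow:     files sss
group:      files sss
"""


def check_sssd(text):
    """Return findings for each [domain/*] section of an sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        # sssd-ldap(5) documents "filter" as the default access order (assumed).
        order = [o.strip() for o in
                 cp.get(section, "ldap_access_order", fallback="filter").split(",")]
        filt = cp.get(section, "ldap_access_filter", fallback=None)
        if filt is not None and "filter" not in order:
            findings.append(f"{section}: ldap_access_filter is set but "
                            f"ldap_access_order={','.join(order)} never evaluates it")
    return findings


def check_nsswitch(text):
    """Flag nsswitch databases that consult both sss and the ldap module."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if {"sss", "ldap"} <= set(sources.split()):
            findings.append(f"{db.strip()}: both sss and ldap listed; drop ldap")
    return findings
```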



