On 05/08/2015 08:14 AM, Ulrich Hiller wrote:
Hm. I don't *see* the problem, so let me go about this in the opposite
direction. I added the host controls to one of my systems, and they
appear to work properly.
My configuration files were *mostly* written by "authconfig". It looks
like you've done some manual tweaking with YaST examples. Some of the
PAM stuff looks like it was tacked-on at the end of a sequence without
understanding how PAM flow control works.
(Minor aside: you may have used authconfig --enablemd5, which weakens
security somewhat. I believe the default is equivalent to authconfig
--passalgo=sha256)
Your sshd PAM file referenced password-auth (/etc/pam.d/password-auth)
which should be a separate file from system-auth, but should have
identical content.
I recommend starting with a completely clean system, setting up
authentication with authconfig, and then modifying sssd.conf one setting
at a time as you work toward your desired configuration.
/etc/sssd/sssd.conf:
------
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = PRIVATE.EXAMPLE.NET
ldap_search_base = dc=private,dc=example,dc=net
krb5_server = directory.private.example.net:88
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://directory.private.example.net/
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_store_password_if_offline = True
krb5_kpasswd = directory.private.example.net:749
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default
[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
------
/etc/pam.d/system-auth-ac
------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
------
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
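As an added illustration of the PAM flow-control point made above (this is example code, not anything posted in the thread): a small Python simulator of Linux-PAM stack evaluation per pam.conf(5), covering required, requisite, sufficient, optional and the bracketed [success=... default=...] form (jump actions such as success=1 are not modelled), run over the auth lines of the system-auth-ac shown. The per-module return codes for each scenario are assumed inputs; the test cases show why an LDAP user can never authenticate once pam_sss.so is appended after pam_deny.so.

```python
import re
# Shorthand control flags as their bracketed equivalents, per pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}
# The auth lines of the system-auth-ac shown in the mail (constructed copy).
AUTH_STACK = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
"""

def parse_stack(text, facility="auth"):
    """Return [(actions, module)] for one facility (auth, account, ...) of a pam.d file."""
    stack = []
    for line in text.splitlines():
        m = re.match(r"\s*-?(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)", line)
        if m and m.group(1) == facility:
            control = m.group(2)
            actions = (dict(kv.split("=", 1) for kv in control[1:-1].split())
                       if control.startswith("[") else KEYWORDS[control])
            stack.append((actions, m.group(3)))
    return stack

def run_stack(stack, returns):
    """Walk a stack with Linux-PAM's impression/status bookkeeping; `returns`
    maps module -> return code for this scenario (unlisted modules succeed)."""
    impression, status, i = None, None, 0
    while i < len(stack):
        actions, module = stack[i]
        i += 1
        ret = returns.get(module, "success")
        act = actions.get(ret, actions.get("default", "bad"))
        if act in ("ok", "done"):
            if impression is None or (impression, status) == ("ok", "success"):
                impression, status = "ok", ret
            if act == "done" and impression == "ok":
                break                                      # sufficient: decided now
        elif act in ("bad", "die"):
            if impression != "bad":
                impression, status = "bad", ret            # first failure sticks
            if act == "die":
                break                                      # requisite: abort stack
    return status or "perm_denied"                         # no decision => fail
```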