that's intersting. "performing access check" is really missing. also the "sdap_access" lines are not there. Therefore i do have: (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_access_filter has no value (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_access_order has value host (Tue May 12 13:16:20 2015) [sssd[be[default]]] [be_process_init] (0x2000): ACCESS backend target successfully loaded from provider [ldap]. "Requesting attrs: [objectClass]" and "Requesting attrs: [host]" are in the logfile. So there is no access check apart from username and password check - otherwise i would not have been able to login. The question is why doesn't it perform these checks. Just to repete: My sssd.conf contains access_provider = ldap ldap_access_order = host ldap_user_authorized_host = host I read something about "pam_check_host_attr" in /etc/ldap.conf But this does not help in my /etc/openldap/ldap.conf (already tested). Any idea is still welcome. With kind regards, ulrich On 05/12/2015 07:45 PM, Gordon Messmer wrote: > On 05/12/2015 06:25 AM, Ulrich Hiller wrote: >> >> i have set logging in sssd to 9: > > 7 might be good enough for what you want to find. I added this to > domain/default section: > > access_provider = ldap > ldap_access_order = host > ldap_user_authorized_host = host > debug_level = 7 > > /var/log/sssd/sssd_default.log logged the following for one user which > had no "host" attribute, and was denied login: > > ----- > (Tue May 12 10:35:35 2015) [sssd[be[default]]] > [sdap_get_initgr_next_base] (0x0400): Searching for users with base > [dc=private,dc=example,dc=net] > (Tue May 12 10:35:35 2015) [sssd[be[default]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(uid=gordon)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=private,dc=example,dc=net]. > > (Tue May 12 10:35:35 2015) [sssd[be[default]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > ... > (Tue May 12 10:35:35 2015) [sssd[be[default]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] > ----- > > So, the user lookup definitely requested the host attribute. > > The authentication process logs to the same file: > > ----- > (Tue May 12 10:35:36 2015) [sssd[be[default]]] [be_pam_handler] > (0x0100): Got request with the following data > (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] > (0x0100): command: PAM_ACCT_MGMT > (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] > (0x0100): domain: default > (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] > (0x0100): user: gordon > (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] > (0x0100): service: sshd > (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] > (0x0100): tty: ssh > (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] > (0x0100): ruser: > (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] > (0x0100): rhost: 10.1.10.41 > (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] > (0x0100): authtok type: 0 > (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] > (0x0100): newauthtok type: 0 > (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] > (0x0100): priv: 1 > (Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] > (0x0100): cli_pid: 7871 > (Tue May 12 10:35:36 2015) [sssd[be[default]]] [sdap_access_send] > (0x0400): Performing access check for user [gordon] > (Tue May 12 10:35:36 2015) [sssd[be[default]]] [sdap_access_host] > (0x0020): Missing hosts. Access denied > ----- > > Your log excerpt did not include "performing access check". I don't > know if that's because it isn't in your log or because your excerpt was > too short. > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > http://lists.centos.org/mailman/listinfo/centos > > _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos