Sssd – Ldap Host Attribute Ignored


Dear all,

I have a problem with sssd in conjunction with ldap on a CentOS 7 x86_64
box. ldap works fine. I can log in there as a usual user registered in ldap.

I now want to restrict the access with ldap's host attribute. This is being ignored. Still every ldap user can log in, no matter what the host attribute says. I googled around and only found that sssd.conf needs two lines:
access_provider = ldap
ldap_access_order = host

So I do not understand why it is not working. I append to this e-mail:
/etc/sssd/sssd.conf
/etc/ldap.conf
/etc/pamd.d/ssh

Can somebody give me hints what could be wrong?

With kind regards and thanks a lot in advance, Ulrich

/etc/sssd/sssd.conf:
——————

2 thoughts on - Sssd – Ldap Host Attribute Ignored

  • Because ldap_access_order doesn’t include “filter”, ldap_access_filter will not be used. You can remove that.

    Aside from that, it would be helpful to see the entry for one of the users who can log in and should not be able to.

    Make sure you flush the cache before testing.

    I don’t think that file is relevant.

  • Thanks a lot for the answer. I commented out ldap_access_filter. I suppose with flush you mean 'sss_cache -E'. I did it. But it did not help.

    The ldap entry of a user who can log in and should not be able to is below. Note: The host 'another-node' is a different computer than the CentOS 7 box to which USER1 can log in but should not be able to. Even without the host attribute he can log in.

    Thank you, ulrich

    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: uid=USER1
    # requesting: ALL
    #

    # USER1, XXXX, YYYY
    dn: uid=USER1,ou=XXXX,o=YYYY
    accountStatus: active
    objectClass: posixAccount
    objectClass: top
    objectClass: inetOrgPerson
    objectClass: shadowAccount
    objectClass: ibm-auxAccount
    objectClass: qmailUser
    objectClass: sambaSamAccount
    uid: USER1
    uidNumber: ****
    shadowFlag: 0
    shadowInactive: -1
    gidNumber: ***
    shadowMin: -1
    shadowMax: 999999
    homeDirectory: /home/USER1
    sn: USER1
    mail: USER1@my.doma.in
    mailHost: lmtp:unix:/var/lib/imap/socket/lmtp
    shadowWarning: 7
    sambaSID: *****************************************
    shadowExpire: -1
    mailAlternateAddress: USER1a
    cn: surname lastname
    gecos: surname lastname
    loginShell: /bin/bash
    host: another-node
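As an added example that is not part of the thread (none of it is Ulrich's or the repliers' code), the POSIX shell script below replays the decision sssd makes for ldap_access_order = host the way sssd-ldap(5) describes ldap_user_authorized_host (explicit deny "!host" first, then explicit allow, then the "*" wildcard, and a missing attribute means deny), runs it against a constructed copy of the posted entry, and adds two checks for the points raised in the replies: whether the domain section actually enables the host check (and whether an ldap_access_filter would be ignored because "filter" is not in ldap_access_order), and whether the PAM account stack reaches pam_sss.so at all, since an old pam_ldap.so stack never consults sssd. The hostnames centos7box and another-node, the LDAP URI, and all LDIF, sssd.conf and PAM text are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: replays sssd's "host" access
# decision offline and checks the configuration points raised above.
# All LDIF, sssd.conf and PAM text is constructed; hostnames (centos7box,
# another-node) and the LDAP URI are placeholders.

# Entry modelled on the one USER1 posted, trimmed to the relevant attributes.
USER_LDIF='dn: uid=USER1,ou=XXXX,o=YYYY
objectClass: posixAccount
uid: USER1
host: another-node'

# Explicit deny plus wildcard allow, to show the evaluation order.
DENY_LDIF='dn: uid=USER2,ou=XXXX,o=YYYY
uid: USER2
host: !centos7box
host: *'

# No host attribute at all.
NOHOST_LDIF='dn: uid=USER3,ou=XXXX,o=YYYY
uid: USER3'

# Print every value of attribute $1 from the LDIF entry on stdin.
ldif_values() {
    sed -n "s/^$1: //p"
}

# Decide access as sssd-ldap(5) describes ldap_user_authorized_host: an
# explicit deny "!<host>" is resolved first, then an explicit allow "<host>",
# then the wildcard "*"; an entry without any host value is denied.
# $1 is the hostname of the box being logged into (sssd uses gethostname()),
# the LDIF entry comes on stdin. Prints allow/deny and returns 0 for allow.
host_access() {
    me="$1"
    hosts=$(ldif_values host)
    [ -z "$hosts" ]                      && { echo deny;  return 1; }
    echo "$hosts" | grep -qxF -- "!$me"  && { echo deny;  return 1; }
    echo "$hosts" | grep -qxF -- "$me"   && { echo allow; return 0; }
    echo "$hosts" | grep -qxF -- '*'     && { echo allow; return 0; }
    echo deny
    return 1
}

# Domain section the thread converges on: "filter" is not in
# ldap_access_order, so no ldap_access_filter is set.
SSSD_CONF='[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.invalid
ldap_search_base = o=YYYY
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host'

# Looks similar, but never enforces the host attribute.
SSSD_CONF_BAD='[domain/default]
id_provider = ldap
auth_provider = ldap
access_provider = permit
ldap_access_order = host
ldap_access_filter = (host=*)'

# Normalise "key = value" to "key=value" for the checks below.
squash() {
    sed 's/[[:space:]]//g'
}

# Return 0 when access_provider=ldap and "host" is in ldap_access_order.
sssd_host_check_enabled() {
    conf=$(squash)
    echo "$conf" | grep -q '^access_provider=ldap$' || return 1
    echo "$conf" | sed -n 's/^ldap_access_order=//p' | tr ',' '\n' | grep -qx host
}

# First reply's point: ldap_access_filter is only consulted when "filter" is
# in ldap_access_order. Return 0 when a filter is set but would be ignored.
access_filter_ignored() {
    conf=$(squash)
    echo "$conf" | grep -q '^ldap_access_filter=' || return 1
    echo "$conf" | sed -n 's/^ldap_access_order=//p' | tr ',' '\n' | grep -qx filter && return 1
    return 0
}

# sssd can only enforce anything if pam_sss.so is in the "account" stack of
# the PAM service (on CentOS 7, /etc/pam.d/sshd includes password-auth).
PAM_OK='account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so'

# A pam_ldap.so stack bypasses sssd entirely.
PAM_LDAP='account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so'

# Return 0 when an uncommented account line loads pam_sss.so.
pam_account_uses_sss() {
    grep -Eq '^account[[:space:]][^#]*pam_sss\.so'
}

# Demo run: the posted user is denied on this box but allowed on another-node.
for h in centos7box another-node; do
    printf 'USER1 on %s: %s\n' "$h" "$(echo "$USER_LDIF" | host_access "$h")"
done
echo "$SSSD_CONF" | sssd_host_check_enabled && echo "host check enabled"
echo "$SSSD_CONF_BAD" | access_filter_ignored && echo "ldap_access_filter would be ignored"
```

Two practical caveats follow from the decision logic: sssd compares the attribute values against gethostname(), so the value in LDAP must match the output of `hostname` on the box exactly (short name versus FQDN matters), and once the check is on, a user with no host attribute is denied, so every user who should keep access needs a matching value or "*". After editing sssd.conf, restart sssd and flush with `sss_cache -E` before testing, and confirm with `grep pam_sss /etc/pam.d/password-auth` (or the service file sshd actually includes) that the account stack reaches sssd at all.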