Sssd – Ldap Host Attribute Ignored
Dear all,
I have a problem with sssd in conjunction with ldap on a CentOS 7 x86_64
box. ldap works fine. I can log in there as a usual user registered in ldap.
I now want to restrict access with ldap's host attribute. This is being ignored. Still every ldap user can log in, no matter what the host attribute says. I googled around and only found that sssd.conf needs two lines:
access_provider = ldap
ldap_access_order = host
So I do not understand why it is not working. I append to this e-mail:
/etc/sssd/sssd.conf
/etc/ldap.conf
/etc/pamd.d/ssh
Can somebody give me hints what could be wrong?
With kind regards and thanks a lot in advance, Ulrich
/etc/sssd/sssd.conf:
——————
2 thoughts on - Sssd – Ldap Host Attribute Ignored
Because ldap_access_order doesn’t include “filter”, ldap_access_filter will not be used. You can remove that.
Aside from that, it would be helpful to see the entry for one of the users who can log in and should not be able to.
Make sure you flush the cache before testing.
I don’t think that file is relevant.
Thanks a lot for the answer. I commented out ldap_access_filter. I suppose with flush you mean 'sss_cache -E'. I did it. But it did not help.
The ldap entry of a user who can log in and should not be able to is below. Note: the host 'another-node' is a different computer than the CentOS 7 box to which USER1 can log in but should not be able to. Even without the host attribute he can log in.
Thank you, ulrich
# extended LDIF with scope subtree
#
# LDAPv3
# base
# filter: uid=USER1
# requesting: ALL
#
# USER1, XXXX, YYYY
dn: uid=USER1,ou=XXXX,o=YYYY
accountStatus: active
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: ibm-auxAccount
objectClass: qmailUser
objectClass: sambaSamAccount
uid: USER1
uidNumber: ****
shadowFlag: 0
shadowInactive: -1
gidNumber: ***
shadowMin: -1
shadowMax: 999999
homeDirectory: /home/USER1
sn: USER1
mail: USER1@my.doma.in
mailHost: lmtp:unix:/var/lib/imap/socket/lmtp
shadowWarning: 7
sambaSID: *****************************************
shadowExpire: -1
mailAlternateAddress: USER1a
cn: surname lastname
gecos: surname lastname
loginShell: /bin/bash
host: another-node
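To check what the host rule should decide for an entry like the one above before blaming sssd, here is a small offline model of sssd's host access check (an added example, not code from this thread or from the sssd project). The rules it encodes are my reading of sssd-ldap(5) for access_provider = ldap with ldap_access_order = host, so treat them as an assumption: a missing host attribute denies, "*" or an exact match allows, and "!name" explicitly denies and wins; the attribute name (host) and whether sssd compares against the short or fully qualified hostname are also assumptions to verify on your box.

```python
import socket


def parse_ldif_entry(text):
    """Parse one simple LDIF entry into {attribute: [values]}.

    Comment lines are skipped. Line folding and base64 (::) values are not
    handled, which is enough for an ldapsearch dump like the one in the thread.
    """
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def host_access_allowed(entry, hostname, attr="host"):
    """Model of sssd's host rule (assumed semantics, see lead-in).

    - no host attribute at all            -> denied
    - "!name" matching this host          -> denied, overrides any allow
    - "*" or case-insensitive exact match -> allowed
    """
    values = entry.get(attr, [])
    if not values:
        return False
    allowed = False
    for v in values:
        if v.startswith("!") and v[1:].lower() == hostname.lower():
            return False  # an explicit denial trumps everything
        if v == "*" or v.lower() == hostname.lower():
            allowed = True  # keep scanning in case a denial follows
    return allowed


# Constructed sample shaped like the posted entry (masked values omitted).
SAMPLE_LDIF = """\
dn: uid=USER1,ou=XXXX,o=YYYY
objectClass: posixAccount
uid: USER1
host: another-node
"""

if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    me = socket.gethostname()  # compare against what sssd sees on this host
    verdict = "allowed" if host_access_allowed(entry, me) else "denied"
    print(f"{entry['uid'][0]} on {me}: {verdict}")
```

If this model says "denied" for the local hostname but the user still logs in, the host rule is not being consulted at all, which points at the access_provider setting not being in the active domain section or pam_sss not being in the PAM account stack, rather than at the attribute value.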