I'm having some difficulty getting the ldap_access_filter working in sssd under centos6.5. I have a kvm client that is able to resolve all required info from the ldap server:
```
# h
client4.olearycomputers.com
# getent passwd d
d:*:856:639:test user: d:/home/d:/bin/bash
# getent group infra
infra:*:635:d,dd,ddd,dddd
# getent group 635
infra:*:635:d,dd,ddd,dddd
```
```
# ldap -search cn=infra
------------------------------------------------------------------------
dn:cn=infra,ou=groups,dc=oci,dc=com
cn: infra
objectClass: top
             posixGroup
gidNumber: 635
description: System Admins
memberUid: d
           dd
           ddd
           dddd
```
```
# grep 2969[89] /var/log/secure
May 10 17:26:56 client4 sshd[29698]: Set /proc/self/oom_score_adj to 0
May 10 17:26:56 client4 sshd[29698]: Connection from 192.168.122.20 port 60180
May 10 17:26:56 client4 sshd[29698]: Failed publickey for d from 192.168.122.20 port 60180 ssh2
May 10 17:26:58 client4 sshd[29698]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldapsvr user=d
May 10 17:26:59 client4 sshd[29698]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldapsvr user=d
May 10 17:26:59 client4 sshd[29698]: pam_sss(sshd:account): Access denied for user d: 6 (Permission denied)
May 10 17:26:59 client4 sshd[29698]: Failed password for d from 192.168.122.20 port 60180 ssh2
May 10 17:26:59 client4 sshd[29699]: fatal: Access denied for user d by PAM account configuration
```
My latest sssd.conf file is below. Could someone point me in the direction of what I've messed up? Any hints/tips/suggestions greatly appreciated.
Doug O'Leary
```
[sssd]
services = nss, pam
config_file_version = 2
domains = default
enumerate = true

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
#-------------------------------------------
cache_credentials = True
#-------------------------------------------
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
#-------------------------------------------
ldap_search_base = dc=oci,dc=com
ldap_user_search_base = ou=users,dc=oci,dc=com
ldap_group_search_base = ou=groups,dc=oci,dc=com
ldap_uri = ldaps://ldapsvr.olearycomputers.com
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = allow
#-------------------------------------------
ldap_access_order = filter
ldap_access_filter = memberOf=cn=infra,ou=groups,dc=oci,dc=com
# ldap_access_filter = memberOf=cn=infra
# ldap_access_filter = (|(memberOf=cn=dba,ou=groups,dc=oci,dc=com)(memberOf=cn=infra,ou=groups,dc=oci,dc=com))
```
[[empty sections snipped]]
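Added example, not from the post or from sssd: with access_provider = ldap and ldap_access_order = filter, sssd evaluates ldap_access_filter against the user's own LDAP object (base scope on the user DN), so the filter only matches attributes stored on the user entry. This small RFC 4515 evaluator (equality, AND, OR only) runs the post's filter against constructed entries shaped like the ones above: a posixAccount for d with no memberOf attribute, and the posixGroup infra carrying membership as memberUid. The user DN and uidNumber are assumptions.

```python
# Constructed entries modelled on the post's getent/ldapsearch output (user DN and
# uidNumber are assumed). Membership lives on the group as memberUid, and the
# user object carries no memberOf attribute unless a memberOf overlay populates it.
USER_D = {"dn": ["uid=d,ou=users,dc=oci,dc=com"], "uid": ["d"], "uidNumber": ["856"],
          "gidNumber": ["639"], "objectClass": ["top", "posixAccount"]}
GROUP_INFRA = {"dn": ["cn=infra,ou=groups,dc=oci,dc=com"], "cn": ["infra"],
               "objectClass": ["top", "posixGroup"], "gidNumber": ["635"],
               "memberUid": ["d", "dd", "ddd", "dddd"]}
POST_FILTER = "memberOf=cn=infra,ou=groups,dc=oci,dc=com"

def _parse(s, i):
    """Parse one parenthesised filter item starting at s[i]; return (node, next index)."""
    if s[i] != "(":
        raise ValueError("filter item must start with '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":                       # AND / OR with nested items
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        return (op, children), i + 1       # skip the closing ')'
    end = s.index(")", i)                  # simple equality item
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip(), value.strip()), end + 1

def _eval(entry, node):
    if node[0] == "&":
        return all(_eval(entry, c) for c in node[1])
    if node[0] == "|":
        return any(_eval(entry, c) for c in node[1])
    _, attr, value = node                  # attribute names are case-insensitive
    vals = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in vals)

def access_check(user_entry, filt):
    """Mimic sssd's ldap access filter: the filter is applied to the user's own object."""
    if not filt.startswith("("):           # sssd accepts a bare attr=value and wraps it
        filt = "(" + filt + ")"
    return _eval(user_entry, _parse(filt, 0)[0])

def in_posix_group(user_entry, group_entry):
    """What getent shows: posixGroup membership is on the group entry, via memberUid."""
    return user_entry["uid"][0] in group_entry.get("memberUid", [])

if __name__ == "__main__":
    print("posixGroup membership via memberUid:", in_posix_group(USER_D, GROUP_INFRA))
    print("post's filter on the user entry    :", access_check(USER_D, POST_FILTER))
    with_overlay = dict(USER_D, memberOf=["cn=infra,ou=groups,dc=oci,dc=com"])
    print("same filter with memberOf populated:", access_check(with_overlay, POST_FILTER))
```

The first call returns True and the second False, which is the combination the log above shows: lookups succeed, authentication succeeds, and only the account phase denies. The third returns True, since the filter can only see what is on the user object.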