centos 6.5/sssd and ldap_access_filter

dkoleary
Posts: 51
Joined: 2013/01/07 19:18:14

centos 6.5/sssd and ldap_access_filter

Post by dkoleary » 2014/05/10 22:22:57

Hey;

I'm having some difficulty getting the ldap_access_filter working in sssd under centos6.5. I have a kvm client that is able to resolve all required info from the ldap server:

# h
client4.olearycomputers.com
# getent passwd d
d:*:856:639:test user: d:/home/d:/bin/bash
# getent group infra
infra:*:635:d,dd,ddd,dddd
# getent group 635
infra:*:635:d,dd,ddd,dddd

I'm trying to limit access to the system to members of the infra group:

# ldap -search cn=infra
------------------------------------------------------------------------
dn:cn=infra,ou=groups,dc=oci,dc=com

         cn: infra
objectClass: top
             posixGroup
  gidNumber: 635
description: System Admins
  memberUid: d
             dd
             ddd
             dddd

However, every access attempt, regardless of group membership, results in an access denied message.

# grep 2969[89] /var/log/secure
May 10 17:26:56 client4 sshd[29698]: Set /proc/self/oom_score_adj to 0
May 10 17:26:56 client4 sshd[29698]: Connection from 192.168.122.20 port 60180
May 10 17:26:56 client4 sshd[29698]: Failed publickey for d from 192.168.122.20 port 60180 ssh2
May 10 17:26:58 client4 sshd[29698]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldapsvr  user=d
May 10 17:26:59 client4 sshd[29698]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldapsvr user=d
May 10 17:26:59 client4 sshd[29698]: pam_sss(sshd:account): Access denied for user d: 6 (Permission denied)
May 10 17:26:59 client4 sshd[29698]: Failed password for d from 192.168.122.20 port 60180 ssh2
May 10 17:26:59 client4 sshd[29699]: fatal: Access denied for user d by PAM account configuration

Based on info from several sites, I tried commenting out the pam_sss line in /etc/pam.d/password-auth which definitely allows user 'd' in; however, it also allows everyone else in too... kind of defeats the whole purpose.

My latest sssd.conf file is below. Could someone point me in the direction of what I've messed up? Any hints/tips/suggestions greatly appreciated.

Doug O'Leary

[sssd]
services = nss, pam
config_file_version = 2
domains = default
enumerate = true

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
#-------------------------------------------
cache_credentials = True
#-------------------------------------------
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
#-------------------------------------------
ldap_search_base = dc=oci,dc=com
ldap_user_search_base = ou=users,dc=oci,dc=com
ldap_group_search_base = ou=groups,dc=oci,dc=com
ldap_uri = ldaps://ldapsvr.olearycomputers.com
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = allow
#-------------------------------------------
ldap_access_order = filter
ldap_access_filter = memberOf=cn=infra,ou=groups,dc=oci,dc=com
# ldap_access_filter = memberOf=cn=infra
# ldap_access_filter = (|(memberOf=cn=dba,ou=groups,dc=oci,dc=com)(memberOf=cn=infra,ou=groups,dc=oci,dc=com))

[[empty sections snipped]]

dkoleary
Posts: 51
Joined: 2013/01/07 19:18:14

Re: centos 6.5/sssd and ldap_access_filter

Post by dkoleary » 2014/05/11 21:17:12

Hey;

I found out what the problem is; not sure how to solve it yet, though. The core issue is that I didn't have the memberof overlay defined in my directory. Without that, there is no memberof functionality. Now, I have to figure out the posixGroup/groupOfNames structural conflict... that'll be a different post, though.

Doug O'Leary
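The mechanism behind the finding above, as an added example that is not part of the thread: with ldap_access_order = filter, sssd grants access only if the user's own LDAP entry matches ldap_access_filter, so a memberOf clause can never match unless the directory actually populates memberOf on user entries (the overlay). The evaluator below is a toy subset of RFC 4515 and the entries are constructed to mirror the thread; the function names are made up for this example.

```python
# Added example (not from the thread): toy RFC 4515 filter evaluator showing
# why sssd's ldap_access_filter must match attributes on the *user* entry.

def parse_filter(s):
    """Parse (&...), (|...), (!...) and (attr=value); sssd wraps a bare
    'attr=value' in parentheses itself, so we do the same here."""
    s = s.strip()
    if not s.startswith("("):
        s = "(" + s + ")"
    node, rest = _parse(s)
    if rest:
        raise ValueError("trailing data in filter: %r" % rest)
    return node

def _parse(s):
    if s[0] != "(":
        raise ValueError("expected '(' at %r" % s)
    if s[1] in "&|!":
        op, s, kids = s[1], s[2:], []
        while s and s[0] == "(":
            kid, s = _parse(s)
            kids.append(kid)
        if not s or s[0] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, kids), s[1:]
    # Simple equality; values are DNs here, which contain no ')' (assumption).
    end = s.index(")")
    attr, _, value = s[1:end].partition("=")   # split on the FIRST '='
    return ("=", attr.lower(), value), s[end + 1:]

def matches(node, entry):
    """Evaluate a parsed filter against an entry given as {attr: [values]}."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    kids = node[1]
    if op == "&":
        return all(matches(k, entry) for k in kids)
    if op == "|":
        return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)              # op == "!"

def sssd_access_allowed(access_filter, user_entry):
    """Mimic ldap_access_order = filter: allow iff the user's entry matches."""
    entry = {k.lower(): v for k, v in user_entry.items()}
    return matches(parse_filter(access_filter), entry)

# Constructed entries modelled on the thread. Without the memberOf overlay the
# user entry has no memberOf at all: membership lives only on the group entry
# (memberUid), which the access filter never looks at.
USER_D_NO_OVERLAY = {"uid": ["d"], "uidNumber": ["856"], "gidNumber": ["639"]}
USER_D_WITH_OVERLAY = dict(USER_D_NO_OVERLAY, memberOf=["cn=infra,ou=groups,dc=oci,dc=com"])
USER_E_WITH_OVERLAY = {"uid": ["e"], "memberOf": ["cn=dba,ou=groups,dc=oci,dc=com"]}
INFRA_FILTER = "memberOf=cn=infra,ou=groups,dc=oci,dc=com"
EITHER_FILTER = "(|(memberOf=cn=dba,ou=groups,dc=oci,dc=com)(memberOf=cn=infra,ou=groups,dc=oci,dc=com))"
```

Running the first filter against USER_D_NO_OVERLAY reproduces the thread's "Access denied for user d" outcome, while the same user with an overlay-populated memberOf is allowed.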

lray
Posts: 1
Joined: 2016/01/12 13:39:03

Re: centos 6.5/sssd and ldap_access_filter

Post by lray » 2016/01/12 13:43:19

Were you ever able to figure out how to get this working? I have the exact same problem.
