Jakub,
I tried modifying sssd.conf to use simple_allow_groups = idsldap
Still it is not working. One thing I would like to ask: is my configuration correct in the system-auth and nsswitch.conf files?
Am I missing something?
Also, one more thing I have noticed in the /var/log/secure log file:

Nov 11 13:34:58 bagira sshd[30879]: Address 9.118.25.17 maps to nitesh.in.ibm.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 11 13:35:00 bagira sshd[30879]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=9.118.25.17  user=nitback1
Nov 11 13:35:02 bagira sshd[30879]: Failed password for nitback1 from 9.118.25.17 port 4300 ssh2

In the above log I do not see an entry for pam_sss; I'm not sure why this is...

Thanks

On Fri, Nov 11, 2011 at 2:33 PM, Jakub Hrozek <jhrozek@redhat.com> wrote:
On Fri, Nov 11, 2011 at 02:06:45PM +0530, Nitesh Mehare wrote:
>    Jakub,
>
>    The group entry looks like this
>
>    cn=idsldap,ou=People,o=sample
>    cn=idsldap
>    objectclass=posixgroup
>    objectclass=top
>    gidnumber=201
>    memberuid=nitpta2
>    memberuid=nitinst
>    memberuid=nitinst1
>    memberuid=nitback1
>
>    The group entry is under ou=people, and any user is made a member of a group
>    by adding the memberuid attribute, so I have kept ldap_schema as rfc2307
>
>    Thanks
>

Then the schema is correct, but I don't think the access filter you are
using can work because with the rfc2307 schema the user lacks the memberof
attribute your filter uses to determine access.

Instead of using the "ldap" access control provider, I would suggest
using the "simple" provider. To allow only members of the "idsldap"
group:

access_provider = simple
simple_allow_groups = idsldap

See man "sssd-simple" for more information.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
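Jakub's point above, as an added example that is not from the thread or the sssd project: a small Python model of the two access checks, using the rfc2307 group entry posted earlier and constructed user entries (the user DNs and the extra user "outsider" are assumptions).

```python
# Added example (not sssd code): models why an "ldap" access filter on
# memberOf cannot match an rfc2307 user entry, while the "simple" provider's
# simple_allow_groups check resolves membership through the group's memberUid
# values. All entries below are constructed for the demonstration.

# rfc2307 group entry, as posted in the thread.
GROUP_IDSLDAP = {
    "dn": "cn=idsldap,ou=People,o=sample",
    "cn": ["idsldap"],
    "objectclass": ["posixgroup", "top"],
    "gidnumber": ["201"],
    "memberuid": ["nitpta2", "nitinst", "nitinst1", "nitback1"],
}
GROUPS = {"idsldap": GROUP_IDSLDAP}

# Constructed rfc2307 user entries: a plain posixAccount carries no memberOf
# attribute, so there is nothing for a memberOf filter to match.
USERS = {
    "nitback1": {"dn": "uid=nitback1,ou=People,o=sample", "uid": ["nitback1"]},
    "outsider": {"dn": "uid=outsider,ou=People,o=sample", "uid": ["outsider"]},
}


def ldap_access_filter_allows(user_entry, filter_attr, filter_value):
    """Emulate an ldap_access_filter of the form (attr=value): with
    access_provider = ldap the filter is evaluated against the user's own
    entry, so it only succeeds if that entry carries the attribute."""
    return filter_value in user_entry.get(filter_attr.lower(), [])


def simple_allow_groups_allows(username, allow_groups, groups):
    """Emulate access_provider = simple with simple_allow_groups: allow the
    user if any listed group names them in memberUid (the rfc2307 way)."""
    for name in allow_groups:
        group = groups.get(name)
        if group and username in group.get("memberuid", []):
            return True
    return False


def decide(username):
    """Return (ldap_filter_result, simple_provider_result) for one user."""
    user = USERS[username]
    via_filter = ldap_access_filter_allows(
        user, "memberOf", "cn=idsldap,ou=People,o=sample")
    via_simple = simple_allow_groups_allows(username, ["idsldap"], GROUPS)
    return via_filter, via_simple


if __name__ == "__main__":
    for name in USERS:
        print(name, decide(name))  # nitback1 -> (False, True)
```

On the real host, check that `getent group idsldap` lists nitback1; the simple provider can only allow a user whose group membership sssd can actually resolve.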