Jakub,
I tried modifying sssd.conf to use simple_allow_groups = idsldap
Still it is not working. One thing I would like to ask: is my configuration correct in the system-auth and nsswitch.conf files?
Am I missing something?
Also, one more thing I have noticed in the /var/log/secure log file:
Nov 11 13:34:58 bagira sshd[30879]: Address 9.118.25.17 maps to nitesh.in.ibm.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 11 13:35:00 bagira sshd[30879]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=9.118.25.17 user=nitback1
Nov 11 13:35:02 bagira sshd[30879]: Failed password for nitback1 from 9.118.25.17 port 4300 ssh2
In the above log I do not see an entry for pam_sss; I'm not sure why this is...
Thanks
On Fri, Nov 11, 2011 at 02:06:45PM +0530, Nitesh Mehare wrote:
> Jakub,
>
> The group entry looks like this
>
> cn=idsldap,ou=People,o=sample
> cn=idsldap
> objectclass=posixgroup
> objectclass=top
> gidnumber=201
> memberuid=nitpta2
> memberuid=nitinst
> memberuid=nitinst1
> memberuid=nitback1
>
> The group entry is under ou=people and any user is made member of a group
> by adding the memberuid attribute so i have kept ldap_schema as rfc2307
>
> Thanks
>
Then the schema is correct, but I don't think the access filter you are
using can work because with the rfc2307 schema the user lacks the memberof
attribute your filter uses to determine access.
Instead of using the "ldap" access control provider, I would suggest
using the "simple" provider. To allow only members of the "idsldap"
group:
access_provider = simple
simple_allow_groups = idsldap
See man "sssd-simple" for more information.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
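Added illustration for this thread (not SSSD code and not posted by either participant): a small model of the two access decisions being compared. The group entry is the one Nitesh posted; the user entries, the login "outsider" and the uidNumber/gidNumber values are constructed. It shows why a filter on memberOf can never match under plain rfc2307 (membership lives in memberUid on the group entry, so the user entry has nothing to match), while the simple provider's simple_allow_groups resolves the user's groups from the group side and allows nitback1.

```python
# Added illustration for this thread; not SSSD code. Models how an
# ldap_access_filter on memberOf and the simple provider's
# simple_allow_groups each decide access for a user whose group membership
# is stored rfc2307-style (memberUid on the group entry).

GROUP_DN = "cn=idsldap,ou=People,o=sample"

# Constructed directory: dn -> {attribute: [values]}. The group entry is the
# one posted in the thread; the user entries are constructed and, as is
# normal for plain rfc2307, carry no memberOf attribute.
DIRECTORY = {
    GROUP_DN: {
        "objectclass": ["posixgroup", "top"],
        "cn": ["idsldap"],
        "gidnumber": ["201"],
        "memberuid": ["nitpta2", "nitinst", "nitinst1", "nitback1"],
    },
    "uid=nitback1,ou=People,o=sample": {
        "objectclass": ["posixaccount", "top"],
        "uid": ["nitback1"],
        "uidnumber": ["1001"],
        "gidnumber": ["100"],
    },
    "uid=outsider,ou=People,o=sample": {
        "objectclass": ["posixaccount", "top"],
        "uid": ["outsider"],
        "uidnumber": ["1002"],
        "gidnumber": ["100"],
    },
}


def attr(entry, name):
    """Return an attribute's values (LDAP attribute names are case-insensitive)."""
    return entry.get(name.lower(), [])


def has_class(entry, objectclass):
    return objectclass in (v.lower() for v in attr(entry, "objectclass"))


def find_user(directory, uid):
    """Locate the posixAccount entry for a login name, or None."""
    for entry in directory.values():
        if has_class(entry, "posixaccount") and uid in attr(entry, "uid"):
            return entry
    return None


def memberof_filter_allows(directory, uid, group_dn=GROUP_DN):
    """access_provider = ldap with ldap_access_filter = (memberOf=<group_dn>):
    the filter is evaluated against the *user* entry. With rfc2307 the user
    has no memberOf values, so no member ever matches."""
    user = find_user(directory, uid)
    return user is not None and group_dn in attr(user, "memberof")


def groups_of(directory, uid):
    """rfc2307 membership: a user belongs to every posixGroup that lists the
    login in memberUid, plus the group whose gidNumber equals the user's
    primary gidNumber."""
    user = find_user(directory, uid)
    if user is None:
        return set()
    primary_gids = set(attr(user, "gidnumber"))
    names = set()
    for entry in directory.values():
        if not has_class(entry, "posixgroup"):
            continue
        if uid in attr(entry, "memberuid") or primary_gids & set(attr(entry, "gidnumber")):
            names.update(attr(entry, "cn"))
    return names


def simple_provider_allows(directory, uid, allow_groups=("idsldap",)):
    """access_provider = simple with simple_allow_groups = idsldap: allow if
    the user's resolved group list intersects the allow list."""
    return bool(groups_of(directory, uid) & set(allow_groups))


if __name__ == "__main__":
    for login in ("nitback1", "outsider"):
        print(login,
              "memberOf filter:", memberof_filter_allows(DIRECTORY, login),
              "simple provider:", simple_provider_allows(DIRECTORY, login))
```

Run as a script it prints, for nitback1, that the memberOf filter denies while the simple provider allows, and denies both for the constructed non-member. The model only covers the access decision itself; it says nothing about whether pam_sss is reached at all, which is the separate question the missing pam_sss line in /var/log/secure raises about the system-auth stack ordering.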