Hi guys (and girls if any)...
First of all - great piece of software. Merging the worlds of Linux and
Windows got pretty simple and advanced as well.
I've got sssd 1.11.6 on a CentOS 6.6 test box talking to AD on a Windows
2008R2. Password and public key auth are working almost out of the box.
Since I would like to restrict SSH access to my boxes, I discovered the
"ad_access_filter" and added a simple
ad_access_filter = memberOf=CN=permunix.adm.tvie02s010,ou=permunix,ou=groups,ou=adm,dc=my01,dc=local
"Unfortunately" I have nested groups and in the group called
"permunix.adm.tvie02s010" there is another group that holds my admins -
called "permunix.adm.admins". Since there is a group in a group I could not
get any results that would match my user that is in the group "..admins".
When I do a simple id -a username, I get both groups for my admin user.
But the login via SSH would fail with ...
[sdap_process_result] (0x2000): Trace: ldap_result found nothing!
My domain portion of sssd.conf looks like this:
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_search_base = dc=my01,dc=local
ldap_id_mapping = false
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_schema = ad
cache_credentials = false
ldap_user_ssh_public_key = extensionAttribute15
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = TVIE02S010$
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
ldap_krb5_ticket_lifetime = 28800
ldap_groups_use_matching_rule_in_chain = true
ldap_initgroups_use_matching_rule_in_chain = true
ldap_use_tokengroups = false
ldap_group_nesting_level = 5
debug_level = 9
ad_access_filter = memberOf=CN=permunix.adm.tvie02s010,ou=permunix,ou=groups,ou=adm,dc=my01,dc=local
Any ideas why the LDAP_MATCHING_RULE_IN_CHAIN doesn't resolve the group
members?
When I use a simple ldapsearch on the console with
(&(sAMAccountName=myusername)(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=permunix.adm.tvie02s010,ou=permunix,ou=groups,ou=adm,dc=my01,dc=local))
I get one result with my user object... Since you parse the
ad_access_filter I cannot enter the LDAP_MATCHING_RULE_IN_CHAIN OID in the
filter itself.
Thank you in advance!
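The difference the poster is running into, as an added example that is not part of the original post and not SSSD's own code: a plain `memberOf=<group>` filter matches only users whose own `memberOf` attribute lists that group directly, while the `memberOf:1.2.840.113556.1.4.1941:=<group>` form (LDAP_MATCHING_RULE_IN_CHAIN) has the server walk the nesting chain. The small in-memory directory below is constructed for illustration (the user entries, the sAMAccountName values and the `loop.*` groups are made up; the two group DNs are the ones from the post), and `transitive_member_of` models the chain walk with a nesting cap and a guard against circular group nesting, which AD permits.

```python
# Added example (not from the original post or from SSSD): how a plain
# "memberOf=" filter and the LDAP_MATCHING_RULE_IN_CHAIN form differ on
# nested groups. The directory below is constructed sample data.

GROUP_DN = "CN=permunix.adm.tvie02s010,ou=permunix,ou=groups,ou=adm,dc=my01,dc=local"
ADMINS_DN = "CN=permunix.adm.admins,ou=permunix,ou=groups,ou=adm,dc=my01,dc=local"
LOOP_A_DN = "CN=loop.a,ou=groups,ou=adm,dc=my01,dc=local"   # hypothetical
LOOP_B_DN = "CN=loop.b,ou=groups,ou=adm,dc=my01,dc=local"   # hypothetical
CHAIN_OID = "1.2.840.113556.1.4.1941"

# Constructed directory: dn -> attributes. As in AD, "memberOf" on an entry
# lists only its DIRECT parents; nesting is never flattened onto the user.
DIRECTORY = {
    GROUP_DN: {"objectClass": ["group"], "memberOf": []},
    ADMINS_DN: {"objectClass": ["group"], "memberOf": [GROUP_DN]},
    # Two groups nested in each other: legal in AD, so a chain walk must terminate.
    LOOP_A_DN: {"objectClass": ["group"], "memberOf": [LOOP_B_DN]},
    LOOP_B_DN: {"objectClass": ["group"], "memberOf": [LOOP_A_DN]},
    "CN=direct.user,ou=users,dc=my01,dc=local": {
        "objectClass": ["user"], "sAMAccountName": "directuser", "memberOf": [GROUP_DN]},
    "CN=admin.user,ou=users,dc=my01,dc=local": {
        "objectClass": ["user"], "sAMAccountName": "adminuser", "memberOf": [ADMINS_DN]},
    "CN=loop.user,ou=users,dc=my01,dc=local": {
        "objectClass": ["user"], "sAMAccountName": "loopuser", "memberOf": [LOOP_A_DN]},
    "CN=other.user,ou=users,dc=my01,dc=local": {
        "objectClass": ["user"], "sAMAccountName": "otheruser", "memberOf": []},
}


def direct_member_of(entry, group_dn):
    """Plain 'memberOf=<group>' semantics: only direct membership counts."""
    return group_dn.lower() in (dn.lower() for dn in entry.get("memberOf", []))


def transitive_member_of(entry, group_dn, directory, max_depth=5):
    """'memberOf:1.2.840.113556.1.4.1941:=<group>' semantics: follow memberOf
    links through intermediate groups. max_depth caps how many group levels are
    followed (level 1 = the user's direct groups); 'seen' stops circular nesting."""
    target = group_dn.lower()
    seen = set()
    frontier = list(entry.get("memberOf", []))
    depth = 0
    while frontier and depth < max_depth:
        next_frontier = []
        for dn in frontier:
            key = dn.lower()
            if key in seen:
                continue
            seen.add(key)
            if key == target:
                return True
            parent = directory.get(dn)
            if parent is not None:
                next_frontier.extend(parent.get("memberOf", []))
        frontier = next_frontier
        depth += 1
    return False


def users_allowed(group_dn, directory, transitive, max_depth=5):
    """sAMAccountNames of user objects an access filter on group_dn would admit."""
    allowed = []
    for entry in directory.values():
        if "user" not in entry.get("objectClass", []):
            continue
        if transitive:
            ok = transitive_member_of(entry, group_dn, directory, max_depth)
        else:
            ok = direct_member_of(entry, group_dn)
        if ok:
            allowed.append(entry["sAMAccountName"])
    return sorted(allowed)


def access_filter(sam_account_name, group_dn, transitive):
    """The ldapsearch-style filter string for each variant, for comparison."""
    attr = "memberOf:%s:" % CHAIN_OID if transitive else "memberOf"
    return "(&(sAMAccountName=%s)(objectClass=user)(%s=%s))" % (
        sam_account_name, attr, group_dn)


if __name__ == "__main__":
    print("direct only:", users_allowed(GROUP_DN, DIRECTORY, transitive=False))
    print("chain rule: ", users_allowed(GROUP_DN, DIRECTORY, transitive=True))
    print(access_filter("adminuser", GROUP_DN, transitive=True))
```

Running it shows `adminuser` admitted only under the chain-rule variant, and `loopuser` rejected under both without the walk hanging on the `loop.a`/`loop.b` cycle. Lowering `max_depth` to 1 makes the transitive check behave exactly like the direct one, which is the same effect a too-small nesting limit has on a real lookup.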