On 08/13/2013 12:34 AM, Kim wrote:
> Hello List,
>
> I am trying to set up sssd to authenticate against an OSX LDAP server.
> However, I only want to allow users that are in the VPN group. These
> usernames are located at
> cn=vpn,cn=groups,dc=server01,dc=castleaccess,dc=com under the memberUid
> attribute. For graphical representation
> (http://linuxowns.com/images/ldap.png).
>
> Below is my sssd.conf which is a mess and it's not locating the users.
> The rest of the credentials are fine being pulled from
> dc=server01,dc=mydomain,dc=com. If I take out the ldap_user_search_base
> parameter, SSSD will be able to find the users and authenticate... but
> then it allows all of the users. Any help getting sssd to pull the
> specified users would be greatly appreciated!
>
> /etc/sssd.conf
>
> [sssd]
> config_file_version = 2
> services = nss, pam
> domains = default
> debug_level = 10
>
> [nss]
> filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
>
> [pam]
>
> [domain/default]
>
> id_provider = ldap
> auth_provider = krb5
> ldap_uri = ldap://server01.mydomain.com
> #ldap_search_base = cn=vpn,dc=server01,dc=mydomain,dc=com
> ldap_search_base = dc=server01,dc=mydomain,dc=com
> ldap_user_search_base = cn=vpn,dc=server01,dc=mydomain,dc=com
> ldap_schema = rfc2307bis
> #ldap_user_principal = memberUid
> ldap_user_object_class = memberUid
>
> min_id = 1
> max_id = 0
> enumerate = False
> ldap_id_use_start_tls = False
> #chpass_provider = krb5
> ldap_tls_cacertdir = /etc/openldap/cacerts
> krb5_realm = SERVER01.MYDOMAIN.COM
> krb5_server = server01.mydomain.com
> chpass_provider = krb5
> cache_credentials = True
> krb5_kpasswd = server01.mydomain.com
>
> /var/log/secure
> Aug 12 14:34:01 myserver pppd[8686]: pam_unix(ppp:auth): authentication
> failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=ppp0
> user=tkawai
> Aug 12 14:34:01 myserver pppd[8686]: pam_sss(ppp:auth): authentication
> failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=ppp0
> user=tkawai
> Aug 12 14:34:01 myserver pppd[8686]: pam_sss(ppp:auth): received for
> user tkawai: 10 (User not known to the underlying authentication module)
>
>
Hello Kim,
Have you tried configuring the simple access provider? See
man 5 sssd-simple
for more information. In your case it would mean adding the following to
the domain section:
access_provider = simple
simple_allow_groups = vpn
Ondra
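Putting Ondra's suggestion together with the rest of Kim's domain section, as an added example that is not part of the thread: user and group lookups go back to the ordinary search base, and the "VPN users only" restriction moves into the access provider instead of the user search base. The cn=groups base, the rfc2307 schema choice and the memberUid group-member attribute are assumptions taken from Kim's description of the directory.

```ini
[domain/default]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://server01.mydomain.com

# Users are looked up from the whole tree again; pointing
# ldap_user_search_base at the group entry is what broke the user lookups.
ldap_search_base = dc=server01,dc=mydomain,dc=com
# Assumption: groups live under cn=groups, as described in the question.
ldap_group_search_base = cn=groups,dc=server01,dc=mydomain,dc=com

# memberUid is an attribute of the group entry, not a user object class, so
# the override ldap_user_object_class = memberUid is dropped (default: posixAccount).
# Assumption: the groups list members by memberUid, so the rfc2307 schema
# (or ldap_group_member = memberUid under rfc2307bis) is the matching choice.
ldap_schema = rfc2307

# Identity and authentication are unchanged; access control alone decides
# who may log in, and only members of the vpn group are allowed.
access_provider = simple
simple_allow_groups = vpn

ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_realm = SERVER01.MYDOMAIN.COM
krb5_server = server01.mydomain.com
krb5_kpasswd = server01.mydomain.com
cache_credentials = True
enumerate = False
min_id = 1
max_id = 0
```

Before relying on the access provider, confirm that `getent group vpn` returns the expected members, since the simple provider can only allow a group that the id_provider resolves.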
Thank you Ondra, I think this has solved my problem. I did not know
about the simple_allow_groups parameter.
-Kim