Hello List,

I am trying to set up sssd to authenticate against an OSX LDAP server. However, I only want to allow users that are in the VPN group. These usernames are located at cn=vpn,cn=groups,dc=server01,dc=castleaccess,dc=com under the memberUid attribute. For a graphical representation, see http://linuxowns.com/images/ldap.png.

Below is my sssd.conf, which is a mess, and it's not locating the users. The rest of the credentials are fine being pulled from dc=server01,dc=mydomain,dc=com. If I take out the ldap_user_search_base parameter, SSSD will be able to find the users and authenticate... but then it allows all of the users. Any help getting sssd to pull the specified users would be greatly appreciated!

/etc/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam
domains = default
debug_level = 10

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[domain/default]

id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://server01.mydomain.com
#ldap_search_base = cn=vpn,dc=server01,dc=mydomain,dc=com
ldap_search_base = dc=server01,dc=mydomain,dc=com
ldap_user_search_base = cn=vpn,dc=server01,dc=mydomain,dc=com
ldap_schema = rfc2307bis
#ldap_user_principal = memberUid
ldap_user_object_class = memberUid

min_id = 1
max_id = 0
enumerate = False
ldap_id_use_start_tls = False
#chpass_provider = krb5
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_realm = SERVER01.MYDOMAIN.COM
krb5_server = server01.mydomain.com
chpass_provider = krb5
cache_credentials = True
krb5_kpasswd = server01.mydomain.com

/var/log/secure
Aug 12 14:34:01 myserver pppd[8686]: pam_unix(ppp:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=ppp0  user=tkawai
Aug 12 14:34:01 myserver pppd[8686]: pam_sss(ppp:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=ppp0 user=tkawai
Aug 12 14:34:01 myserver pppd[8686]: pam_sss(ppp:auth): received for user tkawai: 10 (User not known to the underlying authentication module)
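The pattern the post is after (identify users from the whole directory, but let only members of one group log in) is normally expressed in SSSD as an access-control rule rather than by narrowing the user search base: pointing ldap_user_search_base at a group entry means user lookups search a subtree that contains no user objects, which is exactly the "User not known" result shown above. The domain section below is an added example, not the poster's configuration or an SSSD project file; it assumes the same base DN and Kerberos settings as the posted config, that users and the vpn group both live under dc=server01,dc=mydomain,dc=com, and that group membership is carried in memberUid (rfc2307 style, not the member attribute that rfc2307bis expects).

```ini
[domain/default]
# Identity still comes from the whole directory, so every user resolves.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://server01.mydomain.com
ldap_search_base = dc=server01,dc=mydomain,dc=com

# memberUid membership is the rfc2307 group model; rfc2307bis looks for "member" instead.
ldap_schema = rfc2307
# Assumed subtree for group entries (cn=vpn lives under cn=groups per the post).
ldap_group_search_base = cn=groups,dc=server01,dc=mydomain,dc=com
# Do NOT set ldap_user_search_base to a group DN; leave it unset so users are found under ldap_search_base.
# ldap_user_object_class names an object class (default posixAccount), never an attribute such as memberUid.

# Authorization: only members of the vpn group may log in. Everyone else resolves
# but is denied at the PAM account stage, which is the behaviour the post asks for.
access_provider = simple
simple_allow_groups = vpn

krb5_realm = SERVER01.MYDOMAIN.COM
krb5_server = server01.mydomain.com
krb5_kpasswd = server01.mydomain.com
cache_credentials = True
enumerate = False
```

After changing the file, clear the cached identity data (the group membership is cached) and restart sssd; then check with `id <user>` that a vpn member shows the vpn group and that a non-member still resolves but is refused at login. The denial is logged by pam_sss at the account stage, so a user who is rejected for not being in the group is distinguishable in /var/log/secure from one who simply cannot be found.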