Hello List,
I am trying to set up sssd to authenticate against an OSX LDAP
server. However, I only want to allow users that are in the VPN
group. These usernames are located at
cn=vpn,cn=groups,dc=server01,dc=castleaccess,dc=com under the
memberUid attribute. For graphical representation
(http://linuxowns.com/images/ldap.png).
Below is my sssd.conf which is a mess and it's not locating the
users. The rest of the credentials are fine being pulled from dc=server01,dc=mydomain,dc=com.
If I take out the ldap_user_search_base
parameter, SSSD will be able to find the users and authenticate...
but then it allows all of the users. Any help getting sssd to
pull the specified users would be greatly appreciated!
/etc/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = default
debug_level = 10
[nss]
filter_users =
root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
[pam]
[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://server01.mydomain.com
#ldap_search_base = cn=vpn,dc=server01,dc=mydomain,dc=com
ldap_search_base = dc=server01,dc=mydomain,dc=com
ldap_user_search_base = cn=vpn,dc=server01,dc=mydomain,dc=com
ldap_schema = rfc2307bis
#ldap_user_principal = memberUid
ldap_user_object_class = memberUid
min_id = 1
max_id = 0
enumerate = False
ldap_id_use_start_tls = False
#chpass_provider = krb5
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_realm = SERVER01.MYDOMAIN.COM
krb5_server = server01.mydomain.com
chpass_provider = krb5
cache_credentials = True
krb5_kpasswd = server01.mydomain.com
/var/log/secure
Aug 12 14:34:01 myserver pppd[8686]: pam_unix(ppp:auth):
authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2
ruser= rhost=ppp0 user=tkawai
Aug 12 14:34:01 myserver pppd[8686]: pam_sss(ppp:auth):
authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2
ruser= rhost=ppp0 user=tkawai
Aug 12 14:34:01 myserver pppd[8686]: pam_sss(ppp:auth):
received for user tkawai: 10 (User not known to the underlying
authentication module)