On Tuesday 2013-08-13 00:26, Ondrej Kos wrote:
> On 08/13/2013 12:34 AM, Kim wrote:
>> Hello List,
>>
>> I am trying to set up sssd to authenticate against an OSX LDAP server.
>> However, I only want to allow users that are in the VPN group. These
>> usernames are located at
>> cn=vpn,cn=groups,dc=server01,dc=castleaccess,dc=com under the memberUid
>> attribute. For graphical representation
>> (http://linuxowns.com/images/ldap.png).
>>
>> Below is my sssd.conf which is a mess and it's not locating the users.
>> The rest of the credentials are fine being pulled from
>> dc=server01,dc=mydomain,dc=com. If I take out the ldap_user_search_base
>> parameter, SSSD will be able to find the users and authenticate... but
>> then it allows all of the users. Any help getting sssd to pull the
>> specified users would be greatly appreciated!
>>
>> /etc/sssd.conf
>>
>> [sssd]
>> config_file_version = 2
>> services = nss, pam
>> domains = default
>> debug_level = 10
>>
>> [nss]
>> filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
>>
>> [pam]
>>
>> [domain/default]
>>
>> id_provider = ldap
>> auth_provider = krb5
>> ldap_uri = ldap://server01.mydomain.com
>> #ldap_search_base = cn=vpn,dc=server01,dc=mydomain,dc=com
>> ldap_search_base = dc=server01,dc=mydomain,dc=com
>> ldap_user_search_base = cn=vpn,dc=server01,dc=mydomain,dc=com
>> ldap_schema = rfc2307bis
>> #ldap_user_principal = memberUid
>> ldap_user_object_class = memberUid
>>
>> min_id = 1
>> max_id = 0
>> enumerate = False
>> ldap_id_use_start_tls = False
>> #chpass_provider = krb5
>> ldap_tls_cacertdir = /etc/openldap/cacerts
>> krb5_realm = SERVER01.MYDOMAIN.COM
>> krb5_server = server01.mydomain.com
>> chpass_provider = krb5
>> cache_credentials = True
>> krb5_kpasswd = server01.mydomain.com
>>
>> /var/log/secure
>> Aug 12 14:34:01 myserver pppd[8686]: pam_unix(ppp:auth): authentication
>> failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=ppp0
>> user=tkawai
>> Aug 12 14:34:01 myserver pppd[8686]: pam_sss(ppp:auth): authentication
>> failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=ppp0
>> user=tkawai
>> Aug 12 14:34:01 myserver pppd[8686]: pam_sss(ppp:auth): received for
>> user tkawai: 10 (User not known to the underlying authentication module)
>>
>>
>
> Hello Kim,
>
> Have you tried configuring the simple access provider? see
> man 5 sssd-simple
> for more information. In your case it would mean adding following to
> the domain section:
>
> access_provider = simple
> simple_allow_groups = vpn
>
> Ondra
>
>
Thank you Ondra, I think this has solved my problem. I did not know
about the simple_allow_groups parameter.
-Kim
Glad to help Kim. You can also set the access_provider option to ldap
and specify ldap_access_filter (see man 5 sssd-ldap). It didn't hit me
when I replied to you, since the simple access provider is, well, simple :)
Ondra
--
Ondrej Kos
Associate Software Engineer
Identity Management - SSSD
Red Hat Czech
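For reference, here is an added example of a domain section that puts the two answers from this thread together. It is not a config posted by either participant nor anything shipped by SSSD; it reuses the placeholder names from the thread (server01.mydomain.com, dc=server01,dc=mydomain,dc=com, the vpn group) and assumes user entries live under a cn=users container, which the thread never states. The point it makes is that SSSD separates identity lookup (where users and groups are found) from access control (who may log in), so the group restriction belongs in the access provider, not in ldap_user_search_base. SSSD reads this from /etc/sssd/sssd.conf.

```ini
# Added example, not from the thread: domain section that keeps user lookups
# working and enforces "only members of the vpn group may log in".
# Hostnames, base DNs and the cn=users container are assumed placeholders.
[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://server01.mydomain.com
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts

# Identity lookup. The search bases say WHERE user and group entries live.
# Pointing ldap_user_search_base at the group container (as in the original
# config) makes SSSD search for user entries inside cn=vpn, where there are
# none, which is why PAM reported "User not known to the underlying
# authentication module".
ldap_search_base = dc=server01,dc=mydomain,dc=com
# assumed container for user entries
ldap_user_search_base = cn=users,dc=server01,dc=mydomain,dc=com
# container of the group entry mentioned in the thread
ldap_group_search_base = cn=groups,dc=server01,dc=mydomain,dc=com

# Group membership is stored as memberUid on the group entry (posix style).
# The rfc2307 schema reads memberUid by default; rfc2307bis expects "member",
# so either use rfc2307 or set ldap_group_member = memberUid explicitly.
ldap_schema = rfc2307
ldap_group_member = memberUid

# Access control is a separate step from identity lookup.
# Option 1 (the first answer in the thread): the simple provider resolves the
# user's groups through the id provider and allows only members of the
# listed groups; everyone else is denied even though their entry resolves.
access_provider = simple
simple_allow_groups = vpn

# Option 2 (the alternative mentioned later, kept commented out): the ldap
# access provider evaluates an LDAP filter against the USER entry. That only
# works if the user entry itself carries a membership attribute such as
# memberOf; with memberUid stored on the group entry, as here, the filter
# has nothing on the user entry to match, so option 1 is the better fit.
#access_provider = ldap
#ldap_access_order = filter
#ldap_access_filter = (memberOf=cn=vpn,cn=groups,dc=server01,dc=mydomain,dc=com)

krb5_realm = SERVER01.MYDOMAIN.COM
krb5_server = server01.mydomain.com
krb5_kpasswd = server01.mydomain.com
chpass_provider = krb5
cache_credentials = True
```

After changing the file, restart sssd and flush its cache with `sss_cache -E`, then check the identity side before testing PAM: `getent passwd tkawai` should return the user and `id tkawai` should list vpn among the groups. If the group does not show up there, the simple provider will deny the login, so the membership lookup (schema and ldap_group_member) is the thing to fix first.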