Re: [CentOS] ldap host attribute is ignored

2015-05-15 Thread Ulrich Hiller
Yesterday we had a public holiday here. Now I am back. ;-) The uid is below 2000. If you want to know the real number: it is 1026. But when I set the 2000 to 1000: account sufficient pam_succeed_if.so uid < 1000 quiet I cannot log in at all. Permission denied. With kind regards, ulrich On

Re: [CentOS] ldap host attribute is ignored

2015-05-15 Thread Gordon Messmer
On 05/15/2015 03:07 AM, Ulrich Hiller wrote: the uid is below 2000. If you want to know the real number: it is 1026. I'm happy to help, but I have to point out that we've been chasing this problem for ten days now, and the problem would have been pretty obvious if you had not obscured the

Re: [CentOS] ldap host attribute is ignored

2015-05-13 Thread Ulrich Hiller
On 05/12/2015 11:04 PM, m.r...@5-cent.us wrote: Ulrich Hiller wrote: I thought this too. I think this: access_provider = ldap ldap_access_filter = memberOf=host=does-not-exist-host ldap_access_order = filter ldap_user_authorized_host = host must confuse sssd so much that it denies

Re: [CentOS] ldap host attribute is ignored

2015-05-13 Thread Gordon Messmer
On 05/12/2015 11:47 AM, Ulrich Hiller wrote: that's interesting. performing access check is really missing. OK. Your system is configured to not check users with uidNumber < 2000. Your original message obscured the UID of the user you were testing. What is it?

Re: [CentOS] ldap host attribute is ignored

2015-05-12 Thread Ulrich Hiller
I thought this too. I think this: access_provider = ldap ldap_access_filter = memberOf=host=does-not-exist-host ldap_access_order = filter ldap_user_authorized_host = host must confuse sssd so much that it denies login. But the user without host attribute can still log in. With kind regards,

Re: [CentOS] ldap host attribute is ignored

2015-05-12 Thread m . roth
Ulrich Hiller wrote: that's interesting. performing access check is really missing. Also the sdap_access lines are not there. Therefore I do have: (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_access_filter has no value (Tue May 12 13:16:20 2015)

Re: [CentOS] ldap host attribute is ignored

2015-05-12 Thread Ulrich Hiller
That's interesting. performing access check is really missing. Also the sdap_access lines are not there. Therefore I do have: (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options] (0x0400): Option ldap_access_filter has no value (Tue May 12 13:16:20 2015) [sssd[be[default]]]

Re: [CentOS] ldap host attribute is ignored

2015-05-12 Thread m . roth
Ulrich Hiller wrote: I thought this too. I think this: access_provider = ldap ldap_access_filter = memberOf=host=does-not-exist-host ldap_access_order = filter ldap_user_authorized_host = host must confuse sssd so much that it denies login. But the user without host attribute can still

Re: [CentOS] ldap host attribute is ignored

2015-05-12 Thread Gordon Messmer
On 05/12/2015 06:25 AM, Ulrich Hiller wrote: I have set logging in sssd to 9: 7 might be good enough for what you want to find. I added this to the domain/default section: access_provider = ldap ldap_access_order = host ldap_user_authorized_host = host debug_level = 7

Re: [CentOS] ldap host attribute is ignored

2015-05-12 Thread Ulrich Hiller
After that you'll probably have to turn up logging in sssd and check its logs to see what it's doing. I have set logging in sssd to 9: cache_credentials = true debug_level = 9 I first tried a user with the correct host attribute, then a user without the host attribute. The output in the

Re: [CentOS] ldap host attribute is ignored

2015-05-11 Thread Conley, Matthew M CTR GXM
-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Jonathan Billings Sent: Saturday, May 09, 2015 4:25 PM To: CentOS mailing list Subject: Re: [CentOS] ldap host attribute is ignored On May 8, 2015, at 11:14 AM, Ulrich Hiller hil...@mpia-hd.mpg.de wrote: /etc/pam.d/system-auth

Re: [CentOS] ldap host attribute is ignored

2015-05-11 Thread Ulrich Hiller
PM To: CentOS mailing list Subject: Re: [CentOS] ldap host attribute is ignored one more thing: firewalld service and selinux are deactivated. On 05/11/2015 07:06 PM, Ulrich Hiller wrote: Hmmm, I have now made a complete new install but the problem persists: ldap authentication works

Re: [CentOS] ldap host attribute is ignored

2015-05-11 Thread Ulrich Hiller
Hate to say that we're running out of options. I had a CentOS 7 system similar to yours, with LDAP authentication. I added three lines to sssd.conf (for access provider, etc), restarted sssd, and users with no host attribute were denied. I didn't actually test users with a host

Re: [CentOS] ldap host attribute is ignored

2015-05-11 Thread Gordon Messmer
On 05/11/2015 10:06 AM, Ulrich Hiller wrote: Hmmm, I have now made a complete new install but the problem persists: ldap authentication works, but the host attribute is ignored. Hate to say that we're running out of options. I had a CentOS 7 system similar to yours, with LDAP

Re: [CentOS] ldap host attribute is ignored

2015-05-11 Thread Conley, Matthew M CTR GXM
1:40 PM To: CentOS mailing list Subject: Re: [CentOS] ldap host attribute is ignored one more thing: firewalld service and selinux are deactivated. On 05/11/2015 07:06 PM, Ulrich Hiller wrote: Hmmm, I have now made a complete new install but the problem persists: ldap authentication works

Re: [CentOS] ldap host attribute is ignored

2015-05-11 Thread Ulrich Hiller
Hmmm, I have now made a complete new install but the problem persists: ldap authentication works, but the host attribute is ignored. I have installed CentOS7 64bit with KDE. I did not do any 'yum update' or install of extra packages so far. These pam and ldap packages are installed:

Re: [CentOS] ldap host attribute is ignored

2015-05-11 Thread Ulrich Hiller
One more thing: firewalld service and selinux are deactivated. On 05/11/2015 07:06 PM, Ulrich Hiller wrote: Hmmm, I have now made a complete new install but the problem persists: ldap authentication works, but the host attribute is ignored. I have installed CentOS7 64bit with KDE. I

Re: [CentOS] ldap host attribute is ignored

2015-05-10 Thread Gordon Messmer
On 05/09/2015 01:24 PM, Jonathan Billings wrote: Is it normal to have pam_unix and pam_sss twice for each section? No. See my previous message. I think it's the result of copying portions of SuSE configurations.

Re: [CentOS] ldap host attribute is ignored

2015-05-09 Thread Jonathan Billings
On May 8, 2015, at 11:14 AM, Ulrich Hiller hil...@mpia-hd.mpg.de wrote: /etc/pam.d/system-auth: --- #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient

Re: [CentOS] ldap host attribute is ignored

2015-05-08 Thread Ulrich Hiller
But instead I get centos: sshd[7929]: pam_unix(sshd:session): session opened for user username pam_unix should be an indication that username appears in the local unix password files. Make sure that it doesn't. Nope. None of the usernames I tried is in /etc/passwd or /etc/shadow

Re: [CentOS] ldap host attribute is ignored

2015-05-08 Thread Gordon Messmer
On 05/08/2015 08:14 AM, Ulrich Hiller wrote: With kind regards, ulrich Hm. I don't *see* the problem, so let me go about this in the opposite direction. I added the host controls to one of my systems, and they appear to work properly. My configuration files were *mostly* written by

Re: [CentOS] ldap host attribute is ignored

2015-05-07 Thread Ulrich Hiller
Thanks a lot for looking over the config. I am at the topic 'user data is available': id username and getent passwd and ldapsearch -x -b ou=XXX,o=YYY uid=username give the correct results. ldapsearch also gives the correct host attribute I have set in the ldap server. Regarding the manpage of

Re: [CentOS] ldap host attribute is ignored

2015-05-07 Thread Gordon Messmer
On 05/07/2015 12:07 PM, Ulrich Hiller wrote: login with the wrong password gives a denied login. login with the correct password always works. This has been my situation since the beginning of my thread. Got it. I misread part of your last message, and thought that logins were /not/ working when sssd

Re: [CentOS] ldap host attribute is ignored

2015-05-06 Thread Ulrich Hiller
Thanks a lot for the explanation. I have confused some things while crawling through the manuals. Now I have removed the 'ldap' from the /etc/nsswitch.conf. Now it looks like this: passwd: files sss shadow: files sss group: files sss hosts: files dns bootparams: nisplus

Re: [CentOS] ldap host attribute is ignored

2015-05-06 Thread Gordon Messmer
On 05/06/2015 07:24 AM, Ulrich Hiller wrote: Now i have removed the 'ldap' from the /etc/nsswitch.conf. Now it looks like this: Looks good. My /etc/openldap/ldap.conf is this: OK, but that file isn't used for name service or authentication. Mostly just the openldap tools (ldapsearch,

Re: [CentOS] ldap host attribute is ignored

2015-05-05 Thread Ulrich Hiller
Hi, 'pam_check_host_attr yes' is in /etc/openldap/ldap.conf. /etc/ldap.conf is a softlink to that file. But still the host attribute is ignored. With kind regards, ulrich On 05/05/2015 12:32 PM, Ashish Yadav wrote: Hi, On Tue, May 5, 2015 at 3:32 PM, Ulrich Hiller hil...@mpia-hd.mpg.de

Re: [CentOS] ldap host attribute is ignored

2015-05-05 Thread Kai Grunau
Hi, On 05/05/2015 12:02 PM, Ulrich Hiller wrote: access_provider = ldap ldap_access_filter = memberOf=ou=,o= ldap_access_order = host Try to use ldap_access_filter = host='HOSTNAME' instead of the ldap_access_order = host parameter. Regards, Kai

Re: [CentOS] ldap host attribute is ignored

2015-05-05 Thread Ulrich Hiller
Unfortunately I got a syntax error with this method ldap_access_filter = host='HOSTNAME' and sssd did not restart. I added the line ldap_user_authorized_host = host without success. I have to admit that I do not have any idea where to look for the problem: - is it sssd? I have the version 1.12.2

Re: [CentOS] ldap host attribute is ignored

2015-05-05 Thread Gordon Messmer
On 05/05/2015 03:02 AM, Ulrich Hiller wrote: /etc/openldap/ldap.conf contains the line: -- pam_check_host_attr yes /etc/openldap/ldap.conf is the configuration file for openldap clients. It is not used for system authentication or name service.

Re: [CentOS] ldap host attribute is ignored

2015-05-05 Thread m . roth
Ulrich Hiller wrote: unfortunately I got a syntax error with this method ldap_access_filter = host='HOSTNAME' and sssd did not restart. I added the line ldap_user_authorized_host = host without success. I have to admit that I do not have any idea where to look for the problem: <snip> google

Re: [CentOS] ldap host attribute is ignored

2015-05-05 Thread Ulrich Hiller
Hi, added, but no success. My sssd.conf now looks like this: [sssd] config_file_version = 2 services = nss,pam domains = default # SSSD will not start if you do not configure any domains. # Add new domain configurations as [domain/NAME] sections, and # then add the list of domains (in the order you want

Re: [CentOS] ldap host attribute is ignored

2015-05-05 Thread Ulrich Hiller
On 05/05/2015 06:47 PM, Gordon Messmer wrote: On 05/05/2015 03:02 AM, Ulrich Hiller wrote: /etc/openldap/ldap.conf contains the line: -- pam_check_host_attr yes /etc/openldap/ldap.conf is the configuration file for openldap clients. It is

Re: [CentOS] ldap host attribute is ignored

2015-05-05 Thread Ulrich Hiller
I have already seen this page, but it does not help me. But anyway, thanks a lot for your help. With kind regards, ulrich On 05/05/2015 05:47 PM, m.r...@5-cent.us wrote: Ulrich Hiller wrote: unfortunately I got a syntax error with this method ldap_access_filter = host='HOSTNAME' and sssd

Re: [CentOS] ldap host attribute is ignored

2015-05-05 Thread Ashish Yadav
Hi, I am confused about what to do now. Do I have to configure anything else in /etc/pam.d apart from system-auth? IMO, you have to configure sssd.conf properly. Please add ldap_user_authorized_host = host in your sssd.conf, which you have not configured. After that please check again. For

Re: [CentOS] ldap host attribute is ignored

2015-05-05 Thread Ashish Yadav
Hi, On Tue, May 5, 2015 at 3:32 PM, Ulrich Hiller hil...@mpia-hd.mpg.de wrote: Dear list members, I have installed a CentOS 7 x86_64 system. I want to let users authenticate over our ldap server. This seems to be working. ldap-username and ldap-passwords are accepted for the users

[CentOS] ldap host attribute is ignored

2015-05-05 Thread Ulrich Hiller
Dear list members, I have installed a CentOS 7 x86_64 system. I want to let users authenticate over our ldap server. This seems to be working. ldap-username and ldap-passwords are accepted for the users configured in the ldap server. No problem. Now I want to restrict the access to users who

Re: [CentOS] ldap host attribute is ignored

2015-05-05 Thread Gordon Messmer
On 05/05/2015 11:14 AM, Ulrich Hiller wrote: On 05/05/2015 06:47 PM, Gordon Messmer wrote: This is wrong. Don't use sss and ldap together. It's redundant. At best it will cause performance problems. Get rid of the ldap module and see if the system starts working correctly with just sssd.