Hi Jakub,

I'm not sure if simple access is what I need.

I have setup in LDAP:

cn=allowedusers, ou=Groups
- using attribute: memberUid - and adding the users uid here.

ou=Employees, ou=People
- in Employees have users with objectClass: inetOrgPerson, posixAccount

ou=sudoers
- here have objectClass: sudoRole and creating cn= <username from Employees> and sudoUser = <username>

and also have a LDAP Proxy to Active Directory:
(*Note: for now, I'm commenting this section out and not connecting, but need to consider this to activate later)
- using this setup in slapd.conf:
    database        ldap
    suffix          "ou=Users,ou=adgroup,dc=ad,dc=something,dc=net"
    uri             ldap://ad1.something.net/
    rebind-as-user
    idassert-bind   bindmethod=simple
binddn="cn=bindingacctname,ou=users,ou=adgroup,dc=ad,dc=something,dc=net"
                credentials="<password>"
                mode=none
    idassert-authzFrom "*"
    chase-referrals yes
    subordinate

So, not sure if simple binding would be correct thing to do???



------ Original Message ------
From: "Jakub Hrozek" <[email protected]>
To: [email protected]
Sent: 7/28/2014 3:13:13 PM
Subject: Re: [SSSD] Trying to ssh with sssd/pam configuration

On Mon, Jul 28, 2014 at 07:01:16PM +0000, Sterling Sahaydak wrote:
 Hi Jakub,

 Greatly appreciate you taking the time and providing help!

 Answer to your questions:

 1) Can you also include debugging from the pam responder?

 Hmmm, yes - I want to, but having issues enabling the logging to:
 sssd_pam.log

I don't think we need that anymore, the reason is clear from
/var/log/secure..


 Seems like I have everything going to: sssd_LDAP.log

Obviously, I'm a unix newbie. If you can provide how to enable that would
 be greatly appreciated. Wasn't clear with syslog enabling?


2)I would suggest to not use enumerate=true unless some legacy application
 needs that.
 I've updated this to: enumerate=false

Thanks!



3) Why do you have two domains defined with the same server but access
 control defined only in the first one.

Hmmm, not sure here what 'defined only in the first one'? I'm sure it's a
 configuration setup issue on my part in not understanding.


Judging by the name 'default', I guess it was set up by authconfig,
default is the name authconfig uses for all its domains.



 4)The PAM config looks OK to me, although you might want to re-run
 # authconfig --enablesssdauth --enablesssd --update
 to make sure.
So... I entered "authconfig --enablesssdauth --enablesssd --update" on the
 cmd line but didn't see anything.

Normally this means the utility did its job :)



  5) Did you include 'sss' to /etc/nsswitch.conf?


 #passwd: files sss
 #shadow: files sss
 #group: files sss
 passwd: files sss
 group: files sss
 sudoers: files sss

 #hosts: db files nisplus nis dns
 hosts: files dns

 # Example - obey only what nisplus tells us...
 #services: nisplus [NOTFOUND=return] files
 #networks: nisplus [NOTFOUND=return] files
 #protocols: nisplus [NOTFOUND=return] files
 #rpc: nisplus [NOTFOUND=return] files
 #ethers: nisplus [NOTFOUND=return] files
 #netmasks: nisplus [NOTFOUND=return] files

 bootparams: nisplus [NOTFOUND=return] files

 ethers: files
 netmasks: files
 networks: files
 protocols: files
 rpc: files
 services: files sss

 netgroup: files sss

 publickey: nisplus

 automount: files
 aliases: files nisplus
 initgroups: files sss
 shadow: files sss


 What does /var/log/secure say when you attempt to authenticate?

Jul 28 14:54:10 ldap01 sshd[26892]: pam_unix(sshd:auth): authentication
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=54.215.207.210
 user=test1234
Jul 28 14:54:10 ldap01 sshd[26892]: pam_sss(sshd:auth): authentication
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=54.215.207.210
 user=test1234
Jul 28 14:54:10 ldap01 sshd[26892]: pam_sss(sshd:auth): received for user
 test1234: 6 (Permission denied)

^^^

OK, here we see the user was authenticated by SSSD, but not allowed
access by the access_provider of sssd.

In your config file I see:
    ldap_access_filter = cn=allowedusers,ou=Groups,dc=something,dc=net

That doesn't sound right to me, the ldap_access_filter is supposed to be
a filter applied when looking for the user.

If you want to restrict access to members of a group called
allowedusers, then I would suggest the simple access provider instead:

access_provider = simple
simple_allow_groups = allowedusers

See man sssd-simple for some examples and more info.

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

Reply via email to