Many thanks for the help,

We have updated the version of SSSD we are using to be: 1.5.15-0ubuntu6~lucid2

I’ve set up our domain (EEMEA) with:

    access_provider = ldap
    ldap_access_order = filter

and an empty ldap_access_filter.

The logs suggest that this will deny any domain users who try to log on:

    (Wed Jan 16 14:25:14 2013) [sssd[be[EEMEA]]] [sssm_ldap_access_init] (0): Warning: LDAP access rule 'filter' is set, but no ldap_access_filter configured. All domain users will be denied access.

However, this doesn’t bear out in reality:

    (Wed Jan 16 14:25:19 2013) [sssd[be[EEMEA]]] [be_pam_handler] (4): Got request with the following data
    (Wed Jan 16 14:25:19 2013) [sssd[be[EEMEA]]] [pam_print_data] (4): command: PAM_AUTHENTICATE
    .....
    (Wed Jan 16 14:25:20 2013) [sssd[be[EEMEA]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]

We normally have the following in our config:

    cache_credentials = TRUE
    enumerate = TRUE

I’ve also tried with these values set to False, with the same results.

I’ve also tried:

    access_provider = deny

and

    access_provider = simple
    simple_allow_users = bob

Logging in as peter still succeeds, in both cases.

Any hints? Is this a problem with our config or this version of SSSD?

Many thanks for the help
Dan

________________________________
From: Timo Aaltonen <[email protected]>
To: [email protected]
Sent: Tuesday, 15 January 2013, 7:58
Subject: Re: [SSSD-users] Problem limiting access to Users in Certain AD groups.

On 14.01.2013 23:28, Jakub Hrozek wrote:
> On Mon, Jan 14, 2013 at 08:37:56PM +0000, Daniel Laird wrote:
>> I am stuck with Ubuntu 10.04 (no chance of upgrading our servers).
>> This means I am currently running SSSD 1.0.5.
>
> This is a very, very old version of SSSD. It hasn't been supported in
> ages.
>
>>
>> I want to limit which users can login.
>> In later versions I believe I would use
>> 'ldap_access_filter'
>>
>
> Does that version have the "simple" access provider (man sssd-simple).
> If so, you could use that one.
>
>> This would allow only users in the specified groups to login.
>>
>> Given my limitation on the version of SSSD can anyone help me achieve the
>> same or is it not possible?
>>
>> I am a bit scared of rebuilding newer versions of SSSD.
>>
>
> I would really urge you to upgrade. I'm CC-ing Timo Aaltonen, the Ubuntu
> SSSD maintainer.
>
> Timo, do you have maybe any PPA for 10.04 with more recent SSSD
> versions?

yep, the updates PPA has 1.5.15 for 10.04:

https://launchpad.net/~sssd/+archive/updates

--
t
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
