On Wed 16 Jan 2013 10:44:03 AM EST, Daniel Laird wrote:
> Many thanks for the help,
>
> We have updated the version of SSSD we are using to be:
> 1.5.15-0ubuntu6~lucid2
>
> I’ve set up our domain (EEMEA) with:
> access_provider = ldap
> ldap_access_order = filter
> and an empty ldap_access_filter
>
> The logs suggest that this will deny any domain users who try to log on:
> (Wed Jan 16 14:25:14 2013) [sssd[be[EEMEA]]] [sssm_ldap_access_init] (0):
> Warning: LDAP access rule 'filter' is set, but no ldap_access_filter
> configured. All domain users will be denied access.
> However, this doesn’t bear out in reality:
> (Wed Jan 16 14:25:19 2013) [sssd[be[EEMEA]]] [be_pam_handler] (4): Got
> request with the following data
> (Wed Jan 16 14:25:19 2013) [sssd[be[EEMEA]]] [pam_print_data] (4): command:
> PAM_AUTHENTICATE
> .....
> (Wed Jan 16 14:25:20 2013) [sssd[be[EEMEA]]] [be_pam_handler_callback] (4):
> Backend returned: (0, 0, <NULL>) [Success]
>
> We normally have the following in our config:
> cache_credentials = TRUE
> enumerate = TRUE
> I’ve also tried with these values set to False, with the same results.
>
> I’ve also tried:
> access_provider = deny
> and
> access_provider = simple
> simple_allow_users = bob
> logging in as peter still succeeds, in both cases.
>
>
> Any hints? Is this a problem with our config or this version of SSSD?
> Many thanks for the help
> Dan
>

This is a problem with your config. The authentication step is expected to succeed. The denial should be happening during pam_acct_mgmt() which is later in the stack. I'm guessing your PAM stack is missing pam_sss.so in the 'account' stack.

_______________________________________________
sssd-users mailing list
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
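Added example (not part of the original thread and not SSSD's own code): a Python check that walks /etc/pam.d-style files and flags the condition the reply describes, pam_sss.so present in the 'auth' stack but absent from 'account'. The file contents, the `sshd` service name and the function names are constructed for illustration.

```python
import re

def pam_modules(name, files, stack=()):
    """Yield (type, module) for a /etc/pam.d-style file, following includes.
    `files` maps file name -> text; on a real host, read /etc/pam.d/* into it."""
    if name in stack or name not in files:        # missing file or include loop
        return
    for raw in files[name].replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if line.startswith("@include"):           # Debian/Ubuntu whole-file include
            yield from pam_modules(line.split()[1], files, stack + (name,))
            continue
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            continue
        mtype, control, target = m.groups()
        if control in ("include", "substack"):    # pulls in only lines of mtype
            sub = pam_modules(target, files, stack + (name,))
            yield from (e for e in sub if e[0] == mtype)
        else:
            yield mtype, target.rsplit("/", 1)[-1]

def sss_account_gap(service, files):
    """True when pam_sss.so authenticates users but never runs in 'account',
    so SSSD's access_provider decision is never consulted."""
    types = {t for t, mod in pam_modules(service, files) if mod == "pam_sss.so"}
    return "auth" in types and "account" not in types

# Constructed sample files, not taken from the poster's system.
BROKEN = {
    "sshd": "@include common-auth\n@include common-account\n",
    "common-auth": (
        "auth [success=2 default=ignore] pam_unix.so nullok_secure\n"
        "auth [success=1 default=ignore] pam_sss.so use_first_pass\n"
        "auth requisite pam_deny.so\nauth required pam_permit.so\n"),
    "common-account": (
        "account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so\n"
        "account requisite pam_deny.so\naccount required pam_permit.so\n"),
}
FIXED = dict(BROKEN)
FIXED["common-account"] += (
    "account [default=bad success=ok user_unknown=ignore] pam_sss.so\n")

if __name__ == "__main__":
    for label, files in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "gap:", sss_account_gap("sshd", files))
```

With the constructed `BROKEN` files the check reports a gap, matching the symptom in the thread: authentication succeeds and no access rule is ever evaluated.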
