Hi, I'm trying to authenticate users based on group membership in our Google LDAP directory. I can authenticate just fine without the 'ldap_access_filter', but when I enable it they still authenticate even when the user is not a group member. Additionally, I don't see any check of the group membership in the logs, so I must be doing something wrong. Please help me.
My sssd.conf:

    [sssd]
    services = nss, pam
    domains = domain.dk

    [domain/domain.dk]
    # Base settings
    debug_level = 8
    id_provider = ldap
    auth_provider = ldap
    access_provider = ldap
    ldap_access_order = filter
    ldap_id_use_start_tls = true
    ldap_uri = ldaps://ldap.google.com
    ldap_search_base = dc=domain,dc=com
    ldap_user_search_base = ou=Users,dc=domain,dc=com
    ldap_group_search_base = ou=Groups,dc=domain,dc=com
    ldap_tls_cert = /etc/sssd/google-ldap-client.crt
    ldap_tls_key = /etc/sssd/google-ldap-client.key
    # Disable TLS 1.3 of google LDAP don't work
    ldap_tls_cipher_suite = NORMAL:!VERS-TLS1.3
    # Access control
    ldap_access_filter = (memberOf=CN=vpn,ou=Groups,dc=domain,dc=com)
    # Google recommended settings
    ldap_schema = rfc2307bis
    ldap_user_uuid = entryUUID

I have been looking for any lines in the logs referencing my vpn group, but there are none. I have even tried switching to 'auth_provider = simple', but there is no reference to the group check.

Regards
Supergoof
