On Mon, May 09, 2022 at 01:54:00PM +0200, Bo Riis Toelberg Kristensen wrote:
> Hi
>
> I'm trying to authenticate users based on group membership in our Google
> LDAP directory.
> I can authenticate just fine without the 'ldap_access_filter' but when I
> enable it they still authenticate even when the user is not a group member.
> Additionally I don't see any check of the group membership in the logs, so
> I must be doing something wrong. Please help me.
>
> My sssd.conf
>
> [sssd]
> services = nss, pam
> domains = domain.dk
>
> [domain/domain.dk]
> # Base settings
> debug_level = 8
> id_provider = ldap
> auth_provider = ldap
> access_provider = ldap
> ldap_access_order = filter
> ldap_id_use_start_tls = true
> ldap_uri = ldaps://ldap.google.com
> ldap_search_base = dc=domain,dc=com
> ldap_user_search_base = ou=Users,dc=domain,dc=com
> ldap_group_search_base = ou=Groups,dc=domain,dc=com
> ldap_tls_cert = /etc/sssd/google-ldap-client.crt
> ldap_tls_key = /etc/sssd/google-ldap-client.key
> # Disable TLS 1.3 of google LDAP don't work
> ldap_tls_cipher_suite = NORMAL:!VERS-TLS1.3
> # Access control
> ldap_access_filter = (memberOf=CN=vpn,ou=Groups,dc=domain,dc=com)
> # Google recommended settings
> ldap_schema = rfc2307bis
> ldap_user_uuid = entryUUID
>
> I have been looking for any lines in the logs referencing my vpn group but
> there is none. I have even tried switching to 'auth_provider = simple' but
> there is no reference to the group check
Hi,

I do not see anything obviously wrong in your sssd.conf. 'auth_provider = simple' does not exist, only 'access_provider = simple'.

With PAM, authentication and authorization are different steps, 'auth' and 'acct' in the related PAM configuration. Are you sure pam_sss is configured in the 'acct' section?

Would it be possible to send logs with 'debug_level = 9' in the [pam] and [domain/...] sections of sssd.conf?

bye,
Sumit

> Regards
> Supergoof

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
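To illustrate the 'auth' versus 'acct' point above, here is an added example that is not part of the thread: a POSIX shell check that reports whether pam_sss.so is present in the account stack of a PAM file, run against two constructed sample stacks (not the poster's real configuration). SSSD's access_provider / ldap_access_filter is evaluated by pam_sss.so in the PAM account phase, so a stack that calls pam_sss.so only in auth verifies the password and never consults the filter.

```shell
#!/bin/sh
# Added example, not from the thread. ldap_access_filter is enforced by pam_sss.so
# in the PAM "account" phase (pam_acct_mgmt); a stack with pam_sss.so only in "auth"
# checks the password but never the filter, matching the symptom in the question.

# has_pam_sss TYPE FILE: succeed if FILE has an active (non-comment) line of
# module type TYPE (auth, account, password, session) that calls pam_sss.so.
has_pam_sss() {
    sed 's/#.*//' "$2" | awk -v want="$1" '
        { kind = $1; sub(/^-/, "", kind) }   # allow the "-session" optional prefix
        kind == want {
            # the control field may be bracketed ([success=1 default=ignore]) and
            # span several fields, so scan every field after the type
            for (i = 2; i <= NF; i++) if ($i ~ /pam_sss\.so$/) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# access_filter_enforced FILE: success only if pam_sss runs in both phases.
access_filter_enforced() {
    has_pam_sss auth "$1" && has_pam_sss account "$1"
}

# Constructed sample stacks (not the poster's real files).
BROKEN=$(mktemp) && GOOD=$(mktemp)
trap 'rm -f "$BROKEN" "$GOOD"' EXIT
cat > "$BROKEN" <<'EOF'
# pam_sss only in auth: password verified, ldap_access_filter never consulted
auth     sufficient pam_sss.so forward_pass
auth     required   pam_unix.so try_first_pass
account  required   pam_unix.so
session  optional   pam_sss.so
EOF
cat > "$GOOD" <<'EOF'
auth     sufficient pam_sss.so forward_pass
auth     required   pam_unix.so try_first_pass
account  required   pam_unix.so
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
session  optional   pam_sss.so
EOF

for f in "$BROKEN" "$GOOD"; do
    if access_filter_enforced "$f"; then
        echo "$f: pam_sss in auth and account, access filter is enforced"
    else
        echo "$f: pam_sss missing from auth or account, access filter NOT enforced"
    fi
done
```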
