For simple access control you can refer to the man page "man sssd-simple" for
details on "simple_allow_groups".
For the "memberOf" filter, I think the "memberOf" attribute needs to be enabled on
the OpenLDAP server; directory servers have it by default (including AD).

https://www.openldap.org/doc/admin24/guide.html#:~:text=the%20group%20entry.-,12.8.2.%20Member%20Of%20Configuration,-The%20typical%20use

Regards, Ashok


On Mon, May 9, 2022 at 5:24 PM Bo Riis Toelberg Kristensen <[email protected]>
wrote:

> Hi
>
> I'm trying to authenticate users based on group membership in our Google
> LDAP directory.
> I can authenticate just fine without the 'ldap_access_filter' but when I
> enable it they still authenticate even when the user is not a group member.
> Additionally I don't see any check of the group membership in the logs, so
> I must be doing something wrong. Please help me.
>
> My sssd.conf
>
> [sssd]
> services = nss, pam
> domains = domain.dk
>
> [domain/domain.dk]
> # Base settings
> debug_level = 8
> id_provider = ldap
> auth_provider = ldap
> access_provider = ldap
> ldap_access_order = filter
> ldap_id_use_start_tls = true
> ldap_uri = ldaps://ldap.google.com
> ldap_search_base = dc=domain,dc=com
> ldap_user_search_base = ou=Users,dc=domain,dc=com
> ldap_group_search_base = ou=Groups,dc=domain,dc=com
> ldap_tls_cert = /etc/sssd/google-ldap-client.crt
> ldap_tls_key = /etc/sssd/google-ldap-client.key
> # Disable TLS 1.3 of google LDAP don't work
> ldap_tls_cipher_suite = NORMAL:!VERS-TLS1.3
> # Access control
> ldap_access_filter = (memberOf=CN=vpn,ou=Groups,dc=domain,dc=com)
> # Google recommended settings
> ldap_schema = rfc2307bis
> ldap_user_uuid = entryUUID
>
> I have been looking for any lines in the logs referencing my vpn group but
> there are none. I have even tried switching to 'auth_provider = simple' but
> there is no reference to the group check.
>
> Regards
> Supergoof
>
> ----
> CEGO A/S will as part of your communication and interaction with us
> collect and process personal data about you. You can read more about our
> collection and processing of your personal data and your rights as a data
> subject at https://cego.dk/gdpr/
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
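As an added example (not the configuration of either poster in this thread), the following sssd.conf shows the two group-based access-control mechanisms named in the reply side by side: the LDAP access provider with a memberOf filter, and the simple access provider with simple_allow_groups (simple is a value of access_provider, per man sssd-simple). Domain, base DNs, group name, server host and certificate paths are placeholders assumed for illustration.

```ini
# Added example: placeholder domain, DNs, group and paths.
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
debug_level = 9
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_schema = rfc2307bis
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=Users,dc=example,dc=com
ldap_group_search_base = ou=Groups,dc=example,dc=com
ldap_tls_cert = /etc/sssd/ldap-client.crt
ldap_tls_key = /etc/sssd/ldap-client.key

# Option A: LDAP access provider, filter on the user's memberOf attribute.
# This only restricts anything if the server actually returns memberOf on
# the user entry (on OpenLDAP that requires the memberof overlay).
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (memberOf=cn=vpn,ou=Groups,dc=example,dc=com)

# Option B (use instead of A, not together with it): simple access provider.
# Membership is checked against the group objects SSSD resolves itself, so it
# does not depend on memberOf being present on the user object.
#access_provider = simple
#simple_allow_groups = vpn
```

After changing the file, restart sssd and clear the cache with `sss_cache -E` so a previously cached access decision is not reused. Before relying on Option A, confirm with an ldapsearch for the user entry that the server really returns a memberOf value; if it does not, the filter matches nothing and Option B is the one to use.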