On Tue, May 10, 2022 at 09:49:08AM +0200, Bo Riis Toelberg Kristensen wrote:
> Hi Sumit
>
> Thank you for taking the time to help me.
>
> You nailed it :-)
>
> In my PAM config I only had
> "auth required pam_sss.so"
> after adding
> "account required pam_sss.so"
> I now see the following in the sssd_domain.log
>
> > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_access_send] (0x0400): Performing access check for user [[email protected]]
> > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [[email protected]]
> > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_access_filter_send] (0x0400): Checking filter against LDAP
> > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_print_server] (0x2000): Searching 216.239.32.58:636
> > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=br)(objectclass=posixAccount)(memberOf=cn=vpn,ou=groups,dc=domain,dc=dk))][uid=br,ou=Users,dc=domain,dc=dk].
> > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 12
> > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_op_add] (0x2000): New operation 12 timeout 6
> > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_process_result] (0x2000): Trace: sh[0x5646f7c363a0], connected[1], ops[0x5646f7f1ffa0], ldap[0x5646f7c37e00]
> > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_op_destructor] (0x2000): Operation 12 finished
> > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_access_filter_done] (0x0100): User [[email protected]] was not found with the specified filter. Denying access.
> > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_access_filter_done] (0x0400): Access denied by online lookup
> > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sysdb_ldb_msg_difference] (0x2000): Added attr [ldap_access_filter_allow] to entry [name=[email protected],cn=users,cn=domain.dk,cn=sysdb]
> > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sysdb_set_entry_attr] (0x0200): Entry [[email protected],cn=users,cn=domain.dk,cn=sysdb] has set [cache, ts_cache] attrs.
> > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_access_done] (0x0400): Access was denied.
>
> Thank you very much for helping

Hi,

you're welcome, glad I could help.

bye,
Sumit

> Happy regards
> Bo
>
> On Mon, 9 May 2022 at 18:48, Sumit Bose <[email protected]> wrote:
>
> > On Mon, May 09, 2022 at 01:54:00PM +0200, Bo Riis Toelberg Kristensen wrote:
> > > Hi
> > >
> > > I'm trying to authenticate users based on group membership in our Google
> > > LDAP directory.
> > > I can authenticate just fine without the 'ldap_access_filter' but when I
> > > enable it they still authenticate even when the user is not a group member.
> > > Additionally I don't see any check of the group membership in the logs, so
> > > I must be doing something wrong. Please help me.
> > >
> > > My sssd.conf
> > >
> > > [sssd]
> > > services = nss, pam
> > > domains = domain.dk
> > >
> > > [domain/domain.dk]
> > > # Base settings
> > > debug_level = 8
> > > id_provider = ldap
> > > auth_provider = ldap
> > > access_provider = ldap
> > > ldap_access_order = filter
> > > ldap_id_use_start_tls = true
> > > ldap_uri = ldaps://ldap.google.com
> > > ldap_search_base = dc=domain,dc=com
> > > ldap_user_search_base = ou=Users,dc=domain,dc=com
> > > ldap_group_search_base = ou=Groups,dc=domain,dc=com
> > > ldap_tls_cert = /etc/sssd/google-ldap-client.crt
> > > ldap_tls_key = /etc/sssd/google-ldap-client.key
> > > # Disable TLS 1.3, Google LDAP doesn't work with it
> > > ldap_tls_cipher_suite = NORMAL:!VERS-TLS1.3
> > > # Access control
> > > ldap_access_filter = (memberOf=CN=vpn,ou=Groups,dc=domain,dc=com)
> > > # Google recommended settings
> > > ldap_schema = rfc2307bis
> > > ldap_user_uuid = entryUUID
> > >
> > > I have been looking for any lines in the logs referencing my vpn group but
> > > there is none. I have even tried switching to 'auth_provider = simple' but
> > > there is no reference of the group check
> >
> > Hi,
> >
> > I do not see anything obviously wrong in your sssd.conf. 'auth_provider
> > = simple' does not exist, only 'access_provider = simple'. With PAM
> > authentication and authorization are different steps, 'auth' and 'acct'
> > in the related PAM configuration. Are you sure pam_sss is configured in
> > the 'acct' section?
> >
> > Would it be possible to send logs with 'debug_level = 9' in the [pam]
> > and [domain/...] section of sssd.conf?
> >
> > bye,
> > Sumit
> >
> > > Regards
> > > Supergoof
> > >
> > > --
> > > ----CEGO A/S will as part of your communication and interaction with us
> > > collect and process personal data about you. You can read more about our
> > > collection and processing of your personal data and your rights as a data
> > > subject at https://cego.dk/gdpr/
>
> --
> Venlig hilsen / Best regards
> Bo Riis
>
> E-mail: [email protected]
>
> CEGO A/S <http://www.cego.dk/>, Lauritzens Plads 1, 9000 Aalborg, Denmark
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> Please note that any views or opinions presented in this email are solely
> those of the author and do not necessarily represent those of the company.
> Finally, the recipient should check this email and any attachments for the
> presence of viruses. The company accepts no liability for any damage caused
> by any virus transmitted by this email.

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
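The root cause in this thread, pam_sss listed only in the 'auth' stack so SSSD's ldap_access_filter was never evaluated in the 'account' phase, can be turned into a configuration check. The following is an added example, not code from the thread or from SSSD: it parses pam.d-style lines and reports modules present under 'auth' but missing under 'account'; the two sample stacks are constructed to mirror the before/after configuration Bo describes.

```python
"""Flag PAM modules consulted during authentication ('auth') but never
during authorization ('account').

With SSSD the access provider (e.g. ldap_access_filter) is enforced by
pam_sss in the 'account' phase, so an 'auth'-only entry verifies the
password but skips the group check entirely."""
import re
from typing import Dict, List, Set

# Constructed samples: the stack from the thread (auth only) and the fix.
PAM_BEFORE = """
auth     required   pam_sss.so
password sufficient pam_sss.so use_authtok
session  optional   pam_sss.so
"""

PAM_AFTER = """
auth     required   pam_sss.so
account  required   pam_sss.so
password sufficient pam_sss.so use_authtok
session  optional   pam_sss.so
"""

# type  control  module [args]; control may be a bracketed [..] expression,
# and a leading '-' marks the module as optional-if-missing.
_LINE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)


def parse_pam(text: str) -> Dict[str, List[str]]:
    """Return {management group: [module names]} from pam.d-style text.
    Comments and blank lines are skipped; include/substack lines are kept
    under their group with the referenced service name as the module."""
    stack: Dict[str, List[str]] = {k: [] for k in ("auth", "account", "password", "session")}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        stack[m.group("type")].append(m.group("module"))
    return stack


def auth_without_account(text: str) -> Set[str]:
    """Modules that appear in 'auth' but not in 'account'."""
    stack = parse_pam(text)
    return set(stack["auth"]) - set(stack["account"])
```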
