If you have the memberOf plugin enabled (and appropriate objectclasses on your accounts), you can use the following ldap_access_filter rule:
Try taking out access_provider, if I'm not mistaken that is to be used with the host attribute and pam must have pam_sss.so
Another thing you can do is
access_provider = simple
simple_allow_users = jsmith,bjensen
simple_allow_groups = itgroup
Which will work for ldap groups too.
Dan
> --
On May 28, 2013, at 5:45 PM, Fosiul Alam <fosiul@gmail.com> wrote:
> Hi Bellow is my sssd.conf
>
> with bellow setting, user cant login.
> but if i remove ldap_access_filter , then all user can access
>
> What i am doing wrong...
> i just want user from "techops" group to access this server..
>
>
> any help will be really grateful .
>
> [sssd]
> config_file_version = 2
> services = nss, pam
> domains = LDAP
>
> [nss]
> filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
>
> [pam]
>
> [domain/LDAP]
> id_provider = ldap
> auth_provider = ldap
> ldap_schema = rfc2307
> ldap_uri = ldap://auth2.xxxxxx.lan/,ldap://auth1.xxxxxxxlan/
> ldap_search_base = l=uk,dc=xxxx,dc=lan
> ldap_tls_reqcert = demand
> cache_credentials = true
> enumerate = true
> debug_level = 10
> ldap_tls_cacertdir = /etc/openldap/xxx/
> ldap_tls_cert = /etc/openldap/cacerts/CA-xxx.crt
> access_provider = ldap
> ldap_access_filter = memberUid=cn=techops,ou=groups,l=uk,dc=xxxx,dc=lan
> #entry_cache_timeout = 600
> #ldap_network_timeout = 3
>
>
> and the log i get from secure file
>
> 2013-05-28T22:13:02.782543+01:00 uk-xxxxx-1 sshd[4172]: pam_sss(sshd:auth): received for user mtest: 9 (Authentication service cannot retrieve authentication info)
> 2013-05-28T22:13:04.597478+01:00 uk-xxxx-1 sshd[4172]: Failed password for mtest from xxx.xx.xx.xx port 52664 ssh2
>
>
> Thanks
>
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users